2012-04-25 124 views

Hi, what permissions are required to access Active Directory?

I have a service hosted in IIS that runs this code:

    using System;
    using System.DirectoryServices;
    using System.Security.Principal;

    // The method body from the question, wrapped in a method so it compiles.
    // ActiveDirectory, ActiveDirectoryItem and ActiveDirectoryType are the
    // application's own types; pathToAD is the parameter the body reads.
    public ActiveDirectory GetGroupTree(string pathToAD)
    {
        DirectoryEntry objADAM = null;                  // Binding object.
        DirectoryEntry objGroupEntry = null;            // Group results.
        DirectorySearcher objSearchADAM = null;         // Search object.
        SearchResultCollection objSearchResults = null; // Search results.
        ActiveDirectory result = new ActiveDirectory();
        ActiveDirectoryItem treeNode;

        try
        {
            // Get the AD LDS object: an explicit LDAP path, or the default
            // bind, which runs under the identity of the calling thread.
            if (pathToAD.Length > 0)
                objADAM = new DirectoryEntry(pathToAD);
            else
                objADAM = new DirectoryEntry();
            objADAM.RefreshCache();

            // Get search object, specify filter and scope, perform search.
            objSearchADAM = new DirectorySearcher(objADAM);
            objSearchADAM.Filter = "(&(objectClass=group))";
            objSearchADAM.SearchScope = SearchScope.Subtree;
            objSearchResults = objSearchADAM.FindAll();

            if (objSearchResults.Count == 0)
                throw new Exception("No groups found");

            // Enumerate groups.
            foreach (SearchResult objResult in objSearchResults)
            {
                objGroupEntry = objResult.GetDirectoryEntry();
                result.ActiveDirectoryTree.Add(new ActiveDirectoryItem()
                {
                    Id = objGroupEntry.Guid,
                    ParentId = objGroupEntry.Parent.Guid,
                    AccountName = objGroupEntry.Name,
                    Type = ActiveDirectoryType.Group,
                    PickableNode = false
                });

                // Enumerate the group's members; "member" holds distinguished names.
                foreach (object child in objGroupEntry.Properties["member"])
                {
                    treeNode = new ActiveDirectoryItem();
                    // "/" is the ADsPath separator, so escape it inside the DN.
                    var path = "LDAP://" + child.ToString().Replace("/", "\\/");
                    using (var memberEntry = new DirectoryEntry(path))
                    {
                        // Skip nested groups and entries missing the attributes we read.
                        if (memberEntry.SchemaEntry.Name.CompareTo("group") != 0
                            && memberEntry.Properties.Contains("sAMAccountName")
                            && memberEntry.Properties.Contains("objectSid")
                            && memberEntry.Properties.Contains("name"))
                        {
                            treeNode.Id = Guid.NewGuid();
                            treeNode.ParentId = objGroupEntry.Guid;
                            treeNode.AccountName = memberEntry.Properties["sAMAccountName"][0].ToString();
                            treeNode.Type = ActiveDirectoryType.User;
                            treeNode.PickableNode = true;
                            treeNode.FullName = memberEntry.Properties["name"][0].ToString();

                            // objectSid is stored as a binary SID; convert it to SDDL form.
                            byte[] sidBytes = (byte[])memberEntry.Properties["objectSid"][0];
                            treeNode.ObjectSid = new SecurityIdentifier(sidBytes, 0).ToString();

                            result.ActiveDirectoryTree.Add(treeNode);
                        }
                    }
                }

                objGroupEntry.Dispose();
                objGroupEntry = null;
            }
        }
        catch (Exception e)
        {
            // Keep the original message but preserve the cause and its stack trace.
            throw new Exception(e.Message, e);
        }
        finally
        {
            // These types wrap COM objects; release them explicitly.
            if (objGroupEntry != null) objGroupEntry.Dispose();
            if (objSearchResults != null) objSearchResults.Dispose();
            if (objSearchADAM != null) objSearchADAM.Dispose();
            if (objADAM != null) objADAM.Dispose();
        }

        return result;
    }

This works fine in my development environment, but at the customer we get this exception:

The specified directory service attribute or value does not exist

I think this might have to do with rights in Active Directory?

Which account does ActiveDirectory need, and what level of permissions is required?


As long as you are a member of the domain, you only need the read access to AD that every user has. Are you running the application under an account that is a member of the domain and logged on to the domain? – 2012-04-25 17:15:03

Answer


The account the thread runs under needs read access to AD. All domain accounts have this permission.

To make a long story short, verify that the value of HttpContext.Current.User.Identity.Name is a domain account.

If the web application is configured for anonymous access, it most likely will not be.
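An added diagnostic for the check the answer describes (my code, not from the question or the answer): it reports the Windows identity the request thread will bind with, repeats the default bind the question's code starts with, and reads attributes guardedly, since AD simply omits attributes the bound account lacks read permission for. The class and method names and the local-account prefix list are my assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class AdAccessCheck
{
    // Prefixes of local (non-domain) account names. Note that on a domain-joined
    // server NETWORK SERVICE and ApplicationPoolIdentity still reach AD as the
    // computer account (DOMAIN\HOST$), which has the normal domain read access.
    static readonly string[] LocalPrefixes =
        { "NT AUTHORITY\\", "IIS APPPOOL\\", Environment.MachineName + "\\" };

    public static bool IsDomainAccount(string accountName)
    {
        foreach (string prefix in LocalPrefixes)
            if (accountName.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return false;
        return accountName.Contains("\\") || accountName.Contains("@");
    }

    // Call this from inside the request (e.g. a diagnostic page) so the thread
    // identity is the one the DirectoryEntry code will actually bind with:
    // the impersonated caller if impersonation is on, else the app pool identity.
    public static string Describe()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string report = "thread identity: " + id.Name
            + " (impersonation level " + id.ImpersonationLevel
            + ", domain account: " + IsDomainAccount(id.Name) + ")";
        try
        {
            // Same bind as the question's code; RefreshCache forces a real read.
            using (DirectoryEntry root = new DirectoryEntry())
            {
                root.RefreshCache();
                report += "; default bind OK";
            }
        }
        catch (COMException ex)
        {
            report += "; default bind FAILED 0x" + ex.ErrorCode.ToString("X8") + ": " + ex.Message;
        }
        return report;
    }

    // Returns null instead of throwing when the attribute is absent or empty,
    // which is what the caller sees for attributes it may not read.
    public static string GetSingle(DirectoryEntry entry, string attribute)
    {
        if (!entry.Properties.Contains(attribute) || entry.Properties[attribute].Count == 0)
            return null;
        return entry.Properties[attribute][0].ToString();
    }
}
```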
