2012-04-25 148 views
4

Hi, what permissions are needed to access Active Directory?

I have a service hosted in IIS that runs this code:

    using System;
    using System.DirectoryServices;

    public ActiveDirectory GetGroupsAndMembers(string pathToAD)
    {
        DirectoryEntry objADAM;                   // Binding object.
        DirectoryEntry objGroupEntry;             // Group entry.
        DirectorySearcher objSearchADAM;          // Search object.
        SearchResultCollection objSearchResults;  // Search results.
        ActiveDirectory result = new ActiveDirectory();
        ActiveDirectoryItem treeNode;

        // Get the AD LDS object.
        try
        {
            if (pathToAD.Length > 0)
                objADAM = new DirectoryEntry(pathToAD);
            else
                objADAM = new DirectoryEntry();
            objADAM.RefreshCache();
        }
        catch (Exception)
        {
            throw; // rethrow as-is so the original stack trace is kept
        }

        // Get search object, specify filter and scope, perform search.
        try
        {
            objSearchADAM = new DirectorySearcher(objADAM);
            objSearchADAM.Filter = "(&(objectClass=group))";
            objSearchADAM.SearchScope = SearchScope.Subtree;
            objSearchResults = objSearchADAM.FindAll();
        }
        catch (Exception)
        {
            throw;
        }

        // Enumerate groups and their members.
        try
        {
            if (objSearchResults.Count != 0)
            {
                foreach (SearchResult objResult in objSearchResults)
                {
                    objGroupEntry = objResult.GetDirectoryEntry();
                    result.ActiveDirectoryTree.Add(new ActiveDirectoryItem()
                    {
                        Id = objGroupEntry.Guid,
                        ParentId = objGroupEntry.Parent.Guid,
                        AccountName = objGroupEntry.Name,
                        Type = ActiveDirectoryType.Group,
                        PickableNode = false
                    });

                    foreach (object child in objGroupEntry.Properties["member"])
                    {
                        treeNode = new ActiveDirectoryItem();
                        // Escape forward slashes in the member DN before using it as an ADsPath.
                        var path = "LDAP://" + child.ToString().Replace("/", "\\/");
                        using (var memberEntry = new DirectoryEntry(path))
                        {
                            // Only non-group members with an account name and a SID become user nodes.
                            if (memberEntry.SchemaEntry.Name.CompareTo("group") != 0
                                && memberEntry.Properties.Contains("sAMAccountName")
                                && memberEntry.Properties.Contains("objectSid"))
                            {
                                treeNode.Id = Guid.NewGuid();
                                treeNode.ParentId = objGroupEntry.Guid;
                                treeNode.AccountName = memberEntry.Properties["sAMAccountName"][0].ToString();
                                treeNode.Type = ActiveDirectoryType.User;
                                treeNode.PickableNode = true;
                                treeNode.FullName = memberEntry.Properties["Name"][0].ToString();

                                byte[] sidBytes = (byte[])memberEntry.Properties["objectSid"][0];
                                treeNode.ObjectSid = new System.Security.Principal.SecurityIdentifier(sidBytes, 0).ToString();

                                result.ActiveDirectoryTree.Add(treeNode);
                            }
                        }
                    }
                }
            }
            else
            {
                throw new Exception("No groups found");
            }
        }
        catch (Exception e)
        {
            // Keep the original exception as InnerException instead of discarding it.
            throw new Exception("Failed to enumerate groups: " + e.Message, e);
        }

        return result;
    }

This works fine in my development environment, but at the customer's site we get this exception:

The specified directory service attribute or value does not exist

I think this might have to do with Active Directory permissions?

Which account does Active Directory need, and what level of permissions is required?

+0

As long as you are a member of the domain, you only need the read access to AD that every user has. Are you running the application under an account that is a domain member, and logged on to that domain? – 2012-04-25 17:15:03

Answer

0

The account that runs that thread needs read permission on AD. All domain accounts have this permission.

To make a long story short, verify that the value of HttpContext.Current.User.Identity.Name is a domain account.

If the web application is configured for anonymous access, it most likely will not be.
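A diagnostic that applies the answer's check, added here as an example and not code from the question or the answer: it logs the Windows identity that actually performs the LDAP bind next to the HTTP caller, then attempts a read-only search so the permission question can be settled from the customer's log. It assumes the same `pathToAD` the question's code binds with; `AdAccessCheck` and its methods are hypothetical names.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Diagnostic for the IIS-hosted service: which identity performs the LDAP bind, and can it read groups?
public static class AdAccessCheck
{
    // Built-in identities: LOCAL SERVICE reaches the domain controller anonymously, while NETWORK
    // SERVICE and IIS APPPOOL\* authenticate as the machine account rather than as a domain user.
    private static readonly string[] LocalPrefixes = { "NT AUTHORITY\\", "IIS APPPOOL\\", "BUILTIN\\" };

    public static bool IsDomainUserAccount(string name)
    {
        if (string.IsNullOrEmpty(name) || name.IndexOf('\\') < 0) return false;
        foreach (string prefix in LocalPrefixes)
            if (name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        return true;
    }

    // Returns a one-line report to write to the application log.
    public static string Report(string pathToAD)
    {
        // Identity doing the bind: the app pool account, or the caller when impersonation is on.
        string threadUser = WindowsIdentity.GetCurrent().Name;
        // Identity of the HTTP caller; empty when the site allows anonymous access.
        string requestUser = HttpContext.Current == null ? "" : HttpContext.Current.User.Identity.Name;
        string who = "thread '" + threadUser + "' (domain user: " + IsDomainUserAccount(threadUser) +
                     "), HTTP caller '" + requestUser + "'";
        try
        {
            // Read-only probe: ask for one named attribute. Attributes the bound account may not
            // read are omitted from the result, so test for presence instead of indexing [0].
            using (var root = new DirectoryEntry(pathToAD))
            using (var searcher = new DirectorySearcher(root, "(objectClass=group)", new[] { "sAMAccountName" }))
            {
                searcher.SizeLimit = 1;
                SearchResult first = searcher.FindOne();
                if (first == null) return who + ": bound to " + pathToAD + " but no groups visible.";
                bool readable = first.Properties.Contains("sAMAccountName");
                return who + (readable ? ": can read group attributes." : ": bound, but sAMAccountName not readable.");
            }
        }
        catch (COMException ex)
        {
            return who + ": bind or search failed: " + ex.Message;
        }
    }
}
```

Run `AdAccessCheck.Report(pathToAD)` once from the failing request path and compare the logged thread identity with the HTTP caller; a thread identity that is not a domain user, or a bind that succeeds but cannot read the attribute, points at the app pool identity rather than at the code.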
