2017-03-09 121 views
1

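I am creating an export of all TFS projects, users, and their associated TFS groups for a specific TFS collection (using ITeamProjectCollectionService, IIdentityManagementService), interacting with TFS 2015 (on-premises).

I noticed that I also receive disabled AD users. How can I filter the disabled AD users out of this list? I have no direct access to the AD environment. Microsoft.TeamFoundation.Server.Identity does not contain this property.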

    Uri configurationServerUri = new Uri(environmentConfig.Uri);
    TfsConfigurationServer configurationServer = TfsConfigurationServerFactory.GetConfigurationServer(configurationServerUri);
    var tpcService = configurationServer.GetService<ITeamProjectCollectionService>();
    foreach (TeamProjectCollection tpc in tpcService.GetCollections())
    {
        var tfsProjectCollection = new TfsTeamProjectCollection(new Uri(environmentConfig.Uri + "/" + tpc.Name), environmentCredential);

        var vcs = tfsProjectCollection.GetService<VersionControlServer>();
        var sec = tfsProjectCollection.GetService<IGroupSecurityService>();

        var teamProjects = vcs.GetAllTeamProjects(false);
        foreach (var teamProject in teamProjects)
        {
            var appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

            foreach (var group in appGroups)
            {
                // Expand the group so that Members holds the SIDs of everything nested in it.
                Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, new string[] { group.Sid }, QueryMembership.Expanded);
                foreach (Identity member in groupMembers)
                {
                    if (member.Members != null)
                    {
                        foreach (string memberSid in member.Members)
                        {
                            Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
                            // Skip groups and other non-user identities.
                            if (memberInfo.Type != IdentityType.WindowsUser)
                                continue;

                            result.Add(new TfsPermission { Collection = tfsProjectCollection.Name, TeamProject = teamProject.Name,
                                User = memberInfo.AccountName, Domain = memberInfo.Domain, Group = group.DisplayName });
                        }
                    }
                }
            }
        }
    }

Best regards, Jens

+0

Can you show us the code? –

+0

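Added the code. We iterate over each identity and add it to a list. The function returns the list of identities. I want to filter out the users that are disabled in Active Directory. – Jens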

Answer

0

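You can use memberInfo.Domain == "DomainName" to determine whether the account is an AD account. Generally, if the identity is a Windows account added in TFS, its memberInfo.Domain property equals the server name rather than the domain name.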

    foreach (string memberSid in member.Members)
    {
        Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
        if (memberInfo.Type == IdentityType.WindowsUser && memberInfo.Domain == "DomainName")
        {
            result.Add(new TfsPermission
            {
                Collection = tfsProjectCollection.Name,
                TeamProject = teamProject.Name,
                User = memberInfo.AccountName,
                Domain = memberInfo.Domain,
                Group = group.DisplayName
            });
        }
    }

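Then, to check whether these accounts are disabled in AD: as Starain said, this cannot be done with the TFS API. But you can use the method below to check, for each account you got above, whether it is disabled in AD: find if user account is enabled or disabled in AD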

    // Requires references to System.DirectoryServices and System.DirectoryServices.AccountManagement.
    const string accountName = "name"; // The account name of the AD user
    // "AdminUser" / "AdminPass" are placeholder credentials.
    var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere", "AdminUser", "AdminPass");
    var userPrincipal = UserPrincipal.FindByIdentity(principalContext, accountName);

    if (userPrincipal != null)
    {
        var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
        var status = IsAccountDisabled(dirEntry);
    }

    // Judge whether the account is disabled in AD
    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        const string uac = "userAccountControl";
        const int accountDisabled = 0x0002; // ADS_UF_ACCOUNTDISABLE bit of userAccountControl
        if (user.NativeGuid == null) return false;

        if (user.Properties[uac] != null && user.Properties[uac].Value != null)
        {
            var userFlags = (int)user.Properties[uac].Value;
            return (userFlags & accountDisabled) != 0;
        }

        return false;
    }

However, memberInfo.Type can only tell whether an identity is a user account or a TFS group. As you know, when you set someone's permissions, you choose to add either an account or a TFS group.

+0

Indeed. Thanks, but how do you know whether the AD account is disabled? – Jens

+1

@Jens You cannot tell whether an AD account is disabled by using the TFS API. You need to use the AD API to check the user status. http://stackoverflow.com/questions/12318857/how-to-check-in-c-sharp-if-user-account-is-active –

+1

@Jens I have edited my reply. The TFS API has no method for excluding these disabled users. –
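
An added example (not code from the question or the answers) that applies the AD check from the answer to the exported rows. The field layout of `TfsPermission`, the `DisabledAccountFilter` class and its method names are assumptions; it queries AD once per account and sets aside accounts that cannot be resolved instead of counting them as enabled.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Assumed shape of the export rows built in the question.
public class TfsPermission
{
    public string Collection, TeamProject, User, Domain, Group;
}

public static class DisabledAccountFilter
{
    // true = enabled, false = disabled, null = account not found in the domain.
    // Binds as the identity running the export, so no password sits in source.
    // If the file also imports Microsoft.TeamFoundation.Server, qualify IdentityType.
    public static bool? IsEnabledInAd(string domain, string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        {
            return user == null ? (bool?)null : user.Enabled;
        }
    }

    // Keeps rows for enabled accounts. Rows whose account cannot be resolved go
    // to 'unresolved' for manual review instead of being counted as enabled.
    public static List<TfsPermission> KeepEnabled(
        IEnumerable<TfsPermission> rows,
        Func<string, string, bool?> lookup,
        List<TfsPermission> unresolved)
    {
        // One directory query per DOMAIN\user, however many groups list the user.
        var cache = new Dictionary<string, bool?>(StringComparer.OrdinalIgnoreCase);
        var kept = new List<TfsPermission>();
        foreach (var row in rows)
        {
            string key = row.Domain + "\\" + row.User;
            bool? enabled;
            if (!cache.TryGetValue(key, out enabled))
                cache[key] = enabled = lookup(row.Domain, row.User);

            if (enabled == null) unresolved.Add(row);
            else if (enabled.Value) kept.Add(row);
        }
        return kept;
    }
}
```

After the export loop, call `DisabledAccountFilter.KeepEnabled(result, DisabledAccountFilter.IsEnabledInAd, unresolved)`. The lookup is a parameter so the filter can be exercised with a stub where no domain controller is reachable.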