get active directory container objects for new user
I want to create a tree of container objects in an active directory domain that a new user can be added to. I can recurse through the domain and get everything within the directory, but I want to limit my scope to ONLY containers that are valid for users.
What would an LDAP query look like to grab the children of a node that were suitable for a user object? Is there a better way to do this?
I'm using c#, System.DirectoryServices, and .net 3.5 if you are curious.
Thanks!
Check out the excellent MSDN article Managing Directory Security Principals in the .NET Framework 3.5 on how to use the new features in System.DirectoryServices.AccountManagement in .NET 3.5, if you haven't already.
In order to bind to your container, you need to know its LDAP path and with this, you can establish a context based on that container:
using System.DirectoryServices.AccountManagement;

// bind a context to one OU of the Fabrikam domain
PrincipalContext ctx =
    new PrincipalContext(ContextType.Domain, "Fabrikam",
                         "ou=TechWriters,dc=fabrikam,dc=com");
With this context, you can now e.g. search for certain types of principals in that context:
// create a principal object representation to describe
// what will be searched
UserPrincipal user = new UserPrincipal(ctx);

// define the properties of the search (this can use wildcards)
user.Enabled = false;
user.Name = "user*";

// create a principal searcher for running a search operation
PrincipalSearcher pS = new PrincipalSearcher();

// assign the query filter property for the principal object you created
// you can also pass the user principal in the
// PrincipalSearcher constructor
pS.QueryFilter = user;

// run the query
PrincipalSearchResult<Principal> results = pS.FindAll();

Console.WriteLine("Disabled accounts starting with a name of 'user':");
foreach (Principal result in results)
{
    Console.WriteLine("name: {0}", result.Name);
}
Does that work for you? Is that what you're looking for?
If I understand your question correctly, what you want to know is what kind of objects in Active Directory can contain User object.
I think you can get the answer from the AD schema partition. I had a quick check on my schema partition which is running Windows 2003 AD. The User object is allowed to be assigned to OU, container, builtinDomain and domainDNS.
I didn't check Windows 2008 but I believe it should be the same. Many people know what OU and container are. Few people know what builtinDomain and domainDNS are. I doubt if it's useful in your case. builtinDomain is a special container used to contain the built-in account. By default, AD created a builtinDomain at CN=Builtin,DC=yourdomain,DC=com. domainDNS is your root domain path DC=yourdomain,DC=com.
Here is a function to find all kinds of objects in Active Directory under a particular node. If you think builtinDomain and domainDNS are not meaningful in your case, just take them out of the LDAP filter.
using System.Collections.Generic;
using System.DirectoryServices;

// enumerate every object under `root` whose class may hold a user object
IEnumerable<DirectoryEntry> FindUserParentObject(DirectoryEntry root)
{
    using (DirectorySearcher searcher = new DirectorySearcher(root))
    {
        searcher.Filter = "(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=builtinDomain)(objectClass=domainDNS))";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.PageSize = 1000; // paged results, so large domains do not hit the server size limit

        // SearchResultCollection holds an unmanaged handle; dispose it when done
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult result in results)
            {
                yield return result.GetDirectoryEntry();
            }
        }
    }
}
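The answer above hardcodes the four classes it found by inspecting the schema partition by hand. The following is an added example, not the answerer's code or anything from the question: it reads the effective list of possible parent classes for `user` out of the schema at run time (`possSuperiors` and `systemPossSuperiors` on the classSchema object, plus those of each superclass reached through `subClassOf`), builds the OR filter from that list, and then runs the same subtree search. `ldapServer` is a hypothetical parameter naming a domain controller; the code assumes the calling account is already authenticated to the domain and only needs the default read access every domain user has to the schema.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example (not from the original post). `ldapServer` is an assumed
// parameter, e.g. "dc01.fabrikam.com".
static class UserContainerFinder
{
    // Walks the schema partition and returns every class that may be the
    // parent of an object of class `className` (default use: "user").
    public static HashSet<string> GetPossibleSuperiors(string ldapServer, string className)
    {
        var superiors = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var rootDse = new DirectoryEntry("LDAP://" + ldapServer + "/RootDSE"))
        {
            // RootDSE tells us where the schema partition lives on this forest
            string schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
            using (var schema = new DirectoryEntry("LDAP://" + ldapServer + "/" + schemaNc))
            {
                string current = className;
                var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
                // follow subClassOf: user -> organizationalPerson -> person -> top
                while (current != null && visited.Add(current))
                {
                    using (var searcher = new DirectorySearcher(schema))
                    {
                        searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=" + current + "))";
                        searcher.SearchScope = SearchScope.OneLevel;
                        searcher.PropertiesToLoad.AddRange(
                            new[] { "possSuperiors", "systemPossSuperiors", "subClassOf" });
                        SearchResult cls = searcher.FindOne();
                        if (cls == null) break;

                        // both attributes hold lDAPDisplayNames of allowed parent classes
                        foreach (string attr in new[] { "possSuperiors", "systemPossSuperiors" })
                            foreach (object v in cls.Properties[attr])
                                superiors.Add((string)v);

                        // `top` is its own superclass, so stop when the chain loops
                        string parent = cls.Properties["subClassOf"].Count > 0
                            ? (string)cls.Properties["subClassOf"][0]
                            : null;
                        current = string.Equals(parent, current, StringComparison.OrdinalIgnoreCase)
                            ? null
                            : parent;
                    }
                }
            }
        }
        return superiors;
    }

    // Builds "(|(objectClass=a)(objectClass=b)...)" from the class list.
    public static string BuildContainerFilter(IEnumerable<string> classes)
    {
        var sb = new StringBuilder("(|");
        foreach (string c in classes)
            sb.Append("(objectClass=").Append(c).Append(")");
        return sb.Append(")").ToString();
    }

    // Returns the DN of every object under `root` whose class can hold a user.
    public static IEnumerable<string> FindUserContainers(DirectoryEntry root, IEnumerable<string> classes)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildContainerFilter(classes);
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000; // paged, so large domains are enumerated fully
            searcher.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    yield return (string)r.Properties["distinguishedName"][0];
            }
        }
    }

    // Example driver: list user-capable containers of the domain `root` is bound to.
    public static void Main(string[] args)
    {
        string server = args.Length > 0 ? args[0] : "dc01.fabrikam.com"; // assumed DC name
        HashSet<string> classes = UserContainerFinder.GetPossibleSuperiors(server, "user");
        Console.WriteLine("Filter: " + UserContainerFinder.BuildContainerFilter(classes));
        using (var root = new DirectoryEntry("LDAP://" + server))
            foreach (string dn in UserContainerFinder.FindUserContainers(root, classes))
                Console.WriteLine(dn);
    }
}
```

Two points worth knowing before showing this list to an administrator: `objectClass=container` also matches system-owned containers such as CN=System and its children, which are technically valid parents but are rarely where you want new accounts created, so filter those DNs out if the tree is meant for humans to pick from; and because the class list comes from the schema rather than a hardcoded string, a forest with custom schema extensions that add further possible superiors for `user` is handled without a code change.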