Permissions required to access Active Directory

Keywords for this article: permissions, Active Directory, access | Updated: 2023-09-27 18:32:08

Hi,

I have a service host in IIS that runs this code:

    using System;
    using System.DirectoryServices;
    using System.Security.Principal;

    // Builds the group/member tree. pathToAD may be empty to bind to the default naming context.
    public ActiveDirectory GetGroupTree(string pathToAD)
    {
        ActiveDirectory result = new ActiveDirectory();
        ActiveDirectoryItem treeNode;

        // Bind to the AD / AD LDS object. RefreshCache forces the actual bind, so a bad
        // path or insufficient rights fail here instead of on the first property read.
        DirectoryEntry objADAM = pathToAD.Length > 0
            ? new DirectoryEntry(pathToAD)
            : new DirectoryEntry();
        objADAM.RefreshCache();

        // Search for all groups below the bind point. The searcher and the result
        // collection wrap COM resources and must be disposed.
        using (objADAM)
        using (DirectorySearcher objSearchADAM = new DirectorySearcher(objADAM))
        {
            objSearchADAM.Filter = "(&(objectClass=group))";
            objSearchADAM.SearchScope = SearchScope.Subtree;

            using (SearchResultCollection objSearchResults = objSearchADAM.FindAll())
            {
                if (objSearchResults.Count == 0)
                    throw new Exception("No groups found");

                // Enumerate groups and their direct members.
                try
                {
                    foreach (SearchResult objResult in objSearchResults)
                    {
                        using (DirectoryEntry objGroupEntry = objResult.GetDirectoryEntry())
                        {
                            result.ActiveDirectoryTree.Add(new ActiveDirectoryItem()
                            {
                                Id = objGroupEntry.Guid,
                                ParentId = objGroupEntry.Parent.Guid,
                                AccountName = objGroupEntry.Name,
                                Type = ActiveDirectoryType.Group,
                                PickableNode = false
                            });

                            foreach (object child in objGroupEntry.Properties["member"])
                            {
                                // "member" holds distinguished names; a '/' inside a DN must be
                                // escaped as '\/' to form a valid ADsPath.
                                var path = "LDAP://" + child.ToString().Replace("/", "\\/");
                                using (var memberEntry = new DirectoryEntry(path))
                                {
                                    // Skip nested groups and any entry lacking the attributes we need.
                                    if (memberEntry.SchemaEntry.Name.CompareTo("group") != 0
                                        && memberEntry.Properties.Contains("sAMAccountName")
                                        && memberEntry.Properties.Contains("objectSid"))
                                    {
                                        treeNode = new ActiveDirectoryItem();
                                        treeNode.Id = Guid.NewGuid();
                                        treeNode.ParentId = objGroupEntry.Guid;
                                        treeNode.AccountName = memberEntry.Properties["sAMAccountName"][0].ToString();
                                        treeNode.Type = ActiveDirectoryType.User;
                                        treeNode.PickableNode = true;
                                        treeNode.FullName = memberEntry.Properties["Name"][0].ToString();
                                        byte[] sidBytes = (byte[])memberEntry.Properties["objectSid"][0];
                                        treeNode.ObjectSid = new SecurityIdentifier(sidBytes, 0).ToString();
                                        result.ActiveDirectoryTree.Add(treeNode);
                                    }
                                }
                            }
                        }
                    }
                }
                catch (Exception e)
                {
                    // Keep the original exception as InnerException so the cause is not lost.
                    throw new Exception(e.Message, e);
                }
            }
        }
        return result;
    }

This works fine in my development environment, but at the customer's site we get this exception:

The specified directory service attribute or value does not exist

I think this might be related to Active Directory permissions?

Which account needs ActiveDirectory access, and what level of permissions does it need?

Permissions required to access Active Directory

The account the thread runs under needs read permission to AD. All domain accounts have this permission.

Long story short, verify that the value of HttpContext.Current.User.Identity.Name is a domain account.

If the web application is configured for anonymous access, it most likely is not.
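The check the answer describes, as an added diagnostic helper that is not part of the original post: it reports the identity carried by the request (HttpContext.Current.User) and the identity the worker thread actually binds to AD with (WindowsIdentity.GetCurrent()), and classifies the latter as a domain account or not. The class name, the report shape and the domain/local heuristic (authority prefix compared against well-known authorities and the machine name) are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic helper (hypothetical; not from the original post). Run it once on the
// customer's server to see which account the DirectoryEntry bind really executes as.
public static class AdIdentityCheck
{
    public sealed class Report
    {
        public string RequestUser;          // HttpContext.Current.User.Identity.Name
        public bool RequestAuthenticated;
        public string ThreadUser;           // the token a default DirectoryEntry binds with
        public bool ThreadUserIsDomain;
        public string Advice;
    }

    // Authorities that are never a domain: well-known, built-in, service and
    // IIS virtual accounts. Heuristic: assumes the "AUTHORITY\name" name format.
    static readonly string[] NonDomainAuthorities =
        { "NT AUTHORITY", "BUILTIN", "NT SERVICE", "IIS APPPOOL" };

    public static bool IsDomainAccount(WindowsIdentity id)
    {
        if (id == null || id.IsAnonymous || id.User == null)
            return false;

        // Only S-1-5-21-... SIDs belong to real accounts (domain or local machine);
        // everything else is a well-known or virtual principal.
        if (!id.User.IsAccountSid())
            return false;

        int sep = id.Name.IndexOf('\\');
        if (sep < 0)
            return false;                               // no authority prefix at all
        string authority = id.Name.Substring(0, sep);

        foreach (string a in NonDomainAuthorities)
            if (authority.Equals(a, StringComparison.OrdinalIgnoreCase))
                return false;

        // A local machine account appears as "MACHINE\user"; anything else is a domain.
        return !authority.Equals(Environment.MachineName, StringComparison.OrdinalIgnoreCase);
    }

    public static Report Run()
    {
        var r = new Report();

        var ctx = HttpContext.Current;
        IIdentity reqId = (ctx != null && ctx.User != null) ? ctx.User.Identity : null;
        r.RequestUser = reqId != null ? reqId.Name : "";
        r.RequestAuthenticated = reqId != null && reqId.IsAuthenticated;

        // With no explicit credentials, DirectoryEntry binds with the thread token:
        // the impersonated request user if impersonation is enabled, otherwise the
        // application pool identity. This is what must be a domain account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        r.ThreadUser = thread.Name;
        r.ThreadUserIsDomain = IsDomainAccount(thread);

        if (!r.RequestAuthenticated)
            r.Advice = "Request is anonymous: IIS allows anonymous access, so no domain identity reaches this code.";
        else if (!r.ThreadUserIsDomain)
            r.Advice = "Request user '" + r.RequestUser + "' is authenticated, but the bind runs as '"
                       + r.ThreadUser + "'. Enable impersonation or run the application pool as a domain account.";
        else
            r.Advice = "Bind identity is a domain account with default read rights; look for another cause.";

        return r;
    }
}
```

Log the three fields of the Report at the point where the DirectoryEntry is created; the common finding is an authenticated RequestUser paired with a ThreadUser such as IIS APPPOOL\DefaultAppPool, which has no rights in the domain and is the situation the answer describes.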