问题描述
对于遇到相同问题的任何人来说,这与其说是一个问题,不如说是一个信息.
出现以下错误:
System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (87) occurred while enumerating the groups. The group's SID could not be resolved.
at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
at System.DirectoryServices.AccountManagement.SidList.ctor(List`1 sidListByteFormat, String target, NetCred credentials)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.TranslateForeignMembers()
当运行以下代码并且组或子组包含 ForeignSecurityPrincipal 时:
When the following code is run and a group or child group contains a ForeignSecurityPrincipal:
private static void GetUsersFromGroup()
{
var groupDistinguishedName = "CN=IIS_IUSRS,CN=Builtin,DC=Domain,DC=com";
//NB: Exception thrown during iteration of members rather than call to GetMembers.
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "Domain", "Username", "Password"))
{
using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, groupDistinguishedName))
{
using (var searchResults = groupPrincipal.GetMembers(true))//Occurs when false also.
{
foreach (UserPrincipal item in searchResults.OfType())
{
Console.WriteLine("Found user: {0}", item.SamAccountName)
}
}
}
}
}
我向 Microsoft 拨打了支持电话,他们已确认这是一个问题.内部提出了一个错误,但尚未确认是否会修复.
Microsoft 建议使用以下解决方法代码,但由于重复调用 UserPrincipal.FindByIdentity,它在具有大量用户的组中表现不佳.
Microsoft suggested the following workaround code but it performs poorly on groups with a large number of users because of the repeated calls to UserPrincipal.FindByIdentity.
class Program
{
//"CN=IIS_IUSRS,CN=Builtin,DC=dev-sp-sandbox,DC=local"; //TODO MODIFY THIS LINE ACCORDING TO YOUR DC CONFIGURATION
static void Main(string[] args)
{
if (args.Length != 1)
{
Console.WriteLine("Usage: ListGroupMembers "group's DistinguishedName"");
Console.WriteLine("Example: ListGroupMembers "CN=IIS_IUSRS,CN=Builtin,DC=MyDomain,DC=local"");
return;
}
string groupDistinguishedName = args[0];
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "dev-sp-dc", "Administrator", "Corp123!");
List<UserPrincipal> users = new List<UserPrincipal>();
listGroupMembers(groupDistinguishedName, ctx, users);
foreach (UserPrincipal u in users)
{
Console.WriteLine(u.DistinguishedName);
}
}
//Recursively list the group's members which are not Foreign Security Principals
private static void listGroupMembers(string groupDistinguishedName, PrincipalContext ctx, List<UserPrincipal> users)
{
DirectoryEntry group = new DirectoryEntry("LDAP://" + groupDistinguishedName);
foreach (string dn in group.Properties["member"])
{
DirectoryEntry gpMemberEntry = new DirectoryEntry("LDAP://" + dn);
System.DirectoryServices.PropertyCollection userProps = gpMemberEntry.Properties;
object[] objCls = (userProps["objectClass"].Value) as object[];
if (objCls.Contains("group"))
listGroupMembers(userProps["distinguishedName"].Value as string, ctx, users);
if (!objCls.Contains("foreignSecurityPrincipal"))
{
UserPrincipal u = UserPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, dn);
if(u!=null) // u==null for any other types except users
users.Add(u);
}
}
}
}
可以修改上面的代码以查找导致组问题的外国安全主体.
The above code could be modified to find foreign security principals causing problems in groups.
Microsoft 提供了有关外国安全主体的以下信息:
这是 AD 中的一类对象,它代表来自外部源(因此是另一个林/域或下面的特殊"帐户之一)的安全主体.该类记录在此处:http://msdn.microsoft.com/en-us/library/cc221858(v=PROT.10).aspx容器记录在此处:http://msdn.microsoft.com/en-us/library/cc200915(v=PROT.10).aspxFSP 不是 AD 中的真实对象,而是指向位于不同的受信任域/林中的对象的占位符(指针).它也可以是特殊身份"之一,即一堆知名帐户,这些帐户也被归类为 FSP,因为它们的 SID 与域 SID 不同.例如这里记录的匿名、经过身份验证的用户、批处理和其他几个帐户:http://technet.microsoft.com/en-us/library/cc779144(v=WS.10).aspx
This is a class of objects in AD which represents a security principal from an external source (so another forest/domain or one of the "special" accounts below). The class is documented here: http://msdn.microsoft.com/en-us/library/cc221858(v=PROT.10).aspx And the container is documented here : http://msdn.microsoft.com/en-us/library/cc200915(v=PROT.10).aspx A FSP is not a real object in AD, but rather a placeholder (pointer) to an object which lives in a different, trusted domain/forest. It can also be one of the "special identities" which are a bunch of well-known accounts who are also classed as FSP’s because their SID’s are different to the domain SID. For example the anonymous, Authenticated User, batch and several other accounts as documented here: http://technet.microsoft.com/en-us/library/cc779144(v=WS.10).aspx
推荐答案
当然这是一个旧线程,但可能对某人有所帮助.我使用下面的代码块来解决问题.Principal 类公开了一个名为 StructuralObjectClass 的属性,它告诉您该主体的 AD 类是什么.我用它来决定对象是否是用户.GetMembers(true) 递归搜索相关 groupPrincipal 中的所有嵌套成员.
Sure this is an old thread, but might help someone. I used the below code block the solve the problem. the Principal class exposes a property called StructuralObjectClass which tells you what is the AD Class of that principal. I used this to decide whether the object is a user. The GetMembers(true) recursively searches all nested-members in the groupPrincipal in question.
希望这对某人有所帮助.
Hope this helps someone.
List<UserPrincipal> members = new List<UserPrincipal>();
foreach (var principal in groupPrincipal.GetMembers(true))
{
var type = principal.StructuralObjectClass;
if (type.Contains("user"))
members.Add((UserPrincipal)principal);
}
谢谢,R
这篇关于当组(或子组,如果递归)包含 ForeignSecurityPrincipal 时 GroupPrincipal.GetMembers 失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!