问题描述

这更像是一种好奇而不是寻求帮助，但我注意到当使用 PrincipalPermission 并验证用户是 Active Directory 中特定组的一部分时，它不会使用真正的组名，而是根据预Windows 2000 组名.通常这不会有什么不同 - 除非有人碰巧使这些值不同.

This is more of a curiosity than a request for help, but I noticed that when using PrincipalPermission and verifying a user is part of a specific group in Active Directory it will not use the true group name but instead validates against the pre-Windows 2000 group name instead. Ordinarily this wouldn't make a difference - unless someone happens to make these values different.

谁能想到为什么 .Net API 会使用该组名而不是真实"名称?这让我经历了数小时的悲痛和一些盲目的运气，最终弄明白了这一切.

Can anyone think of why the .Net API would use that group name instead of the "true" name? This caused me hours of grief and a bit of blind luck to finally figure it all out.

推荐答案

我会假设(没有自己测试和尝试过)PrincipalPermission 属性将使用 Active Directory 中的sAMAccountName"作为用户名和组名(例如用户"或JohnDoe")而不是您可能期望的专有名称"(DN)(CN=Users"、CN=John Doe").

I would assume (without having tested and tried this myself) that the PrincipalPermission attribute will use the "sAMAccountName" in Active Directory for user and group names (e.g. "Users" or "JohnDoe") instead of the "distinguished name" (DN) you might expect ("CN=Users", "CN=John Doe").

这背后的原因很可能是您正在处理的场景，例如独立服务器或 NT4 域.在这些情况下，您根本没有任何基于 AD 的专有名称 - 但您有 SAM 帐户名称.

The reasoning behind this will most likely be the scenario where you're working on e.g. a stand-alone server, or a NT4 domain. In those cases, you simply don't have any AD-based distinguished names - but you do have the SAM account names.

所以从某种意义上说，这乍一看似乎有点令人惊讶 - 但在我看来使用那些 SAM 帐户名称(前 AD 名称)确实有意义 - 你不同意吗?

So in a sense this might seems a bit surprising at first - but it does make sense in my opinion to use those SAM account names (pre-AD names) - don't you agree?

马克

这篇关于Active Directory 和 PrincipalPermission的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！