Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
231 views
in Technique[技术] by (71.8m points)

c# - Getting members of an AD domain group using Sharepoint API

In my Sharepoint code I display a list of all defined users via:

foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
    ...
}

The great part is, I can add a domain security group to a Sharepoint group (like Visitors) thus adding many users at once (simpler administration). But my code doesn't see those users at least not until they log-in for the first time (if they have sufficient rights). In this case I can only see the domain security group SPUser object instance with its IsDomainGroup set to true.

Is it possible to get domain group members by means of Sharepoint without resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations = more administration: Sharepoint rights + AD rights).

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You can use the method SPUtility.GetPrincipalsInGroup (MSDN).

All parameters are self-explaining except string input, which is the NT account name of the security group:

bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);

Please note that this method does not resolve nested security groups. Further the executing user is required to have browse user info permission (SPBasePermissions.BrowseUserInfo) on the current web.

Update:

private void ResolveGroup(SPWeb w, string name, List<string> users)
{
    foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
    {
        if (i.PrincipalType == SPPrincipalType.SecurityGroup)
        {
          ResolveGroup(w, i.LoginName, users);
        }
        else
        {
          users.Add(i.LoginName);
        }
    }
}

List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
  if (user.IsDomainGroup)
    {
      ResolveGroup(SPContext.Current.Web, user.LoginName, users);
    }
    else
    {
      users.Add(user.LoginName);
    }
}

Edit:

[...] resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations [...]

That's true, of course, but SharePoint has to lookup the AD as well. That's why a application pool service account is required to have read access to the AD. In other words, you should be safe executing queries against the AD if you run your code reverted to the process account.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...