I use Active Directory's temporary (time-based) group membership mechanism to give users temporary access to groups.
Through PowerShell, adding a user is very simple:
$ts = New-TimeSpan -Start (Get-Date) -End (Get-date).AddSeconds(50000)
Add-ADGroupMember -Identity "mytest" -Members "kul" -MemberTimeToLive $ts
Then I can see the user together with the remaining time (TTL):
(Get-ADGroup 'mytest' -Property member -ShowMemberTimeToLive).member
<TTL=49891>,CN=kul,OU=Company,DC=test,DC=local
How can I add and view users with this counter using C# / LDAP? Should I use DirectoryEntry or GroupPrincipal to get this data correctly?

I found that this is part of the controls you can supply with your search: 1.2.840.113556.1.4.2309 - LDAP_SERVER_LINK_TTL_OID.
Here is a simple example of using it in S.DS.P (System.DirectoryServices.Protocols):

using System;
using System.DirectoryServices.Protocols;
using System.Linq;

var groupDN = "Your Group DN";
// Bind as the current user; replace the host name with one of your domain controllers
var connection = new LdapConnection("your-dc.example.local");
connection.Bind();
// LDAP_SERVER_LINK_TTL_OID: asks the DC to return link values with their TTL prefix
var showttlcontrol = new DirectoryControl("1.2.840.113556.1.4.2309", null, true, true);
var request = new SearchRequest();
request.Controls.Add(showttlcontrol);
request.DistinguishedName = groupDN;
request.Scope = SearchScope.Subtree;
request.Attributes.AddRange(new string[] { "member" });
var response = (SearchResponse)connection.SendRequest(request);
var enumerator = response.Entries.GetEnumerator();
if (enumerator.MoveNext() && enumerator.Current is SearchResultEntry entry) {
    // Values come back as "<TTL=49891>,CN=kul,OU=Company,DC=test,DC=local"
    var member = entry.Attributes["member"].GetValues(typeof(string)).Select(x => (string)x).FirstOrDefault();
    Console.WriteLine(member);
}
I found this page while looking for a PowerShell way to get the TTL of group membership. Yes, there is the built-in way, (Get-ADGroup 'mytest' -Property member -ShowMemberTimeToLive).member. But you must install RSAT for Active Directory! I build an application that shows this attribute to all users, and I cannot guarantee that RSAT is installed on all workstations.

Add-Type -AssemblyName System.DirectoryServices.Protocols
# Pick a domain controller from the current computer's AD site
$DC = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Servers[0].Name
$groupDN = "CN=EX_ArchiveEstablish,OU=Exchange,OU=Applications,DC=sigal,DC=loc"
$LDAP_SERVER_LINK_OID = "1.2.840.113556.1.4.2309"
# Critical, server-side control: member values are returned as "<TTL=seconds>,DN"
$showttlcontrol = New-Object System.DirectoryServices.Protocols.DirectoryControl($LDAP_SERVER_LINK_OID, $null, $true, $true)
$request = New-Object System.DirectoryServices.Protocols.SearchRequest
[void]$request.Controls.Add($showttlcontrol)
$request.DistinguishedName = $groupDN
$request.Scope = "Subtree"
# To get just one attribute: $request.Attributes.Add("member")
$request.Attributes.AddRange(@("member","displayname","memberof","samaccountname"))
$LdapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($DC)
$response = $LdapConnection.SendRequest($request)
# First entry is the group itself; each member value carries its TTL prefix
$Members = $response.Entries[0].Attributes["member"].GetValues([string])
foreach ($Member in $Members) { Write-Host ([String]$Member) }

Enjoy
多伦·齐伯
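As an added example (not code from the question or from either answer), the following C# wraps the S.DS.P search shown in both answers in a reusable method and splits every returned value into the member DN and its remaining TTL in seconds; permanent members, which carry no <TTL=...> prefix, get a null TTL instead of being misread as a DN. The domain controller name and group DN are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Text.RegularExpressions;

public static class TtlMembers
{
    // LDAP_SERVER_LINK_TTL_OID from the answers above
    const string LdapServerLinkTtlOid = "1.2.840.113556.1.4.2309";
    // Matches "<TTL=49891>,CN=kul,OU=Company,DC=test,DC=local"; a plain DN
    // (permanent member) does not match and is returned with a null TTL
    static readonly Regex TtlPrefix = new Regex(@"^<TTL=(\d+)>,(.+)$");

    public static (string Dn, int? TtlSeconds) ParseMember(string value)
    {
        var m = TtlPrefix.Match(value);
        if (!m.Success) return (value, null);
        return (m.Groups[2].Value, int.Parse(m.Groups[1].Value));
    }

    public static List<(string Dn, int? TtlSeconds)> GetMembers(LdapConnection connection, string groupDn)
    {
        // Base-scope read of the group object itself, asking only for "member"
        var request = new SearchRequest(groupDn, "(objectClass=group)", SearchScope.Base, "member");
        request.Controls.Add(new DirectoryControl(LdapServerLinkTtlOid, null, true, true));
        var response = (SearchResponse)connection.SendRequest(request);
        var result = new List<(string Dn, int? TtlSeconds)>();
        if (response.Entries.Count == 0) return result;      // group not found
        var attr = response.Entries[0].Attributes["member"];
        if (attr == null) return result;                     // empty group
        foreach (string value in attr.GetValues(typeof(string)))
            result.Add(ParseMember(value));
        return result;
    }

    public static void Main()
    {
        using (var connection = new LdapConnection("dc01.test.local"))  // placeholder DC
        {
            connection.SessionOptions.Signing = true;   // integrity-protect the session
            connection.SessionOptions.Sealing = true;   // encrypt it (Negotiate/Kerberos)
            connection.Bind();                          // current user's credentials
            foreach (var (dn, ttl) in GetMembers(connection, "CN=mytest,OU=Company,DC=test,DC=local"))
                Console.WriteLine(ttl.HasValue ? $"{dn} expires in {ttl}s" : $"{dn} (permanent)");
        }
    }
}
```

Without the control the DC returns plain DNs for temporary members too, so the TTL is only visible when the control is sent with every search that needs it.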