Problem description
What is the fastest way to get a list of all members/users in a given AD group and determine whether or not a user is enabled (or disabled)?
We are potentially talking about 20K users, so I would like to avoid hitting the AD for each individual user.
Solution
If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
- Managing Directory Security Principals in the .NET Framework 3.5
- MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
```csharp
using System;
using System.DirectoryServices.AccountManagement;

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// if found....
if (group != null)
{
    // iterate over members
    foreach (Principal p in group.GetMembers())
    {
        Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);

        // do whatever you need to do to those members
        UserPrincipal theUser = p as UserPrincipal;

        if (theUser != null)
        {
            // IsAccountLockedOut() reports lockout state; the Enabled
            // property (bool?) reports whether the account is enabled.
            if (theUser.IsAccountLockedOut())
            {
                // account is locked out
            }
            else
            {
                // account is not locked out
            }
        }
    }
}
```
The new S.DS.AM makes it really easy to play around with users and groups in AD!