C#操做域用戶ADHelper
在C#中操做域用戶,在項目中寫的幫助類:html
using System; using System.Collections.Generic; using System.DirectoryServices; using System.Linq; using System.Runtime.InteropServices; using System.Security.Principal; using System.Text; using System.Threading.Tasks; namespace ADS.BLL { public class ADHelper { /// ///域名 /// private static string DomainName = ActiveDirectory.GetDomainName; /// /// LDAP 地址 /// private static string LDAPDomain = "DC=" + ActiveDirectory.GetDomainName + ",DC=local"; /// /// LDAP綁定路徑 /// private static string ADPath = "LDAP://" + ActiveDirectory.GetDomainName; /// ///登陸賬號 /// private static string ADUser = ActiveDirectory.GetUserName; //administrator /// ///登陸密碼 /// private static string ADPassword = ConstantHelper.PASSWORD; /// ///扮演類實例 /// private static IdentityImpersonation impersonate = new IdentityImpersonation(ADUser, ADPassword, DomainName); /// ///用戶登陸驗證結果 /// public enum LoginResult { /// ///正常登陸 /// LOGIN_USER_OK = 0, /// ///用戶不存在 /// LOGIN_USER_DOESNT_EXIST, /// ///用戶賬號被禁用 /// LOGIN_USER_ACCOUNT_INACTIVE, /// ///用戶密碼不正確 /// LOGIN_USER_PASSWORD_INCORRECT } /// ///用戶屬性定義標誌 /// public enum ADS_USER_FLAG_ENUM { /// ///登陸腳本標誌。若是經過 ADSI LDAP 進行讀或寫操做時,該標誌失效。若是經過 ADSI WINNT,該標誌爲只讀。 /// ADS_UF_SCRIPT = 0X0001, /// ///用戶賬號禁用標誌 /// ADS_UF_ACCOUNTDISABLE = 0X0002, /// ///主文件夾標誌 /// ADS_UF_HOMEDIR_REQUIRED = 0X0008, /// ///過時標誌 /// ADS_UF_LOCKOUT = 0X0010, /// ///用戶密碼不是必須的 /// ADS_UF_PASSWD_NOTREQD = 0X0020, /// ///密碼不能更改標誌 /// ADS_UF_PASSWD_CANT_CHANGE = 0X0040, /// ///使用可逆的加密保存密碼 /// ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0X0080, /// ///本地賬號標誌 /// ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0X0100, /// ///普通用戶的默認賬號類型 /// ADS_UF_NORMAL_ACCOUNT = 0X0200, /// ///跨域的信任賬號標誌 /// ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0X0800, /// ///工做站信任賬號標誌 /// ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000, /// ///服務器信任賬號標誌 /// ADS_UF_SERVER_TRUST_ACCOUNT = 0X2000, /// ///密碼永不過時標誌 /// ADS_UF_DONT_EXPIRE_PASSWD = 0X10000, /// /// MNS 賬號標誌 /// ADS_UF_MNS_LOGON_ACCOUNT = 0X20000, /// ///交互式登陸必須使用智能卡 /// ADS_UF_SMARTCARD_REQUIRED = 0X40000, /// ///當設置該標誌時,服務賬號(用戶或計算機賬號)將經過 Kerberos 委託信任 /// ADS_UF_TRUSTED_FOR_DELEGATION = 0X80000, /// ///當設置該標誌時,即便服務賬號是經過 Kerberos 委託信任的,敏感賬號不能被委託 /// ADS_UF_NOT_DELEGATED = 0X100000, /// ///此賬號須要 DES 加密類型 /// ADS_UF_USE_DES_KEY_ONLY = 0X200000, /// ///不要進行 Kerberos 預身份驗證 /// ADS_UF_DONT_REQUIRE_PREAUTH = 0X4000000, /// ///用戶密碼過時標誌 /// ADS_UF_PASSWORD_EXPIRED = 0X800000, /// ///用戶賬號可委託標誌 /// ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0X1000000 } public ADHelper() { } #region GetDirectoryObject /// <summary> /// 得到DirectoryEntry對象實例,以當前用戶登錄AD /// </summary> /// <returns></returns> private static DirectoryEntry GetDirectoryObject() { DirectoryEntry entry = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.Secure); return entry; } /// <summary> /// 根據指定用戶名和密碼得到相應DirectoryEntry實體 /// </summary> /// <param name="userName"></param> /// <param name="password"></param> /// <returns></returns> private static DirectoryEntry GetDirectoryObject(string userName, string password) { DirectoryEntry entry = new DirectoryEntry(ADPath, userName, password, AuthenticationTypes.None); return entry; } /// <summary> /// i.e. /CN=Users,DC=creditsights, DC=cyberelves, DC=Com /// </summary> /// <param name="domainReference"></param> /// <returns></returns> private static DirectoryEntry GetDirectoryObject(string domainReference) { DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, ADUser, ADPassword, AuthenticationTypes.Secure); return entry; } /// <summary> /// 得到以UserName,Password建立的DirectoryEntry /// </summary> /// <param name="domainReference"></param> /// <param name="userName"></param> /// <param name="password"></param> /// <returns></returns> private static DirectoryEntry GetDirectoryObject(string domainReference, string userName, string password) { DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, userName, password, AuthenticationTypes.Secure); return entry; } #endregion #region GetDirectoryEntry /// <summary> ///根據用戶公共名稱取得用戶的對象 ///用戶公共名稱 ///若是找到該用戶,則返回用戶的對象;不然返回 null /// </summary> /// <param name="commonName"></param> /// <returns></returns> public static DirectoryEntry GetDirectoryEntry(string commonName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); } catch { de = null; } return de; } /// <summary> ///根據用戶公共名稱和密碼取得用戶的對象。 ///用戶公共名稱 ///用戶密碼 ///若是找到該用戶,則返回用戶的 對象;不然返回null /// </summary> /// <param name="commonName"></param> /// <param name="password"></param> /// <returns></returns> public static DirectoryEntry GetDirectoryEntry(string commonName, string password) { DirectoryEntry de = GetDirectoryObject(commonName, password); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); return de; } catch { return null; } } /// <summary> ///根據用戶賬號稱取得用戶的對象 ///用戶賬號名 ///若是找到該用戶,則返回用戶的對象;不然返回null /// </summary> /// <param name="sAMAccountName"></param> /// <returns></returns> public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + sAMAccountName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); } catch { de = null; } return de; } /// <summary> ///根據用戶賬號和密碼取得用戶的對象 ///用戶賬號名 ///用戶密碼 ///若是找到該用戶,則返回用戶的 對象;不然返回null /// </summary> /// <param name="sAMAccountName"></param> /// <param name="password"></param> /// <returns></returns> public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName, string password) { DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName); if (de != null) { string commonName = de.Properties["cn"][0].ToString(); if (GetDirectoryEntry(commonName, password) != null) return GetDirectoryEntry(commonName, password); else return null; } else { return null; } } /// <summary> ///根據組名取得用戶組的對象 ///組名 /// </summary> /// <param name="groupName"></param> /// <returns></returns> public static DirectoryEntry GetDirectoryEntryOfGroup(string groupName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(objectClass=group)(cn=" + groupName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); return de; } catch { return null; } } #endregion #region GetProperty /// <summary> ///得到指定屬性名對應的值 ///屬性名稱 ///屬性值 /// </summary> /// <param name="de"></param> /// <param name="propertyName"></param> /// <returns></returns> public static string GetProperty(DirectoryEntry de, string propertyName) { if (de.Properties.Contains(propertyName)) { return de.Properties[propertyName][0].ToString(); } else { return string.Empty; } } /// <summary> ///得到指定搜索結果中指定屬性名對應的值 ///屬性名稱 ///屬性值 /// </summary> /// <param name="searchResult"></param> /// <param name="propertyName"></param> /// <returns></returns> public static string GetProperty(SearchResult searchResult, string propertyName) { if (searchResult.Properties.Contains(propertyName)) { return searchResult.Properties[propertyName][0].ToString(); } else { return string.Empty; } } #endregion /// <summary> ///設置指定的屬性值 ///屬性名稱 ///屬性值 /// </summary> /// <param name="de"></param> /// <param name="propertyName"></param> /// <param name="propertyValue"></param> public static void SetProperty(DirectoryEntry de, string propertyName, string propertyValue) { if (propertyValue != string.Empty || propertyValue != "" || propertyValue != null) { if (de.Properties.Contains(propertyName)) { de.Properties[propertyName][0] = propertyValue; } else { de.Properties[propertyName].Add(propertyValue); } } } /// <summary> ///建立新的用戶 ///DN 位置。例如:OU=共享平臺 或 CN=Users ///公共名稱 ///賬號 ///密碼 /// </summary> /// <param name="ldapDN"></param> /// <param name="commonName"></param> /// <param name="sAMAccountName"></param> /// <param name="password"></param> /// <returns></returns> public static DirectoryEntry CreateNewUser(string ldapDN, string commonName, string sAMAccountName, string password) { DirectoryEntry entry = GetDirectoryObject(); DirectoryEntry subEntry = entry.Children.Find(ldapDN); DirectoryEntry deUser = subEntry.Children.Add("CN=" + commonName, "user"); deUser.Properties["sAMAccountName"].Value = sAMAccountName; deUser.CommitChanges(); ADHelper.EnableUser(commonName); ADHelper.SetPassword(commonName, password); deUser.Close(); return deUser; } /// <summary> ///建立新的用戶。默認建立在Users單元下。 ///公共名稱 ///賬號 ///密碼 /// </summary> /// <param name="commonName"></param> /// <param name="sAMAccountName"></param> /// <param name="password"></param> /// <returns></returns> public static DirectoryEntry CreateNewUser(string commonName, string sAMAccountName, string password) { return CreateNewUser("CN=Users", commonName, sAMAccountName, password); } /// <summary> ///判斷指定公共名稱的用戶是否存在 ///用戶公共名稱 ///若是存在,返回true;不然返回false /// </summary> /// <param name="commonName"></param> /// <returns></returns> public static bool IsUserExists(string commonName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; // LDAP 查詢串 SearchResultCollection results = deSearch.FindAll(); if (results.Count == 0) return false; else return true; } /// <summary> ///判斷用戶賬號是否激活 ///用戶賬號屬性控制器 ///若是用戶賬號已經激活,返回true;不然返回false /// </summary> /// <param name="userAccountControl"></param> /// <returns></returns> public static bool IsAccountActive(int userAccountControl) { int userAccountControl_Disabled = Convert.ToInt32(ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE); int flagExists = userAccountControl & userAccountControl_Disabled; if (flagExists > 0) return false; else return true; } /// <summary> ///判斷用戶與密碼是否足夠以知足身份驗證進而登陸 ///用戶公共名稱 ///密碼 ///如能可正常登陸,則返回 true;不然返回 false /// </summary> /// <param name="commonName"></param> /// <param name="password"></param> /// <returns></returns> public static LoginResult Login(string commonName, string password) { DirectoryEntry de = GetDirectoryEntry(commonName); if (de != null) { // 必須在判斷用戶密碼正確前,對賬號激活屬性進行判斷;不然將出現異常。 int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]); de.Close(); if (!IsAccountActive(userAccountControl)) return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE; if (GetDirectoryEntry(commonName, password) != null) return LoginResult.LOGIN_USER_OK; else return LoginResult.LOGIN_USER_PASSWORD_INCORRECT; } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } /// <summary> ///判斷用戶賬號與密碼是否足夠以知足身份驗證進而登陸 ///用戶賬號 ///密碼 ///如能可正常登陸,則返回true;不然返回false /// </summary> /// <param name="sAMAccountName"></param> /// <param name="password"></param> /// <returns></returns> public static LoginResult LoginByAccount(string sAMAccountName, string password) { DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName); if (de != null) { // 必須在判斷用戶密碼正確前,對賬號激活屬性進行判斷;不然將出現異常。 int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]); de.Close(); if (!IsAccountActive(userAccountControl)) return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE; if (GetDirectoryEntryByAccount(sAMAccountName, password) != null) return LoginResult.LOGIN_USER_OK; else return LoginResult.LOGIN_USER_PASSWORD_INCORRECT; } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } /// <summary> ///設置用戶密碼,管理員能夠經過它來修改指定用戶的密碼。 ///用戶公共名稱 ///用戶新密碼 /// </summary> /// <param name="commonName"></param> /// <param name="newPassword"></param> public static void SetPassword(string commonName, string newPassword) { DirectoryEntry de = GetDirectoryEntry(commonName); // 模擬超級管理員,以達到有權限修改用戶密碼 impersonate.BeginImpersonate(); de.Invoke("SetPassword", new object[] { newPassword }); impersonate.StopImpersonate(); de.Close(); } /// <summary> ///設置賬號密碼,管理員能夠經過它來修改指定賬號的密碼。 ///用戶賬號 ///用戶新密碼 /// </summary> /// <param name="sAMAccountName"></param> /// <param name="newPassword"></param> public static void SetPasswordByAccount(string sAMAccountName, string newPassword) { DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName); // 模擬超級管理員,以達到有權限修改用戶密碼 IdentityImpersonation impersonate = new IdentityImpersonation(ADUser, ADPassword, DomainName); impersonate.BeginImpersonate(); de.Invoke("SetPassword", new object[] { newPassword }); impersonate.StopImpersonate(); de.Close(); } /// <summary> ///修改用戶密碼 ///用戶公共名稱 ///舊密碼 ///新密碼 /// </summary> /// <param name="commonName"></param> /// <param name="oldPassword"></param> /// <param name="newPassword"></param> public static void ChangeUserPassword(string commonName, string oldPassword, string newPassword) { // to-do: 須要解決密碼策略問題 DirectoryEntry oUser = GetDirectoryEntry(commonName); oUser.Invoke("ChangePassword", new Object[] { oldPassword, newPassword }); oUser.Close(); } /// <summary> ///啓用指定公共名稱的用戶 /// </summary> /// <param name="commonName"></param> public static void EnableUser(string commonName) { EnableUser(GetDirectoryEntry(commonName)); } /// <summary> /// 啓用指定的用戶 /// </summary> /// <param name="de"></param> public static void EnableUser(DirectoryEntry de) { impersonate.BeginImpersonate(); de.Properties["userAccountControl"][0] = ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD; de.CommitChanges(); impersonate.StopImpersonate(); de.Close(); } /// <summary> /// 禁用指定公共名稱的用戶 /// </summary> /// <param name="commonName"></param> public static void DisableUser(string commonName) { DisableUser(GetDirectoryEntry(commonName)); } /// <summary> /// 禁用指定的用戶 /// </summary> /// <param name="de"></param> public static void DisableUser(DirectoryEntry de) { impersonate.BeginImpersonate(); de.Properties["userAccountControl"][0] = ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE; de.CommitChanges(); impersonate.StopImpersonate(); de.Close(); } /// <summary> ///將指定的用戶添加到指定的組中。默認爲Users下的組和用戶。 ///用戶公共名稱 ///組名 /// </summary> /// <param name="userCommonName"></param> /// <param name="groupName"></param> public static void AddUserToGroup(string userCommonName, string groupName) { DirectoryEntry oGroup = GetDirectoryEntryOfGroup(groupName); DirectoryEntry oUser = GetDirectoryEntry(userCommonName); impersonate.BeginImpersonate(); oGroup.Properties["member"].Add(oUser.Properties["distinguishedName"].Value); oGroup.CommitChanges(); impersonate.StopImpersonate(); oGroup.Close(); oUser.Close(); } /// <summary> ///將用戶從指定組中移除。默認爲Users下的組和用戶。 ///用戶公共名稱 /// </summary> /// <param name="userCommonName"></param> /// <param name="groupName"></param> public static void RemoveUserFromGroup(string userCommonName, string groupName) { DirectoryEntry oGroup = GetDirectoryEntryOfGroup(groupName); DirectoryEntry oUser = GetDirectoryEntry(userCommonName); impersonate.BeginImpersonate(); oGroup.Properties["member"].Remove(oUser.Properties["distinguishedName"].Value); oGroup.CommitChanges(); impersonate.StopImpersonate(); oGroup.Close(); oUser.Close(); } } /// <summary> /// 用戶模擬角色類。實如今程序段內進行用戶角色模擬。 /// </summary> public class IdentityImpersonation { [DllImport("advapi32.dll", SetLastError = true)] public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle); [DllImport("kernel32.dll", CharSet = CharSet.Auto)] public extern static bool CloseHandle(IntPtr handle); // 要模擬的用戶的用戶名、密碼、域(機器名) private String _sImperUsername; private String _sImperPassword; private String _sImperDomain; // 記錄模擬上下文 private WindowsImpersonationContext _imperContext; private IntPtr _adminToken; private IntPtr _dupeToken; // 是否已中止模擬 private Boolean _bClosed; /// <summary> ///構造函數 ///所要模擬的用戶的用戶名 ///所要模擬的用戶的密碼 ///所要模擬的用戶所在的域 /// </summary> /// <param name="impersonationUsername"></param> /// <param name="impersonationPassword"></param> /// <param name="impersonationDomain"></param> public IdentityImpersonation(String impersonationUsername, String impersonationPassword, String impersonationDomain) { _sImperUsername = impersonationUsername; _sImperPassword = impersonationPassword; _sImperDomain = impersonationDomain; _adminToken = IntPtr.Zero; _dupeToken = IntPtr.Zero; _bClosed = true; } /// <summary> /// 析構函數 /// </summary> ~IdentityImpersonation() { if (!_bClosed) { StopImpersonate(); } } /// <summary> /// 開始身份角色模擬。 /// </summary> /// <returns></returns> public Boolean BeginImpersonate() { Boolean bLogined = LogonUser(_sImperUsername, _sImperDomain, _sImperPassword, 2, 0, ref _adminToken); if (!bLogined) { return false; } Boolean bDuped = DuplicateToken(_adminToken, 2, ref _dupeToken); if (!bDuped) { return false; } WindowsIdentity fakeId = new WindowsIdentity(_dupeToken); _imperContext = fakeId.Impersonate(); _bClosed = false; return true; } /// <summary> /// 中止身分角色模擬。 /// </summary> public void StopImpersonate() { _imperContext.Undo(); CloseHandle(_dupeToken); CloseHandle(_adminToken); _bClosed = true; } } }
相關文章
- 1. 域操做類ADHelper
- 2. C\C++ 位域操做
- 3. C++ 類做用域
- 4. C++的做用域
- 5. mysql 用戶操做
- 6. Oracle 用戶操做
- 7. ubuntu用戶操做
- 8. 客戶端加入域操做
- 9. Linux:用戶&用戶組操做
- 10. CentOS用戶和用戶組的操做
- 更多相關文章...
- • Spring中Bean的作用域 - Spring教程
- • MySQL刪除用戶(DROP USER) - MySQL教程
- • C# 中 foreach 遍歷的用法
- • PHP Ajax 跨域問題最佳解決方案
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 域操做類ADHelper
- 2. C\C++ 位域操做
- 3. C++ 類做用域
- 4. C++的做用域
- 5. mysql 用戶操做
- 6. Oracle 用戶操做
- 7. ubuntu用戶操做
- 8. 客戶端加入域操做
- 9. Linux:用戶&用戶組操做
- 10. CentOS用戶和用戶組的操做