
Error when adding/removing Outlook distribution list users via .NET

  •  0
  • jimtut  · Community  · 7 years ago

    I am a co-owner of several Outlook distribution lists (DLs). I can edit them in Outlook, adding and removing members directly. However, I cannot do the same through a simple .NET program:

    using System;
    using System.DirectoryServices.AccountManagement;
    
    namespace DL_Remove_User
    {
        class Program
        {
            static void Main(string[] args)
            {
                try
                {
                    RemoveUser("My Distribution List", "jimtut");
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error: " + ex.ToString());
                }
            }
    
            private static void RemoveUser(string dl, string username)
            {
                // Bind to the CORP domain with the credentials of the current user
                using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "CORP"))
                {
                    GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, dl);
                    if (group == null)
                    {
                        throw new ArgumentException("Distribution list not found: " + dl);
                    }
                    // Remove() only changes the in-memory membership; the directory is written on Save()
                    bool result = group.Members.Remove(pc, IdentityType.SamAccountName, username);
                    Console.WriteLine(result.ToString());
                    group.Save();
                }
            }
        }
    }
    

    This code works fine for many other DLs, but for some DLs I get the message "Access is denied". Full stack trace:

    at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
    at System.DirectoryServices.DirectoryEntry.CommitChanges()
    at System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
    at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
    at System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p)
    at System.DirectoryServices.AccountManagement.Principal.Save()
    at Department_Distribution_Lists.Program.RemoveUser(String dl, String username) in Program.cs:line 483
    

    Of course, "Access is denied" does indicate a permissions problem, but I can edit these DLs directly in Outlook. I can even query the DL "owners" in AD/LDAP, and I am in the "msExchCoManagedByLink" collection.

    Any idea why I can edit in Outlook but not via .NET?

    1 answer
  •  0
  •   jimtut    5 years ago

    I finally figured it out. I was confused by this permissions problem because I could edit the DLs in Outlook but not via .NET.

    I started looking for differences between the DLs I could edit via .NET and the ones I could not, and found that the difference was in an AD attribute that the GUI shows as "Manager can update membership list":

    [image: dl]

    Even though I am the "manager" (list owner), if the DL does not have that attribute set, I can only edit it in Outlook.

    I did not want to inspect every DL by eye, so I wrote the following code to detect the "real" owners/editors of a DL:

        using System;
        using System.Collections.Generic;
        using System.DirectoryServices;
        using System.DirectoryServices.AccountManagement;
        using System.Security.AccessControl;
        using System.Security.Principal;

        static List<string> GetGroupOwners(GroupPrincipal group)
        {
            List<string> owners = new List<string>();
            DirectoryEntry deGroup = group.GetUnderlyingObject() as DirectoryEntry;
            ActiveDirectorySecurity ads = deGroup.ObjectSecurity;
            // Explicit and inherited ACEs, with identities returned as SIDs
            AuthorizationRuleCollection rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier));
            // Schema GUID of the "member" attribute
            Guid exRight_Member = new Guid("{bf9679c0-0de6-11d0-a285-00aa003049e2}");
    
            foreach (ActiveDirectoryAccessRule ar in rules)
            {
                // Only Allow ACEs count; a Deny ACE on the same rights does not make someone an owner
                if (ar.AccessControlType != AccessControlType.Allow)
                {
                    continue;
                }
                // Generic write, or write on the "member" attribute, is what group.Save() needs
                if (ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericWrite) || (ar.ObjectType.Equals(exRight_Member) && ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.WriteProperty)))
                {
                    string friendlyName = "";
                    try
                    {
                        friendlyName = ar.IdentityReference.Translate(typeof(NTAccount)).Value;
                    }
                    catch
                    {
                        // SID cannot be resolved (e.g. a deleted account); keep the raw SID instead
                        friendlyName = ar.IdentityReference.Value;
                    }
                    owners.Add(friendlyName);
                }
            }
            return owners;
        }
    

    If you want to know who has Outlook-based edit rights, that is a different check:

        using System.Collections.Generic;
        using System.DirectoryServices;
        using System.DirectoryServices.AccountManagement;

        static List<string> GetGroupOwnersOutlook(GroupPrincipal group)
        {
            List<string> owners = new List<string>();
            DirectoryEntry deGroup = group.GetUnderlyingObject() as DirectoryEntry;
            System.DirectoryServices.PropertyCollection r = deGroup.Properties;
            // Exchange/Outlook ownership: the single-valued managedBy DN ...
            foreach (string a in r["managedBy"])
            {
                owners.Add(a);
            }
            // ... plus the multi-valued co-manager DNs (both are empty if the attribute is unset)
            foreach (string a in r["msExchCoManagedByLink"])
            {
                owners.Add(a);
            }
    
            return owners;
        }
    
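As an added example (not part of the original answer), the following C# turns the two lists above into a per-user check: does the DL's DACL actually grant a given account, directly or through one of its token groups, write access to the `member` attribute, which is what `group.Save()` needs. It assumes the domain, DL name and SAM account name from the question, and it approximates ACL evaluation by treating any matching Deny ACE as blocking regardless of ACE order.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;
static class DlWriteCheck
{
    // Schema GUID of the "member" attribute (same value the answer above uses).
    static readonly Guid MemberAttr = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
    // True when the group's DACL grants 'user' (directly or through a token group) write
    // access to 'member' and no matching Deny ACE exists. Approximation: any matching Deny
    // is treated as blocking regardless of ACE order (stricter than canonical evaluation).
    public static bool CanEditMembers(GroupPrincipal group, UserPrincipal user)
    {
        var sids = new HashSet<SecurityIdentifier> { user.Sid };
        foreach (Principal p in user.GetAuthorizationGroups())
            if (p.Sid != null) sids.Add(p.Sid);
        var de = (DirectoryEntry)group.GetUnderlyingObject();
        var rules = de.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
        bool allowed = false;
        foreach (ActiveDirectoryAccessRule ar in rules)
        {
            if (!sids.Contains((SecurityIdentifier)ar.IdentityReference)) continue;
            ActiveDirectoryRights r = ar.ActiveDirectoryRights;
            bool writesMember = r.HasFlag(ActiveDirectoryRights.GenericAll)
                || r.HasFlag(ActiveDirectoryRights.GenericWrite)
                || (r.HasFlag(ActiveDirectoryRights.WriteProperty)
                    && (ar.ObjectType == Guid.Empty || ar.ObjectType == MemberAttr));
            if (!writesMember) continue;
            if (ar.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }
    // Assumed inputs from the question: domain "CORP", DL "My Distribution List", user "jimtut".
    public static string Diagnose(string domain, string dl, string sam)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, dl);
            UserPrincipal user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, sam);
            if (group == null || user == null) return "group or user not found";
            return CanEditMembers(group, user)
                ? "DACL grants write on member: group.Save() should succeed"
                : "no write on member in DACL: Outlook/Exchange ownership only";
        }
    }
}
```

Being listed in `managedBy` or `msExchCoManagedByLink` is what Outlook honours; only the DACL result decides whether the .NET save goes through.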