
How to determine if an AD group contains a given DirectoryEntry from another (trusted) domain?

  •  3
  • JohnFx  · Tech Community  · 16 years ago

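    I am trying to flesh out my code to determine whether a user is a member of a given AD group. It basically works, except when a member of the group happens to be from another (trusted) domain, because it is stored as a ForeignSecurityPrincipal.

    Given that I have a valid DirectoryEntry object for both the group I want to test and the account I want to check for, I need a DirectorySearcher filter string that lets me confirm the account is in the group, even if the account is a ForeignSecurityPrincipal.

    (vb.net code sample demonstrating the problem)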

    Dim ContainerGroup as DirectoryEntry = ... Code to get Group
    Dim UserToCheckFor as DirectoryEntry = ... Code to get User
    
    Dim DSearcher As New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
    DSearcher.AttributeScopeQuery = "member"
    
    'If an object is found, the account was in the group
    Return (DSearcher.FindOne() IsNot Nothing)  
    
  •  1
  •   JohnFx    16 years ago

    OK. Found it. This is what did the trick.

    (vb.net code sample)

    Dim ContainerGroup as DirectoryEntry = ... Code to get Group
    Dim UserToCheckFor as DirectoryEntry = ... Code to get User
    
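    ' Filter on the SID of the account being checked; a ForeignSecurityPrincipal carries the same objectSid as the foreign account
    Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(UserToCheckFor), New String() {"member;Range=0-5000"}, SearchScope.Base)
    ' Apply the filter to the objects listed in the group's member attribute, as in the question's code
    DSearcher.AttributeScopeQuery = "member"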
    
    Return (DSearcher.FindOne() IsNot Nothing) 
    
    
    ' ** Helper Methods **
    ' (requires Imports System.DirectoryServices)
    
    ' Builds an LDAP filter that matches an object by its SID
    Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
        Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
    End Function
    
    ' Converts the binary objectSid attribute to its string (SDDL) form, e.g. S-1-5-21-...
    Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
        Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
        Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
        Return sid.ToString
    End Function
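
The SID filter matches because a ForeignSecurityPrincipal object carries the same objectSid as the account in the trusted domain. The following is an added example, not code from the original post: a Python sketch that decodes a binary objectSid into the string form the helper above produces and builds the equivalent filter in both the string form and the RFC 4515 hex-escaped form. The function names and the sample SID are constructed for illustration.

```python
import struct

# Constructed sample: binary form of S-1-5-21-1000-2000-3000-1105
SAMPLE_SID = bytes.fromhex(
    "0105000000000005"                          # revision 1, 5 sub-authorities, authority 5
    "15000000e8030000d0070000b80b000051040000"  # 21, 1000, 2000, 3000, 1105
)

def sid_bytes_to_sddl(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or sub_count > 15:
        raise ValueError("unsupported SID header")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_filter_sddl(raw: bytes) -> str:
    """Filter in the string form used by the answer's helper."""
    return "(objectSid=%s)" % sid_bytes_to_sddl(raw)

def sid_filter_binary(raw: bytes) -> str:
    """Same filter with every byte hex-escaped (RFC 4515 binary value syntax)."""
    sid_bytes_to_sddl(raw)  # validate structure before building a filter from it
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in raw)

if __name__ == "__main__":
    print(sid_filter_sddl(SAMPLE_SID))
    print(sid_filter_binary(SAMPLE_SID))
```

Validating the SID structure before building the filter keeps malformed attribute data out of the query string.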
    