« Active directory »: difference between revisions
From Banane Atomic
(→LDAP) |
Ligne 57 : | Ligne 57 : | ||
* [http://samirvaidya.blogspot.ch/2012/06/using-active-directory-web-services-in.html Using Active Directory Web Services in C#/Visual Studio] | * [http://samirvaidya.blogspot.ch/2012/06/using-active-directory-web-services-in.html Using Active Directory Web Services in C#/Visual Studio] | ||
* [https://msdn.microsoft.com/en-us/library/dd303811.aspx Example of ChangePassword] | * [https://msdn.microsoft.com/en-us/library/dd303811.aspx Example of ChangePassword] | ||
= [https://docs.microsoft.com/en-us/troubleshoot/developer/visualstudio/csharp/language-compilers/add-user-local-system Local users and groups] = | |||
<kode lang='cs'> | |||
var ad = new DirectoryEntry($"WinNT://{Environment.MachineName},computer"); | |||
var user = ad.Children.Find("Bibi", "user"); | |||
var adminGroup = ad.Children.Find("Administrators", "group"); | |||
adminGroup.Invoke("Add", new object[] { user.Path }); // add the user to the admin group | |||
</kode> | |||
= LDAP = | = LDAP = |
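Review bot: the three DirectoryEntry objects in the added "Local users and groups" block (`var ad = new DirectoryEntry(...)`, `var user = ad.Children.Find(...)`, `var adminGroup = ad.Children.Find(...)`) wrap COM objects and are never disposed; declare them with `using var` so the handles are released. Two behaviours are also worth a sentence under the heading: `Children.Find` throws a COMException when the account or group does not exist, and `adminGroup.Invoke("Add", ...)` both requires the caller to be a local administrator and throws if the user is already a member, so the snippet is neither safe to run unelevated nor idempotent as written.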
Revision as of 20 February 2022 at 17:12
Installation on Windows Server 2012
Server Manager Dashboard → Add roles and features → Role-based
- AD Domain Services
- AD Federation Services
Server Manager Dashboard → AD DS → more → promote this server to a domain controller
- Add a New Forest
- Root domain name: domain.ch
The server must have a static IP address.
PowerShell scripts
Install Remote Server Administration Tools for Windows 10 if needed (otherwise: The specified module 'activedirectory' was not loaded)
<kode lang='powershell'>
Import-Module ActiveDirectory

# show all properties of every account whose e-mail address contains NAME
Get-ADUser -Filter {EmailAddress -like "*NAME*"} -Properties *

# show all user accounts
Get-ADUser -Filter {ObjectClass -eq "user"}

# show all user accounts whose mail attribute contains NAME
Get-ADObject -Filter {(mail -like "*NAME*") -and (ObjectClass -eq "user")}
</kode>
Add a user
- Server Manager → AD DS → right-click the server → AD Users and Computers
- right-click domain.ch → New → Organisational Unit
- right-click the OU → New → User
ADWS
- Default endpoint: NetTcpBinding on port 9389
- no HTTP binding support
<kode lang='cs'>
using System;
using System.ServiceModel;

// ADWSSvc is the service reference generated from the ADWS AccountManagement endpoint
NetTcpBinding tcpBind = new NetTcpBinding();
var acctMgmt = new ADWSSvc.AccountManagementClient(tcpBind,
    new EndpointAddress("net.tcp://localhost:9389/ActiveDirectoryWebServices/Windows/AccountManagement"));
acctMgmt.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

// list the members of the Domain Admins group
var adPrincipal = acctMgmt.GetADGroupMember("ldap:389", "CN=Domain Admins,CN=Users,DC=corp,DC=claimsauth,DC=com", "DC=corp,DC=claimsauth,DC=com", true);
foreach (var item in adPrincipal)
{
    Console.WriteLine(item.Name);
    Console.WriteLine(item.DistinguishedName);
    Console.WriteLine(item.SamAccountName);
}
</kode>
Links
- What's New in AD DS: Active Directory Web Services
- ADWS with HTTP Binding and access from a Java Client
- Active Directory Web Services Overview
- How to view SOAP XML messages to and from AD Webservices and Powershell
- Using Active Directory Web Services in C#/Visual Studio
- Example of ChangePassword
Local users and groups
<kode lang='cs'>
using System;
using System.DirectoryServices;

// bind to the local machine through the WinNT provider (must run as a local administrator)
using var ad = new DirectoryEntry($"WinNT://{Environment.MachineName},computer");
using var user = ad.Children.Find("Bibi", "user");
using var adminGroup = ad.Children.Find("Administrators", "group");
adminGroup.Invoke("Add", new object[] { user.Path }); // add the user to the admin group
</kode>
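Membership of the local Administrators group is the first thing to audit on a machine, and the page's add-to-group call is not idempotent. The following is an added example (not code from the wiki page): it lists the current members of the local group through the same WinNT provider and adds an account only when it is not already a member. The user name "Bibi" and the group name come from the page; the class and method names are this example's own.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not from the wiki page: audit and idempotently extend a local group.
static class LocalGroupAudit
{
    // Returns the ADsPath of every member, e.g. WinNT://MACHINE/Bibi or WinNT://DOMAIN/alice
    public static List<string> GetMemberPaths(string groupName)
    {
        var paths = new List<string>();
        using var group = new DirectoryEntry($"WinNT://{Environment.MachineName}/{groupName},group");
        // IADsGroup::Members returns a COM collection; wrap each item in a DirectoryEntry
        foreach (object member in (IEnumerable)group.Invoke("Members"))
        {
            using var entry = new DirectoryEntry(member);
            paths.Add(entry.Path);
        }
        return paths;
    }

    // Adds the local user to the group only when it is not already a member.
    // Returns true when a change was made. Must run as a local administrator.
    public static bool EnsureMember(string groupName, string userName)
    {
        using var machine = new DirectoryEntry($"WinNT://{Environment.MachineName},computer");
        using var user = machine.Children.Find(userName, "user");     // throws COMException if the account is missing
        using var group = machine.Children.Find(groupName, "group");

        // IADsGroup::IsMember takes the member's ADsPath
        bool alreadyMember = (bool)group.Invoke("IsMember", new object[] { user.Path });
        if (alreadyMember)
            return false; // IADsGroup::Add would throw for an existing member

        group.Invoke("Add", new object[] { user.Path });
        return true;
    }

    static void Main()
    {
        Console.WriteLine("Members of Administrators before:");
        foreach (var p in GetMemberPaths("Administrators"))
            Console.WriteLine("  " + p);

        bool changed = EnsureMember("Administrators", "Bibi");
        Console.WriteLine(changed ? "Bibi added to Administrators" : "Bibi was already a member");
    }
}
```

Running GetMemberPaths on a schedule and diffing the result against an expected list is a cheap way to spot accounts that were silently added to local Administrators.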
LDAP
User Info
<kode lang='cs'>
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static Dictionary<string, string> GetUserInfo()
{
    string adminUser = "Administrator";
    string adminPassword = "xxx";
    string container = "DC=domain,DC=ch";
    string domainController = "DOMAIN-CONTROLLER-NAME";
    string userName = "user";
    const AuthenticationTypes authenticationTypes = AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;
    var output = new Dictionary<string, string>();

    DirectoryEntry searchRoot = null;
    DirectorySearcher searcher = null;
    DirectoryEntry userEntry = null;
    try
    {
        // search the domain partition; bind to $"GC://{domainController}" instead to search the global catalog
        searchRoot = new DirectoryEntry($"LDAP://{domainController}/{container}", adminUser, adminPassword, authenticationTypes);
        searcher = new DirectorySearcher(searchRoot);
        // userName is inserted verbatim: escape it (RFC 4515) if it comes from user input
        searcher.Filter = $"(sAMAccountName={userName})";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.CacheResults = false;
        SearchResult searchResult = searcher.FindOne();
        if (searchResult == null)
        {
            output["Error"] = "User Not Found In This Domain";
            return output;
        }
        userEntry = searchResult.GetDirectoryEntry();
        output["Name"] = userEntry.Name; // CN=User
        foreach (PropertyValueCollection p in userEntry.Properties)
        {
            // multi-valued attributes come back as object[]
            object v = p.Value is object[] o ? string.Join(", ", o) : p.Value;
            output[p.PropertyName] = v?.ToString();
            // objectClass → top, person, organizationalPerson, user
            // givenName / displayName / name → User
            // sAMAccountName → user
            // userPrincipalName → user@domain.ch
        }
        return output;
    }
    catch (Exception ex)
    {
        output["Exception"] = ex.Message;
        return output;
    }
    finally
    {
        userEntry?.Dispose();
        searcher?.Dispose();
        searchRoot?.Dispose();
    }
}
</kode>
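The lookup above builds its search filter by concatenating the account name, so a name containing filter metacharacters changes the query. The following is an added example (not code from the wiki page) of the same lookup with the value escaped as RFC 4515 requires; the EscapeValue and FindUserDn names are this example's own, and the domain controller and container strings are the page's placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not from the wiki page: escape assertion values before they go into a filter.
static class LdapFilter
{
    // Escapes the characters RFC 4515 reserves inside a filter assertion value.
    public static string EscapeValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Filter for a user object by sAMAccountName, with the value escaped.
    public static string UserBySamAccountName(string samAccountName) =>
        $"(&(objectClass=user)(sAMAccountName={EscapeValue(samAccountName)}))";

    // Same lookup as the page's "User Info" code (current credentials), returning the DN or null.
    public static string FindUserDn(string domainController, string container, string samAccountName)
    {
        const AuthenticationTypes auth =
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;
        using var root = new DirectoryEntry($"LDAP://{domainController}/{container}", null, null, auth);
        using var searcher = new DirectorySearcher(root)
        {
            Filter = UserBySamAccountName(samAccountName),
            SearchScope = SearchScope.Subtree,
        };
        searcher.PropertiesToLoad.Add("distinguishedName");
        SearchResult result = searcher.FindOne();
        return result?.Properties["distinguishedName"][0] as string;
    }

    static void Main()
    {
        // constructed inputs: a normal account name and one containing filter metacharacters
        Console.WriteLine(UserBySamAccountName("user"));
        Console.WriteLine(UserBySamAccountName("*)(objectClass=*"));
        Console.WriteLine(FindUserDn("DOMAIN-CONTROLLER-NAME", "DC=domain,DC=ch", "user") ?? "not found");
    }
}
```

The first two lines printed by Main show the difference: the escaped second filter still matches at most one sAMAccountName literally equal to the odd string, instead of turning into a wildcard match on every user object.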
Change Password
<kode lang='cs'>
using System;
using System.DirectoryServices;

static string SetUserPassword()
{
    string adminUser = "Administrator";
    string adminPassword = "xxx";
    string container = "DC=domain,DC=ch";
    string domainController = "DOMAIN-CONTROLLER-NAME";
    string userName = "user";
    string newPassword = "xxx";
    const AuthenticationTypes authenticationTypes = AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    DirectoryEntry searchRoot = null;
    DirectorySearcher searcher = null;
    DirectoryEntry userEntry = null;
    try
    {
        searchRoot = new DirectoryEntry($"LDAP://{domainController}/{container}", adminUser, adminPassword, authenticationTypes);
        searcher = new DirectorySearcher(searchRoot);
        // userName is inserted verbatim: escape it (RFC 4515) if it comes from user input
        searcher.Filter = $"(sAMAccountName={userName})";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.CacheResults = false;
        SearchResult searchResult = searcher.FindOne();
        if (searchResult == null)
            return "User Not Found In This Domain";
        userEntry = searchResult.GetDirectoryEntry();
        // administrative reset: the bound account needs the "Reset password" right on the user object
        userEntry.Invoke("SetPassword", new object[] { newPassword });
        userEntry.CommitChanges();
        return "New password set";
    }
    catch (Exception ex)
    {
        return ex.ToString();
    }
    finally
    {
        userEntry?.Dispose();
        searcher?.Dispose();
        searchRoot?.Dispose();
    }
}
</kode>
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
The account running the service does not have the right to change a password.
Specify an Identity for an Application Pool:
- IIS Manager → click Application Pools
- right-click the application pool to modify → Advanced Settings → Process Model → Identity
- Custom Account
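Before giving the application pool a more privileged identity, it is worth checking which password operation the application actually needs. The following is an added example (not code from the wiki page) showing the two ADSI operations side by side: ChangePassword needs the user's current password and the user's own permission, so a self-service page can keep an unprivileged pool identity, while SetPassword is the administrative reset used in the page's code and needs the "Reset password" right on the user object. The AdPassword class and its method names are this example's own; the server and domain strings are the page's placeholders.

```csharp
using System;
using System.DirectoryServices;

// Added example, not from the wiki page: the two ADSI password operations and the rights each needs.
static class AdPassword
{
    const AuthenticationTypes Auth =
        AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    // Looks the account up under the current security context; samAccountName must not
    // contain filter metacharacters (escape it first if it comes from user input).
    static DirectoryEntry FindUser(string domainController, string container, string samAccountName)
    {
        using var root = new DirectoryEntry($"LDAP://{domainController}/{container}", null, null, Auth);
        using var searcher = new DirectorySearcher(root, $"(&(objectClass=user)(sAMAccountName={samAccountName}))");
        SearchResult result = searcher.FindOne();
        return result?.GetDirectoryEntry(); // null when the account does not exist
    }

    // DirectoryEntry.Invoke wraps the ADSI COMException; unwrap it for the message.
    static string AdsiError(Exception ex) => (ex.InnerException ?? ex).Message;

    // Self-service change: needs the current password, runs with the user's own rights,
    // and is subject to password policy (minimum age, history, complexity) and lockout.
    public static string ChangePassword(string dc, string container, string user, string oldPassword, string newPassword)
    {
        using DirectoryEntry entry = FindUser(dc, container, user);
        if (entry == null) return "User Not Found In This Domain";
        try
        {
            entry.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
            return "Password changed";
        }
        catch (Exception ex)
        {
            return "Change failed: " + AdsiError(ex);
        }
    }

    // Administrative reset: no old password, but the caller needs the "Reset password" right
    // on the user object. Delegate that single right to the service account on the OU that
    // holds the users rather than running the application pool as a domain administrator;
    // without it this is where "Access is denied (E_ACCESSDENIED)" comes from.
    public static string ResetPassword(string dc, string container, string user, string newPassword)
    {
        using DirectoryEntry entry = FindUser(dc, container, user);
        if (entry == null) return "User Not Found In This Domain";
        try
        {
            entry.Invoke("SetPassword", new object[] { newPassword });
            entry.CommitChanges();
            return "New password set";
        }
        catch (Exception ex)
        {
            return "Reset failed: " + AdsiError(ex);
        }
    }

    static void Main()
    {
        Console.WriteLine(ChangePassword("DOMAIN-CONTROLLER-NAME", "DC=domain,DC=ch", "user", "old-xxx", "new-xxx"));
        Console.WriteLine(ResetPassword("DOMAIN-CONTROLLER-NAME", "DC=domain,DC=ch", "user", "new-xxx"));
    }
}
```

Both methods rely on AuthenticationTypes.Sealing so the new password is encrypted on the wire; ChangePassword in addition goes through the normal policy checks, whereas a SetPassword reset bypasses minimum password age and password history, which is one more reason to reserve it for a helpdesk-style reset path.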