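// Group information in AD has no strict hierarchy: a user may be in several groups,
// and a group may itself belong to several groups, so the memberships are collected
// recursively.

/// <summary>
/// Collects the groups that a user belongs to, directly or through nested groups,
/// by following the <c>memberOf</c> attribute upwards from the user.
/// </summary>
/// <remarks>
/// Each group is recorded in <see cref="GroupInfo"/> as the first RDN of its
/// distinguished name, followed by ';'.
/// NOTE(review): only the first RDN is kept, so two groups with the same CN in
/// different containers are indistinguishable here. Confirm that is acceptable
/// before using the result for an authorization decision.
/// NOTE(review): memberOf does not list an account's primary group, so that group
/// (and anything reached only through it) will be absent from the result.
/// </remarks>
public class ADAccess
{
    /// <summary>Accumulated group RDNs, each terminated by ';'.</summary>
    public StringBuilder GroupInfo { get; set; }

    public ADAccess()
    {
        this.GroupInfo = new StringBuilder();
    }

    /// <summary>
    /// Records every group the user with the given common name belongs to,
    /// including groups reached through nesting.
    /// </summary>
    /// <param name="root">Directory entry the searches start from.</param>
    /// <param name="userName">The user's cn value; it is matched literally.</param>
    public void GetGroupsByUser(DirectoryEntry root, string userName)
    {
        ExpandParents(root, GetGroups(root, TypeHelper.ADType.user, userName));
    }

    /// <summary>
    /// Records every group that the given group is a member of, recursively.
    /// </summary>
    /// <param name="root">Directory entry the searches start from.</param>
    /// <param name="groupName">The group's RDN in "attribute=value" form, e.g. the output of <see cref="SplitString"/>.</param>
    public void GetUserGroups(DirectoryEntry root, string groupName)
    {
        ExpandParents(root, GetGroups(root, TypeHelper.ADType.group, groupName));
    }

    /// <summary>
    /// Returns the first RDN of a distinguished name (the text before the first
    /// unescaped comma), or the whole string when it contains no such comma.
    /// </summary>
    public string SplitString(string group)
    {
        for (int i = 0; i < group.Length; i++)
        {
            if (group[i] == '\\')
            {
                // A backslash escapes the next character, so a "\," inside a
                // name is part of the RDN and must not end it.
                i++;
                continue;
            }

            if (group[i] == ',')
            {
                return group.Substring(0, i);
            }
        }

        return group;
    }

    /// <summary>
    /// Searches under <paramref name="root"/> for the named user or group and returns
    /// the first RDN of every memberOf value found on the matching entries.
    /// </summary>
    /// <param name="root">Directory entry the search starts from.</param>
    /// <param name="adType">Whether <paramref name="name"/> identifies a user or a group.</param>
    /// <param name="name">A cn value for a user, or an "attribute=value" RDN for a group.</param>
    /// <returns>The parent group RDNs; empty when nothing matched.</returns>
    /// <exception cref="System.ArgumentException">A group name is not in "attribute=value" form.</exception>
    public List<string> GetGroups(DirectoryEntry root, TypeHelper.ADType adType, string name)
    {
        List<string> groups = new List<string>();

        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // The name is escaped before it is placed in the filter so that characters
            // such as '*', '(' and ')' are matched literally and cannot alter the query.
            if (adType == TypeHelper.ADType.user)
            {
                searcher.Filter = "(&(objectClass=user) (cn=" + EscapeLdapFilterValue(name) + "))";
            }
            else if (adType == TypeHelper.ADType.group)
            {
                searcher.Filter = "(&(objectClass=group) (" + BuildGroupClause(name) + "))";
            }

            // The result collection and each bound entry hold directory resources,
            // so they are released as soon as they have been read.
            using (var results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    using (DirectoryEntry group = result.GetDirectoryEntry())
                    {
                        if (!group.Properties.Contains("memberOf"))
                        {
                            continue;
                        }

                        // Enumerating the collection handles zero, one or many values
                        // uniformly, without depending on the shape of .Value.
                        foreach (object obj in group.Properties["memberOf"])
                        {
                            groups.Add(SplitString(obj.ToString()));
                        }
                    }
                }
            }
        }

        return groups;
    }

    // Records each parent that is new and walks further up from it. A parent that is
    // already recorded is not expanded again, which also ends the walk when groups
    // are nested in a cycle.
    private void ExpandParents(DirectoryEntry root, List<string> parents)
    {
        foreach (string parent in parents)
        {
            if (TryRecord(parent))
            {
                GetUserGroups(root, parent);
            }
        }
    }

    // Appends the entry to GroupInfo unless it is already present as a whole
    // ';'-terminated item; returns true when it was appended. Matching whole items
    // keeps a short name from being mistaken for a longer one that contains it.
    private bool TryRecord(string entry)
    {
        string recorded = ";" + GroupInfo.ToString();
        if (recorded.Contains(";" + entry + ";"))
        {
            return false;
        }

        GroupInfo.Append(entry).Append(';');
        return true;
    }

    // Turns an "attribute=value" RDN into a filter clause with the value escaped.
    private static string BuildGroupClause(string rdn)
    {
        int separator = rdn == null ? -1 : rdn.IndexOf('=');
        if (separator <= 0)
        {
            throw new System.ArgumentException("Expected a relative distinguished name such as CN=GroupName.", "name");
        }

        string attribute = rdn.Substring(0, separator).Trim();
        if (attribute.Length == 0)
        {
            throw new System.ArgumentException("The attribute part of the group name is empty.", "name");
        }

        foreach (char c in attribute)
        {
            bool allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9') || c == '-' || c == '.';
            if (!allowed)
            {
                throw new System.ArgumentException("The attribute part of the group name contains an invalid character.", "name");
            }
        }

        return attribute + "=" + DnValueToFilterValue(rdn.Substring(separator + 1));
    }

    // Converts a DN-escaped attribute value into a filter-escaped one.
    private static string DnValueToFilterValue(string value)
    {
        StringBuilder filter = new StringBuilder(value.Length + 8);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (c != '\\')
            {
                AppendFilterEscaped(filter, c);
            }
            else if (i + 2 < value.Length && IsHexDigit(value[i + 1]) && IsHexDigit(value[i + 2]))
            {
                // A DN hex pair has the same "\XX" form as a filter escape.
                filter.Append('\\').Append(value[i + 1]).Append(value[i + 2]);
                i += 2;
            }
            else if (i + 1 < value.Length)
            {
                // "\c" in a DN stands for the literal character c.
                AppendFilterEscaped(filter, value[i + 1]);
                i++;
            }
            else
            {
                // A trailing lone backslash is treated as a literal backslash.
                filter.Append("\\5c");
            }
        }

        return filter.ToString();
    }

    // Escapes a plain value for use inside a search filter; null is treated as empty.
    private static string EscapeLdapFilterValue(string value)
    {
        string text = value ?? "";
        StringBuilder filter = new StringBuilder(text.Length + 8);
        foreach (char c in text)
        {
            AppendFilterEscaped(filter, c);
        }

        return filter.ToString();
    }

    // Appends one character, replacing the characters that have a special meaning
    // in a search filter with their "\XX" escapes.
    private static void AppendFilterEscaped(StringBuilder filter, char c)
    {
        switch (c)
        {
            case '\\': filter.Append("\\5c"); break;
            case '*': filter.Append("\\2a"); break;
            case '(': filter.Append("\\28"); break;
            case ')': filter.Append("\\29"); break;
            case '\0': filter.Append("\\00"); break;
            default: filter.Append(c); break;
        }
    }

    private static bool IsHexDigit(char c)
    {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }
}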