
C# Check if Current Logged on user is Admin (Remote Machine)

I know there are several discussions about this subject, but none really answers my exact question. I'm looking for a method that will remotely check whether a currently logged-on user has admin rights, whether he's a member of the local built-in "Administrators" group of the machine or a member of a group nested inside "Administrators", such as "Domain Admins". I found a couple of methods, but each provides only half a solution.

Method #1 (works remotely but only checks the local "Administrators" group):

// Requires: using System; using System.Collections; using System.DirectoryServices;
private bool isAdmin()
{
    string hostName = basicinfomodel.Loggedusername; // a username I get from another class
    try
    {
        // remote computer that I get from another class
        using (DirectoryEntry machine = new DirectoryEntry("WinNT://" + mycomputer.myComputerName))
        // get the local admin group
        using (DirectoryEntry group = machine.Children.Find("Administrators", "Group"))
        {
            // get the direct members of the local admin group (nested groups are not expanded)
            object members = group.Invoke("Members", null);
            foreach (object member in (IEnumerable)members)
            {
                // wrap each member once and dispose it when done
                using (DirectoryEntry entry = new DirectoryEntry(member))
                {
                    // compare account names case-insensitively
                    if (string.Equals(entry.Name, hostName, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
        }
    }
    catch (Exception)
    {
        // any lookup failure is treated as "not an admin"
    }

    return false;
}

Method #2 (checks both local and domain admin privileges but does not work remotely):

static bool isAdmin()
{
    WindowsIdentity User = new WindowsIdentity(@"user01");
    WindowsPrincipal princ = new WindowsPrincipal(User);
    return princ.IsInRole(WindowsBuiltInRole.Administrator);
}

So, as I said, I did not find any method that answers both needs:

  1. Check if the user truly has admin rights
  2. Do it remotely

Thanks for the help!

Sagiv b.g asked Mar 19 '23 06:03


2 Answers

Well, I think I found a way to do that. I'm sharing it in case other people want to use it. I played with a couple of methods I found and created the following (it seems to be working):

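// Requires: using System; using System.DirectoryServices.AccountManagement;
static bool isAdmin(string username, string machinename)
{
    using (PrincipalContext ctxMachine = new PrincipalContext(ContextType.Machine, machinename))
    using (PrincipalContext ctxDomain = new PrincipalContext(ContextType.Domain))
    {
        UserPrincipal up = UserPrincipal.FindByIdentity(ctxDomain, IdentityType.SamAccountName, username);
        GroupPrincipal gp = GroupPrincipal.FindByIdentity(ctxMachine, "Administrators");
        if (up == null || gp == null)
        {
            return false; // user or group not found
        }

        // GetMembers(true) expands nested groups; members are enumerated as Principal
        // because the result can contain accounts that are not users
        foreach (Principal member in gp.GetMembers(true))
        {
            if (string.Equals(up.SamAccountName, member.SamAccountName, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
    }
    return false;
}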

Note: This is a naive implementation. You should validate your code, check for nulls and handle exceptions.

Sagiv b.g answered Apr 08 '23 05:04
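
The same membership enumeration as the answer above, as an added example that is not code from either answer: it compares SIDs instead of account names (so a local account that shares its name with the domain user is not mistaken for it), finds the group by its well-known SID rather than its localized name, and returns null when membership could not be determined. The class name `RemoteAdminCheck` and method name `IsLocalAdmin` are assumptions, and it relies on `GetMembers(true)` expanding nested groups as that answer describes.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example; RemoteAdminCheck and IsLocalAdmin are hypothetical names.
static class RemoteAdminCheck
{
    // Well-known SID of BUILTIN\Administrators; the group's display name is localized.
    const string BuiltinAdministratorsSid = "S-1-5-32-544";

    // true/false when membership was determined, null when the lookup failed,
    // so a failed query is never read as "not an admin".
    public static bool? IsLocalAdmin(string samAccountName, string machineName)
    {
        try
        {
            using (var machineCtx = new PrincipalContext(ContextType.Machine, machineName))
            using (var domainCtx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(domainCtx, IdentityType.SamAccountName, samAccountName))
            using (var admins = GroupPrincipal.FindByIdentity(machineCtx, IdentityType.Sid, BuiltinAdministratorsSid))
            {
                if (user == null || admins == null) return null;
                SecurityIdentifier userSid = user.Sid;

                // Recursive enumeration yields leaf principals typed as Principal;
                // they can be computer accounts as well as users, so no cast to UserPrincipal.
                using (PrincipalSearchResult<Principal> members = admins.GetMembers(true))
                {
                    foreach (Principal member in members)
                    {
                        using (member)
                        {
                            // A SID match identifies the account itself, not just its name.
                            if (member.Sid != null && member.Sid.Equals(userSid)) return true;
                        }
                    }
                }
                return false;
            }
        }
        catch (PrincipalException) { return null; }            // server down, unresolvable member, etc.
        catch (UnauthorizedAccessException) { return null; }   // caller lacks rights on the remote machine
        catch (System.Runtime.InteropServices.COMException) { return null; }
    }
}
```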


The solution above is good, but it can throw too many exceptions in different cases, and you have to be an admin on the remote machine to run this method without an exception.

So, I don't want to catch all possible exceptions, and I want to do it as fast as possible.

So for me, this is the best and fastest check of the current user's admin rights on a remote machine:

    public static bool AdminCheck(string machineName)
    {
        if (Directory.Exists(string.Format("\\\\{0}\\admin$", machineName)))
        {
            return true;
        }

        return false;
    }

You cannot access administrative shares without admin rights, and they are automatically recreated when someone deletes them. And to be honest, I don't think that someone will try to delete the OS folder.

You can find more detailed information here: https://en.wikipedia.org/wiki/Administrative_share

Blaato answered Apr 08 '23 06:04