I have a WindowsIdentity, which corresponds to an authenticated user. How can I determine if the identity corresponds to a Local User on the machine, a domain user who has been added to the machine or a domain not not added to the machine?
Lets just say I have 3 user accounts:
How can I differentiate between
As of now I am depending on the username and checking if it starts with machine name. I then differentiate further by checking the groups of which the user is part of (if its part of All Domain Users). Not the best way I'm sure.
As I have the user sid from the WindowsIdentity.User property, can I use that somehow?
Not sure about mapped domain Admins. I just check for Local and domain Admin of the domain the user is a logged into. Dont access the strings like "builtin\Admin" they differ based on OS language version.
I like to use .net 4.5 Principals approach. You can do something similar if you can use 4.5
So with regard to the Question How can I differentiate between
Sample code
using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal
namespace xxxxx
{
public class UserEnvTools
{
public static bool IsDomainAdmin()
{ //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario
if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
return false;
var domainAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid,
WindowsIdentity.GetCurrent().User.AccountDomainSid);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(domainAdmins));
}
public static bool IsDomainUser()
{
//returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario
if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
return false;
var domainUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid,
WindowsIdentity.GetCurrent().User.AccountDomainSid);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(domainUsers));
}
public static bool IsLocalAdmin()
{
var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(localAdmins));
}
public static bool IsLocalUser()
{
var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(localUsers));
}
// Current security context applies
public static Domain GetCurrentUserDomain()
{
try
{
return System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
}
// It may be better not to ctach such errors?
catch (ActiveDirectoryOperationException) // no Controller/AD Forest can not be contacted
{return null;}
catch (ActiveDirectoryObjectNotFoundException) // The USers Domain is not known to the controller
{return null;}
}
public static Domain GetCurrentMachineDomain()
{
try
{
return System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain();
}
// It may be better not to ctach such errors?
catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
{ return null; }
catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
{ return null; }
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With