How can I determine if a Windows Identity corresponds to a local or a domain user?

Tags: c#, windows

I have a WindowsIdentity, which corresponds to an authenticated user. How can I determine if the identity corresponds to a local user on the machine, a domain user who has been added to the machine, or a domain user not added to the machine?

Let's just say I have 3 user accounts:

  • DomainUser (Member of domain users group, not added to any local group)
  • LocalUser (Local user created on the machine)
  • MappedDomainUser (Domain user who has been added to a group on the machine)

How can I differentiate between

  • DomainUser and LocalUser
  • LocalUser and MappedDomainUser
  • DomainUser and MappedDomainUser

As of now I am depending on the username and checking if it starts with the machine name. I then differentiate further by checking the groups the user is part of (if it's part of All Domain Users). Not the best way, I'm sure.

As I have the user SID from the WindowsIdentity.User property, can I use that somehow?

SharePoint Newbie asked Feb 19 '23 08:02


1 Answer

Not sure about mapped domain Admins. I just check for Local and domain Admin of the domain the user is logged into. Don't access the strings like "builtin\Admin"; they differ based on OS language version.

I like to use the .NET 4.5 Principals approach. You can do something similar if you can use 4.5.

So, with regard to the question "How can I differentiate between":

  • DomainUser and LocalUser
  • LocalUser and MappedDomainUser
  • DomainUser and MappedDomainUser

Sample code

using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;

namespace xxxxx
{
    public class UserEnvTools
    {
        // BuiltinAdministratorsSid / BuiltinUsersSid are the machine-local BUILTIN groups
        // (S-1-5-32-544 / S-1-5-32-545); the domainSid argument is ignored for them.
        // The domain-level groups are AccountDomainAdminsSid / AccountDomainUsersSid,
        // which require the domain SID (corrected here: the original post used the
        // Builtin types for the domain checks, so they tested the local groups instead).
        public static bool IsDomainAdmin()
        {
            // AccountDomainSid is also set for local accounts (it is then the machine SID),
            // so on a workgroup machine this checks a group that does not exist.
            // Consider the GetDomain methods based on scenario.
            var identity = WindowsIdentity.GetCurrent();
            if (identity.User == null || identity.User.AccountDomainSid == null)
                return false;
            var domainAdmins = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid,
                                                      identity.User.AccountDomainSid);
            var prin = new WindowsPrincipal(identity);
            return prin.IsInRole(domainAdmins);
        }

        public static bool IsDomainUser()
        {
            // Same workgroup caveat as IsDomainAdmin.
            var identity = WindowsIdentity.GetCurrent();
            if (identity.User == null || identity.User.AccountDomainSid == null)
                return false;
            var domainUsers = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid,
                                                     identity.User.AccountDomainSid);
            var prin = new WindowsPrincipal(identity);
            return prin.IsInRole(domainUsers);
        }

        public static bool IsLocalAdmin()
        {
            // BUILTIN\Administrators (S-1-5-32-544); the SID is the same in every OS language.
            var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
            return prin.IsInRole(localAdmins);
        }

        public static bool IsLocalUser()
        {
            // BUILTIN\Users (S-1-5-32-545)
            var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
            return prin.IsInRole(localUsers);
        }

        // Current security context applies
        public static Domain GetCurrentUserDomain()
        {
            try
            {
                return Domain.GetCurrentDomain();
            }
            // It may be better not to catch such errors?
            catch (ActiveDirectoryOperationException) // no controller / AD forest cannot be contacted
            { return null; }
            catch (ActiveDirectoryObjectNotFoundException) // the user's domain is not known to the controller
            { return null; }
        }

        public static Domain GetCurrentMachineDomain()
        {
            try
            {
                return Domain.GetComputerDomain();
            }
            // It may be better not to catch such errors?
            catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
            { return null; }
            catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
            { return null; }
        }
    }
}
phil soady answered Apr 27 '23 00:04
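The question asks to tell a local user, a domain user, and a domain user added to a local group apart, and the answer above does it through well-known group SIDs. The following is an added example, not code from either post, that classifies an arbitrary WindowsIdentity by SID rather than by account-name prefix: it reads the machine's own account-domain SID (S-1-5-21-...) from any local SAM account via System.DirectoryServices.AccountManagement, treats a user whose SID hangs off that authority as local, and treats a domain user as "mapped" when the logon token carries any group issued by that machine. The names AccountOrigin, IdentityClassifier, GetMachineSid and Classify are mine, and the code assumes a workstation or member server with a local SAM (it is not meant for a domain controller).

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

// Added example, not code from the question or the answer.
// Classification of a WindowsIdentity by SID: account names such as
// MACHINE\user or BUILTIN\Users depend on the OS language and on renames,
// SIDs do not.
public enum AccountOrigin
{
    LocalUser,        // SID issued by this machine's SAM
    DomainUser,       // domain SID, no membership in any machine-local group
    MappedDomainUser  // domain SID, member of at least one machine-local group
}

public static class IdentityClassifier
{
    // The machine's account-domain SID (S-1-5-21-a-b-c). Every local user's SID is
    // <machine SID>-<RID>, so it can be read from any local account without
    // contacting a domain controller. Assumption: the host has a local SAM
    // (workstation or member server); on a domain controller this is not meaningful.
    static SecurityIdentifier GetMachineSid()
    {
        using (var ctx = new PrincipalContext(ContextType.Machine))
        using (var searcher = new PrincipalSearcher(new UserPrincipal(ctx)))
        {
            Principal anyLocalUser = searcher.FindOne();
            if (anyLocalUser == null || anyLocalUser.Sid.AccountDomainSid == null)
                throw new InvalidOperationException("No local SAM account found; cannot derive the machine SID.");
            return anyLocalUser.Sid.AccountDomainSid;
        }
    }

    public static AccountOrigin Classify(WindowsIdentity identity)
    {
        if (identity == null)
            throw new ArgumentNullException(nameof(identity));
        if (identity.User == null)
            throw new ArgumentException("Anonymous identity has no user SID.", nameof(identity));

        SecurityIdentifier machineSid = GetMachineSid();

        // Local account: the user's SID was issued by this machine's authority.
        // (AccountDomainSid is null for SIDs that are not of the S-1-5-21 form.)
        SecurityIdentifier userAuthority = identity.User.AccountDomainSid;
        if (userAuthority != null && userAuthority.Equals(machineSid))
            return AccountOrigin.LocalUser;

        // Domain account. The logon token lists every group the user belongs to,
        // expanded at logon time. A group whose SID is <machine SID>-<RID> is a
        // machine-local group, so its presence means the domain user was added to
        // this machine. BUILTIN groups (S-1-5-32-*) have a null AccountDomainSid and
        // are skipped: BUILTIN\Users is granted to all authenticated logons and is
        // therefore no evidence of an explicit mapping.
        bool inMachineLocalGroup = identity.Groups != null && identity.Groups
            .OfType<SecurityIdentifier>()
            .Any(g => g.AccountDomainSid != null && g.AccountDomainSid.Equals(machineSid));

        return inMachineLocalGroup ? AccountOrigin.MappedDomainUser : AccountOrigin.DomainUser;
    }

    // Stand-alone demonstration on the calling process's own token.
    public static void Main()
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("{0} ({1}) -> {2}", current.Name, current.User, Classify(current));
        }
    }
}
```

Two points worth keeping in mind when using this for an authorization decision: the token groups are fixed at logon, so a domain user added to a local group after signing in still classifies as DomainUser until the next logon; and a domain user reaching a machine-local group only through a nested domain group still shows up as MappedDomainUser, because the token expansion already resolved the nesting.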