How can I determine if a Windows Identity corresponds to a local or a domain user?

醉酒成梦 2021-02-06 16:22

I have a WindowsIdentity, which corresponds to an authenticated user. How can I determine if the identity corresponds to a Local User on the machine, a domain user who has been

2 answers
  • 2021-02-06 16:25

    Not sure about mapped domain Admins. I just check for Local and domain Admin of the domain the user is logged into. Don't access the strings like "builtin\Admin"; they differ based on OS language version.

    I like to use the .NET 4.5 Principals approach. You can do something similar if you can use 4.5.

    So with regard to the question: how can I differentiate between

    • DomainUser and LocalUsers
    • LocalUser and MappedDomainUser
    • DomainUser and MappedDomainUser

    Sample code

    using System;
    using System.DirectoryServices.ActiveDirectory;
    using System.Security.Principal;

    namespace xxxxx
    {
        public class UserEnvTools
        {
            // AccountDomainSid is null for accounts without an account domain (e.g. NT AUTHORITY\SYSTEM).
            // On a workgroup machine it is the local machine SID, not a domain SID, so consider the
            // GetDomain methods below based on scenario.
            public static bool IsDomainAdmin()
            {
                var domainSid = WindowsIdentity.GetCurrent().User.AccountDomainSid;
                if (domainSid == null)
                    return false;
                // AccountDomainAdminsSid yields <domain>-512 ("Domain Admins"). BuiltinAdministratorsSid
                // is always S-1-5-32-544 (the local Administrators group); the domain SID is ignored for it.
                var domainAdmins = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid);
                var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                return prin.IsInRole(domainAdmins);
            }

            public static bool IsDomainUser()
            {
                var domainSid = WindowsIdentity.GetCurrent().User.AccountDomainSid;
                if (domainSid == null)
                    return false;
                // AccountDomainUsersSid yields <domain>-513 ("Domain Users").
                var domainUsers = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid, domainSid);
                var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                return prin.IsInRole(domainUsers);
            }

            public static bool IsLocalAdmin()
            {
                // S-1-5-32-544, BUILTIN\Administrators, independent of OS language
                var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
                var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                return prin.IsInRole(localAdmins);
            }

            public static bool IsLocalUser()
            {
                // S-1-5-32-545, BUILTIN\Users
                var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
                var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                return prin.IsInRole(localUsers);
            }

            // Current security context applies
            public static Domain GetCurrentUserDomain()
            {
                try
                {
                    return Domain.GetCurrentDomain();
                }
                // It may be better not to catch such errors?
                catch (ActiveDirectoryOperationException) // no controller / AD forest cannot be contacted
                {
                    return null;
                }
                catch (ActiveDirectoryObjectNotFoundException) // the user's domain is not known to the controller
                {
                    return null;
                }
            }

            public static Domain GetCurrentMachineDomain()
            {
                try
                {
                    return Domain.GetComputerDomain();
                }
                // It may be better not to catch such errors?
                catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
                {
                    return null;
                }
                catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
                {
                    return null;
                }
            }
        }
    }
    
  • 2021-02-06 16:43

    Assuming WindowsIdentity.Name works like Environment.UserDomainName, if the user name begins with the machine name, then it's not on the domain; otherwise it is on the domain. This allows you to write

    using System;
    using System.Security.Principal;

    public static bool IsDomain(WindowsIdentity identity)
    {
        // Take the "DOMAIN" part of "DOMAIN\user". Account and machine names are not
        // case-sensitive on Windows, so compare ignoring case.
        string prefix = identity.Name.Split('\\')[0];
        return !string.Equals(prefix, Environment.MachineName, StringComparison.OrdinalIgnoreCase);
    }
    

    The UserDomainName property first attempts to get the domain name component of the Windows account name for the current user. If that attempt fails, this property attempts to get the domain name associated with the user name provided by the UserName property. If that attempt fails because the host computer is not joined to a domain, then the host computer name is returned.

    You may also filter against a list of available domains (e.g. stored in a DB) for the edge case that a computer name and the domain name are the same.

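As an added example (not code from either answer above), here is a SID-based classifier that takes any WindowsIdentity rather than only the current one. It reads the local machine's account-domain SID with NetUserModalsGet (information level 2) through P/Invoke and compares it with identity.User.AccountDomainSid. Unlike the name-prefix check in the second answer, it is unaffected by OS language, by a computer whose name happens to equal a domain name, and by NT AUTHORITY accounts, whose name prefix is neither the machine name nor a domain. The enum, class and method names are my own; the code assumes Windows and a target that provides WindowsIdentity (the System.Security.Principal.Windows package on .NET Core/5+). It does not try to separate "mapped" domain users from other domain users, since that distinction is not carried in the SID.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: classify a WindowsIdentity by comparing its account-domain SID
// (the S-1-5-21-x-y-z prefix of the user SID) with the local machine's SID.
public enum AccountOrigin
{
    Anonymous,        // identity has no user SID at all
    NoAccountDomain,  // SYSTEM / LOCAL SERVICE / NETWORK SERVICE and other non S-1-5-21 SIDs
    LocalMachine,     // S-1-5-21-<this machine>-<rid>
    Domain            // S-1-5-21-<some other domain>-<rid>
}

public static class IdentityOrigin
{
    // USER_MODALS_INFO_2 (lmaccess.h): name and SID of the local account domain,
    // i.e. the SAM domain every local account belongs to.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct USER_MODALS_INFO_2
    {
        public string usrmod2_domain_name;
        public IntPtr usrmod2_domain_id;   // PSID
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    private static extern int NetUserModalsGet(string servername, int level, out IntPtr bufptr);

    [DllImport("netapi32.dll")]
    private static extern int NetApiBufferFree(IntPtr buffer);

    // Returns the SID of this machine's account domain (S-1-5-21-x-y-z).
    public static SecurityIdentifier GetLocalMachineSid()
    {
        IntPtr buf;
        int rc = NetUserModalsGet(null, 2, out buf);   // null servername = this computer
        if (rc != 0)
            throw new Win32Exception(rc);
        try
        {
            var info = (USER_MODALS_INFO_2)Marshal.PtrToStructure(buf, typeof(USER_MODALS_INFO_2));
            return new SecurityIdentifier(info.usrmod2_domain_id);
        }
        finally
        {
            NetApiBufferFree(buf);
        }
    }

    public static AccountOrigin Classify(WindowsIdentity identity)
    {
        if (identity == null)
            throw new ArgumentNullException("identity");
        if (identity.IsAnonymous || identity.User == null)
            return AccountOrigin.Anonymous;

        // AccountDomainSid is null for SIDs that are not S-1-5-21 account SIDs:
        // SYSTEM (S-1-5-18), LOCAL SERVICE (S-1-5-19), NETWORK SERVICE (S-1-5-20),
        // and also cloud identities such as Azure AD (S-1-12-1-...).
        SecurityIdentifier accountDomain = identity.User.AccountDomainSid;
        if (accountDomain == null)
            return AccountOrigin.NoAccountDomain;

        return accountDomain.Equals(GetLocalMachineSid())
            ? AccountOrigin.LocalMachine
            : AccountOrigin.Domain;
    }

    // Wrappers mirroring the IsLocalUser / IsDomainUser names of the first answer,
    // but driven by the identity passed in instead of WindowsIdentity.GetCurrent().
    public static bool IsLocalUser(WindowsIdentity identity)
    {
        return Classify(identity) == AccountOrigin.LocalMachine;
    }

    public static bool IsDomainUser(WindowsIdentity identity)
    {
        return Classify(identity) == AccountOrigin.Domain;
    }

    public static void Main()
    {
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("{0} -> {1}", me.Name, Classify(me));
        }
    }
}
```

On a domain-joined machine a domain account reports Domain and a local account reports LocalMachine; on a workgroup machine every interactive account reports LocalMachine. Treat NoAccountDomain as "decide separately": it covers both the built-in service principals and identities whose SID is not in the S-1-5-21 form, so an environment with Azure AD-joined machines needs an explicit rule for those rather than folding them into either bucket.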