I have a WindowsIdentity, which corresponds to an authenticated user. How can I determine if the identity corresponds to a local user on the machine, a domain user who has been added to the machine, or a domain user not added to the machine?

Let's just say I have 3 user accounts:

  • DomainUser (Member of domain users group, not added to any local group)
  • LocalUser (Local user created on the machine)
  • MappedDomainUser (Domain user who has been added to a group on the machine)

How can I differentiate between

  • DomainUser and LocalUsers
  • LocalUser and MappedDomainUser
  • DomainUser and MappedDomainUser

As of now I am depending on the username and checking if it starts with the machine name. I then differentiate further by checking the groups of which the user is part (if it's part of All Domain Users). Not the best way, I'm sure.

As I have the user SID from the WindowsIdentity.User property, can I use that somehow?

Kiquenet
SharePoint Newbie
  • Checking if the username starts with machine name is ok, and works. You can also check to see if that user exists on the domain and compare the sids to see if it's the same user. – Delorean Aug 28 '12 at 13:33
  • I was wondering if I could use well-known SID types and see which SIDs this user belongs to, however the WindowsIdentity.User does not seem to match any well-known SIDs. – SharePoint Newbie Aug 28 '12 at 13:46
  • It's not really clear what you're trying to achieve here. Firstly, if an account in the domain is not a member of the Domain Users group, did you still want to count it as a domain account? Secondly, why do you want to distinguish between domain accounts that are members of any local group and those that are not? (Typically you would only need to check membership of some specific group.) Thirdly, do you want to include nested group memberships? – Harry Johnston Oct 05 '12 at 22:22
  • Useful http://stackoverflow.com/questions/9683373/how-to-check-if-user-with-username-and-password-is-domain-administrator-of – Kiquenet Oct 03 '14 at 11:09

2 Answers


Not sure about mapped domain Admins. I just check for Local and domain Admin of the domain the user is logged into. Don't access the strings like "builtin\Admin"; they differ based on OS language version.

I like to use the .NET 4.5 Principals approach. You can do something similar if you can use 4.5.

So with regard to the question, how can I differentiate between

  • DomainUser and LocalUsers
  • LocalUser and MappedDomainUser
  • DomainUser and MappedDomainUser

Sample code:

using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;

namespace xxxxx
{
    public class UserEnvTools
    {
        public static bool IsDomainAdmin()
        {
            // AccountDomainSid is null for well-known accounts (SYSTEM, service accounts).
            // For a local account it is the machine SID, so on a workgroup machine this
            // check is not meaningful: consider the GetDomain methods below based on scenario.
            var identity = WindowsIdentity.GetCurrent();
            if (identity.User.AccountDomainSid == null)
                return false;

            // "Domain Admins" (RID 512) of the account's own domain. The domainSid argument
            // is ignored for the Builtin* SID types, so BuiltinAdministratorsSid here would
            // only have tested the local BUILTIN\Administrators group.
            var domainAdmins = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid,
                                                      identity.User.AccountDomainSid);
            return new WindowsPrincipal(identity).IsInRole(domainAdmins);
        }

        public static bool IsDomainUser()
        {
            // Same caveat as above for workgroup machines and well-known accounts.
            var identity = WindowsIdentity.GetCurrent();
            if (identity.User.AccountDomainSid == null)
                return false;

            // "Domain Users" (RID 513) of the account's own domain.
            var domainUsers = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid,
                                                     identity.User.AccountDomainSid);
            return new WindowsPrincipal(identity).IsInRole(domainUsers);
        }

        public static bool IsLocalAdmin()
        {
            // BUILTIN\Administrators (S-1-5-32-544); no domain SID is needed.
            var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            return new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(localAdmins);
        }

        public static bool IsLocalUser()
        {
            // BUILTIN\Users (S-1-5-32-545); no domain SID is needed.
            var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            return new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(localUsers);
        }

        // Current security context applies
        public static Domain GetCurrentUserDomain()
        {
            try
            {
                return Domain.GetCurrentDomain();
            }
            // It may be better not to catch such errors?
            catch (ActiveDirectoryOperationException) // no controller / AD forest cannot be contacted
            { return null; }
            catch (ActiveDirectoryObjectNotFoundException) // the user's domain is not known to the controller
            { return null; }
        }

        public static Domain GetCurrentMachineDomain()
        {
            try
            {
                return Domain.GetComputerDomain();
            }
            // It may be better not to catch such errors?
            catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
            { return null; }
            catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
            { return null; }
        }
    }
}
phil soady
  • Is that any clearer? I'm still not sure what Mapped user implies. An authenticated context is authenticated locally or in the current Domain/AD. I can't find reference to Mapped users in the documentation. http://msdn.microsoft.com/en-us/library/wwzcae1f.aspx – phil soady Oct 05 '12 at 07:59
  • "Mapped user" is not a Microsoft term, but the question defined it to mean "a domain user who is a member of a local group". (That definition is actually somewhat ambiguous because it doesn't say whether or not to include nested group memberships.) – Harry Johnston Oct 05 '12 at 22:04
  • What about `NETWORK_SERVICE, LOCAL SERVICE, LocalSystem, IIS APPPOOL` and http://stackoverflow.com/questions/5729264/what-are-all-the-user-accounts-for-iis-asp-net-and-how-do-they-differ ? `WindowsIdentity NT AUTHORITY\NETWORK SERVICE UserDomainName: MYDOMAIN UserName: MYMACHINENAME$`; `WindowsIdentity NT AUTHORITY\LOCAL SERVICE UserDomainName: NT AUTHORITY UserName: LOCAL SERVICE`; `WindowsIdentity NT AUTHORITY\SYSTEM UserDomainName: MYDOMAIN UserName: SYSTEM`; `WindowsIdentity IIS APPPOOL\MyCustomAppPool UserDomainName: IIS APPPOOL UserName: MyCustomAppPool` – Kiquenet Oct 03 '14 at 06:14
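The question asks whether the SID in WindowsIdentity.User can drive the classification, and the comment above lists the service and virtual accounts that a name-based check mishandles. The following is an added example (not code from the answer or from its author) that classifies an identity purely from SIDs: well-known accounts have no account domain, the "NT AUTHORITY\Local account" group SID S-1-5-113 marks local accounts on Windows 8.1 / Server 2012 R2 and later, and as a fallback a local account's AccountDomainSid equals the machine SID, which the example obtains with the Win32 LookupAccountName call on the bare computer name. The `AccountKind` enum, the `IdentityClassifier` class and its method names are this example's own; the P/Invoke signature and the S-1-5-113 SID are real Windows APIs and identifiers.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example, not code from the answer above. Classifies a WindowsIdentity from its SIDs
// rather than from the "MACHINE\user" display name. Assumes it runs on Windows.
public static class IdentityClassifier
{
    public enum AccountKind { LocalUser, DomainUser, BuiltinOrService, Unknown }

    // NT AUTHORITY\Local account (S-1-5-113) is added to the token of every local account on
    // Windows 8.1 / Server 2012 R2 and later (and on older versions with KB2871997 installed).
    private static readonly SecurityIdentifier LocalAccountSid = new SecurityIdentifier("S-1-5-113");

    public static AccountKind Classify(WindowsIdentity identity)
    {
        SecurityIdentifier user = identity.User;
        if (user == null)
            return AccountKind.Unknown;

        // SYSTEM, LOCAL SERVICE, NETWORK SERVICE and IIS APPPOOL\* are not S-1-5-21-... SIDs,
        // so they have no account domain at all.
        if (user.AccountDomainSid == null)
            return AccountKind.BuiltinOrService;

        if (new WindowsPrincipal(identity).IsInRole(LocalAccountSid))
            return AccountKind.LocalUser;

        // Fallback for tokens without S-1-5-113: a local account's domain SID is the machine SID.
        SecurityIdentifier machineSid = GetMachineSid();
        if (machineSid != null && machineSid.Equals(user.AccountDomainSid))
            return AccountKind.LocalUser;

        return AccountKind.DomainUser;
    }

    // Groups in the token that are local to this machine: BUILTIN aliases (S-1-5-32-*) and
    // groups created on the machine (S-1-5-21-<machine SID>-*). For a domain user this list
    // shows how it was "mapped" onto the machine. Note that BUILTIN\Users (S-1-5-32-545)
    // usually appears for every interactive logon because Authenticated Users is a member.
    public static List<string> LocalGroupMemberships(WindowsIdentity identity)
    {
        var names = new List<string>();
        SecurityIdentifier machineSid = GetMachineSid();
        foreach (IdentityReference group in identity.Groups)
        {
            var sid = group as SecurityIdentifier;
            if (sid == null)
                continue;
            bool isBuiltinAlias = sid.Value.StartsWith("S-1-5-32-", StringComparison.Ordinal);
            bool isMachineLocal = machineSid != null && sid.AccountDomainSid != null
                                  && machineSid.Equals(sid.AccountDomainSid);
            if (!isBuiltinAlias && !isMachineLocal)
                continue;
            // Translate to a display name only for reporting; the decision was made on the SID.
            try { names.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { names.Add(sid.Value); }
        }
        return names;
    }

    // LookupAccountName on the bare computer name returns the machine SID (SidTypeDomain).
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool LookupAccountName(string systemName, string accountName,
        byte[] sid, ref int sidSize, StringBuilder domainName, ref int domainNameSize, out int sidUse);

    public static SecurityIdentifier GetMachineSid()
    {
        int sidSize = 0, domainSize = 0, use;
        // First call only sizes the buffers (it fails with ERROR_INSUFFICIENT_BUFFER by design).
        LookupAccountName(null, Environment.MachineName, null, ref sidSize, null, ref domainSize, out use);
        if (sidSize == 0)
            return null;
        var sid = new byte[sidSize];
        var domain = new StringBuilder(domainSize);
        if (!LookupAccountName(null, Environment.MachineName, sid, ref sidSize, domain, ref domainSize, out use))
            return null;
        return new SecurityIdentifier(sid, 0);
    }
}
```

Usage: `IdentityClassifier.Classify(WindowsIdentity.GetCurrent())` answers "local user vs domain user vs well-known account", and `IdentityClassifier.LocalGroupMemberships(identity)` separates a plain domain user from one that has been added to machine groups. Deciding on SIDs rather than names sidesteps the localized group names the answer warns about and the machine-name-equals-domain-name collision raised in the other answer.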

Assuming WindowsIdentity.Name works like Environment.UserDomainName, if the user name begins with the machine name then it's not on the domain; otherwise it is on the domain. This allows you to write:

using System;
using System.Security.Principal;

public static bool IsDomain(WindowsIdentity identity)
{
    // Name has the form "AUTHORITY\user"; for a local account the authority is the machine name.
    // NetBIOS names are case-insensitive, so compare ignoring case.
    string prefix = identity.Name.Split('\\')[0];
    return !string.Equals(prefix, Environment.MachineName, StringComparison.OrdinalIgnoreCase);
}

The UserDomainName property first attempts to get the domain name component of the Windows account name for the current user. If that attempt fails, this property attempts to get the domain name associated with the user name provided by the UserName property. If that attempt fails because the host computer is not joined to a domain, then the host computer name is returned.

You may also filter against a list of available domains (e.g. stored in a DB) for the edge case that a computer name and the domain name are the same.

P.Brian.Mackey
  • What about `NETWORK_SERVICE, LOCAL SERVICE, LocalSystem, IIS APPPOOL` and http://stackoverflow.com/questions/5729264/what-are-all-the-user-accounts-for-iis-asp-net-and-how-do-they-differ ? `WindowsIdentity NT AUTHORITY\NETWORK SERVICE UserDomainName: MYDOMAIN UserName: MYMACHINENAME$`; `WindowsIdentity NT AUTHORITY\LOCAL SERVICE UserDomainName: NT AUTHORITY UserName: LOCAL SERVICE`; `WindowsIdentity NT AUTHORITY\SYSTEM UserDomainName: MYDOMAIN UserName: SYSTEM`; `WindowsIdentity IIS APPPOOL\MyCustomAppPool UserDomainName: IIS APPPOOL UserName: MyCustomAppPool` – Kiquenet Oct 03 '14 at 06:14
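The name-prefix check in this answer breaks on exactly the accounts the comment lists, and the answer itself notes the case where a computer name and a domain name coincide. As an added example (not the answer's own code), the classifier below hardens the name-based heuristic: it treats known non-domain authorities and machine accounts (`NAME$`) as service or virtual accounts, reports the computer-name/domain-name collision as ambiguous instead of guessing, and runs over sample names constructed from the comment. The `NameKind` enum, `NameBasedClassifier` and the authority list beyond the ones on this page (`NT SERVICE`, `BUILTIN`) are this example's own assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example, not part of the answer above. Hardens the "does the name start with the
// machine name" heuristic against the service and virtual accounts the comment lists.
public static class NameBasedClassifier
{
    public enum NameKind { Local, Domain, ServiceOrVirtual, Ambiguous, Unknown }

    // Authorities that are neither a machine name nor a domain name. NT AUTHORITY and
    // IIS APPPOOL come from the comment; NT SERVICE and BUILTIN are added assumptions.
    private static readonly HashSet<string> NonDomainAuthorities =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "NT AUTHORITY", "IIS APPPOOL", "NT SERVICE", "BUILTIN" };

    public static NameKind Classify(string accountName, string machineName, ISet<string> knownDomains)
    {
        if (string.IsNullOrEmpty(accountName))
            return NameKind.Unknown;
        int sep = accountName.IndexOf('\\');
        if (sep < 0)
            return NameKind.Unknown;                  // UPN or bare name: no authority to inspect
        string authority = accountName.Substring(0, sep);
        string user = accountName.Substring(sep + 1);

        if (NonDomainAuthorities.Contains(authority))
            return NameKind.ServiceOrVirtual;
        if (user.EndsWith("$", StringComparison.Ordinal))
            return NameKind.ServiceOrVirtual;         // machine account (MYMACHINENAME$)

        bool looksLocal = string.Equals(authority, machineName, StringComparison.OrdinalIgnoreCase);
        bool looksDomain = knownDomains != null && knownDomains.Contains(authority);
        if (looksLocal && looksDomain)
            return NameKind.Ambiguous;                // the name alone cannot decide; use the SID
        if (looksLocal)
            return NameKind.Local;
        return NameKind.Domain;
    }

    // Sample names constructed from the comment above; WORKSTATION1 and CORP are made up.
    public static Dictionary<string, NameKind> Demo()
    {
        var domains = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CORP", "SHARED" };
        var samples = new[]
        {
            @"WORKSTATION1\alice",          // local user
            @"CORP\bob",                    // domain user
            @"NT AUTHORITY\SYSTEM",         // well-known account
            @"NT AUTHORITY\LOCAL SERVICE",
            @"IIS APPPOOL\MyCustomAppPool", // virtual account
            @"CORP\WORKSTATION1$",          // machine account
            @"SHARED\carol",                // machine named SHARED in a domain named SHARED
        };
        var result = new Dictionary<string, NameKind>();
        foreach (string name in samples)
            result[name] = Classify(name, name.StartsWith("SHARED") ? "SHARED" : "WORKSTATION1", domains);
        return result;
    }
}
```

`Demo()` yields Local, Domain, ServiceOrVirtual, ServiceOrVirtual, ServiceOrVirtual, ServiceOrVirtual and Ambiguous for the seven samples in order. The Ambiguous outcome is the point of the last sample: when the authority string is both the machine name and a domain name, only the SID (whose AccountDomainSid is either the machine SID or the domain SID) can settle it.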