0

How can I know if a user is a member of the Administrator's group if the only information that I have is the user name (and domain if relevant)?

I do know how to get this information for the current user. However, in my case, I need to get this information for a user which is not logged in yet (I'm working on Credential Provider). Therefore, I can only use the user name & domain.

This issue is relevant only to Windows machines.

I'm working with C#/C++.

I am aware of C# WindowsPrincipal class as shown in: WindowsPrincipal

I am also aware of IsUserAnAdmin() Windows API. However, I cannot use these methods because I'm dealing with user which is not logged in yet (my code is executed before the user actually enters the Windows machine)

Community
  • 1
  • 1
g1500
  • 63
  • 1
  • 1
  • 8
  • have you tried cmd-line `net user /domain the_user_id` ? it returns a lot of stuff. – Jean-François Fabre Aug 22 '16 at 09:35
  • Admin privileges to what? files, a server, the pc they are on? are you running a website, a windows app, are you running it from a windows machine, or a unix machine? Theres just nothing like enough info to help you – BugFinder Aug 22 '16 at 09:35
  • 1
    Windows uses securable objects. The requirements to access an object (like a file or a process) are set for each object individually. There is no *"this user has access to everything"* user account, less so a flag that would indicate that. Why don't you ask the real question, instead of your solution? – IInspectable Aug 22 '16 at 09:45
  • Let me rephrase my question: I need to find a programatic way to know if a user is an administrator (member of the Administrators' group). If I was able to get this information for the current user, I could use IsUserAnAdmin() windows API or check via WindowsPrincipal class. I can't. I'm working on Credential Provider and the user is not logged in yet. – g1500 Aug 22 '16 at 10:25
  • Please [edit] your question to show [what you have tried so far](http://whathaveyoutried.com). You should include a [mcve] of the code that you are having problems with, then we can try to help with the specific problem. You should also read [ask]. – Toby Speight Aug 22 '16 at 14:59

1 Answers1

0

If "almost always right" is good enough, you'll need to recursively enumerate the user's group memberships to see whether or not you find the Administrators group. This isn't trivial, but it's not unreasonably difficult. There is no built-in library to do it for you.

The first catch is that this assumes you have sufficient access to the Active Directory to read all of the relevant groups. By default, the local system account will be able to do this, but you would need to prohibit the system administrator from changing the security permissions on the groups in such a way that domain computers can't read group memberships.

Also, I'm not sure what security context Credential Providers run in, so you might need a separate service running to enumerate the domain memberships on your behalf.

The second catch is that this won't include special security principals such as Everyone, INTERACTIVE, etc., but you can probably ignore these - it would be extremely unusual for any of them to be members of the Administrators group. If you think it necessary, you could attempt to include them, or you could explicitly prohibit the system administrator from doing this.

It would probably be more sensible to re-architecture as necessary so that you don't need to make this decision until you've already got the user's password.

Harry Johnston
  • 35,639
  • 6
  • 68
  • 158