4

我有一个 WindowsIdentity,它对应于经过身份验证的用户。如何确定身份对应于机器上的本地用户、已添加到机器的域用户还是未添加到机器的域?

假设我有 3 个用户帐户:

  • DomainUser(域用户组的成员,未添加到任何本地组)
  • LocalUser(在机器上创建的本地用户)
  • MappedDomainUser(已添加到本机组的域用户)

我怎样才能区分

  • 域用户和本地用户
  • LocalUser 和 MappedDomainUser
  • DomainUser 和 MappedDomainUser

到目前为止,我依赖于用户名并检查它是否以机器名开头。然后,我通过检查用户所属的组(如果它是所有域用户的一部分)来进一步区分。我敢肯定,这不是最好的方法。

由于我有来自 WindowsIdentity.User 属性的用户 sid,我可以以某种方式使用它吗?

4

2 回答 2

8

不确定映射的域管理员。我只是检查用户登录的域的本地和域管理员。不要访问诸如“builtin\Admin”之类的字符串,它们因操作系统语言版本而异。

我喜欢使用 .net 4.5 Principals 方法。如果你可以使用 4.5,你可以做类似的事情

所以关于问题我如何区分

  • 域用户和本地用户
  • LocalUser 和 MappedDomainUser
  • DomainUser 和 MappedDomainUser

示例代码 

using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal
namespace xxxxx
  {
  public class UserEnvTools
     {

    public static bool IsDomainAdmin()
    {   //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario 
        if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
            return false;
        var domainAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid,
                                                  WindowsIdentity.GetCurrent().User.AccountDomainSid);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(domainAdmins));
    }
    public static bool IsDomainUser()
    {
        //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario 
        if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
            return false;

        var domainUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid,
                                                WindowsIdentity.GetCurrent().User.AccountDomainSid);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(domainUsers));
    }

public static bool IsLocalAdmin()
{
var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(localAdmins));
}
    public static bool IsLocalUser()
    {
        var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(localUsers));

    }
    // Current security context applies  
    public static Domain GetCurrentUserDomain()
    {
        try
        {
            return System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
        }
        // It may be better not to ctach such errors?
        catch (ActiveDirectoryOperationException) // no Controller/AD Forest can not be contacted
        {return null;}
        catch (ActiveDirectoryObjectNotFoundException) // The USers Domain is not known to the controller
        {return null;}
    }

    public static Domain GetCurrentMachineDomain()
    {
        try
        {
            return System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain();
        }
        // It may be better not to ctach such errors?
        catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
        { return null; }
        catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
        { return null; }
    }
于 2012-09-02T14:18:46.810 回答
0

假设WindowsIdentity.Name像这样工作Environment.UserDomainName,如果用户名以机器名开头,那么它不在域上,否则它在域上。这允许你写

public static bool IsDomain(WindowsIdentity identity)
{
    string prefix = identity.Name.Split('\\')[0];
    if (prefix != Environment.MachineName)
        return true;
    else
        return false;
}

UserDomainName 属性首先尝试获取当前用户的 Windows 帐户名的域名部分。如果该尝试失败,此属性将尝试获取与 UserName 属性提供的用户名关联的域名。如果由于主机未加入域而导致该尝试失败,则返回主机名称。

对于计算机名称和域名相同的边缘情况,您还可以过滤可用域列表(例如存储在数据库中)。

于 2012-08-28T13:45:58.010 回答