如何在不模拟的情况下检查具有[UserName]和[Password]的用户是否是[DomainName]的域管理员
本文关键字:管理员 Password 用户 是否是 UserName DomainName 模拟 情况下 检查 | 更新日期: 2023-09-27 18:27:42
模拟示例
我可以检查是用户域管理员与下一行代码:
using (Impersonation im = new Impersonation(UserName, Domain, Password))
{
System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
bool isDomainAdmin = identity.IsDomainAdmin(Domain, UserName, Password);
if (!isDomainAdmin)
{
//deny access, for example
}
}
其中IsDomainAdmin-是扩展方法
public static bool IsDomainAdmin(this WindowsIdentity identity, string domain, string userName, string password)
{
Domain d = Domain.GetDomain(new DirectoryContext(DirectoryContextType.Domain, domain, userName, password));
using (DirectoryEntry de = d.GetDirectoryEntry())
{
byte[] domainSIdArray = (byte[])de.Properties["objectSid"].Value;
SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
WindowsPrincipal wp = new WindowsPrincipal(identity);
return wp.IsInRole(domainAdminsSId);
}
}
但是,当方法IsDomainAdmin被调用时,它正试图将一些文件写入模拟用户的%LOCALAPPDATA%,如果程序不是以管理员身份运行,它会抛出异常
未能加载文件或程序集"System.DirectoryServices,版本=4.0.0.0,区域性=中性,PublicKeyToken=b03f5f7f11d50a3a'或它的一个依赖项。不是必需的模拟级别提供,或者提供的模拟级别无效。(例外来自HRESULT:0x80070542)
您当然不需要用户的密码来验证用户是否是组的成员。那么,为什么不直接使用DirectoryEntry
或DirectorySearcher
查询AD呢?如果您还需要验证提供的密码是否正确,您可以在使用PrincipalContext.ValidateCredentials
的附加步骤中进行验证。(请参阅PrincipalContext.ValidateCredentials方法(String,String))。
static void Main(string[] args) {
string userDomain = "somedomain";
string userName = "username";
string password = "apassword";
if (IsDomainAdmin(userDomain, userName)) {
string fullUserName = userDomain + @"'" + userName;
PrincipalContext context = new PrincipalContext(
ContextType.Domain, userDomain);
if (context.ValidateCredentials(fullUserName, password)) {
Console.WriteLine("Success!");
}
}
}
public static bool IsDomainAdmin(string domain, string userName) {
string adminDn = GetAdminDn(domain);
SearchResult result = (new DirectorySearcher(
new DirectoryEntry("LDAP://" + domain),
"(&(objectCategory=user)(samAccountName=" + userName + "))",
new[] { "memberOf" })).FindOne();
return result.Properties["memberOf"].Contains(adminDn);
}
public static string GetAdminDn(string domain) {
return (string)(new DirectorySearcher(
new DirectoryEntry("LDAP://" + domain),
"(&(objectCategory=group)(cn=Domain Admins))")
.FindOne().Properties["distinguishedname"][0]);
}
我们修改了@jmh_gr答案,它似乎独立于"Domain Admins"
组名。
static string BuildOctetString(SecurityIdentifier sid)
{
byte[] items = new byte[sid.BinaryLength];
sid.GetBinaryForm(items, 0);
StringBuilder sb = new StringBuilder();
foreach (byte b in items)
{
sb.Append(b.ToString("X2"));
}
return sb.ToString();
}
public static bool IsDomainAdmin(string domain, string userName)
{
using (DirectoryEntry domainEntry = new DirectoryEntry(string.Format("LDAP://{0}", domain)))
{
byte[] domainSIdArray = (byte[])domainEntry.Properties["objectSid"].Value;
SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
using (DirectoryEntry groupEntry = new DirectoryEntry(string.Format("LDAP://<SID={0}>", BuildOctetString(domainAdminsSId))))
{
string adminDn = groupEntry.Properties["distinguishedname"].Value as string;
SearchResult result = (new DirectorySearcher(domainEntry, string.Format("(&(objectCategory=user)(samAccountName={0}))", userName), new[] { "memberOf" })).FindOne();
return result.Properties["memberOf"].Contains(adminDn);
}
}
}
无论如何,感谢@jmh_gr的回答。
@lluisfranco 使用此代码
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Net.NetworkInformation;
using System.Security.Principal;
namespace Alpha.Code
{
public static class SecurityExtensions
{
public static bool IsDomainAdmin (this WindowsIdentity identity)
{
Domain d = Domain.GetDomain(new
DirectoryContext(DirectoryContextType.Domain, getDomainName()));
using (DirectoryEntry de = d.GetDirectoryEntry())
{
byte[] bdomSid = (byte[])de.Properties["objectSid"].Value;
string sdomainSid = sIDtoString(bdomSid);
WindowsPrincipal wp = new WindowsPrincipal(identity);
SecurityIdentifier dsid = new SecurityIdentifier(sdomainSid);
SecurityIdentifier dasid = new SecurityIdentifier(
WellKnownSidType.AccountDomainAdminsSid, dsid);
return wp.IsInRole(dasid);
}
}
public static string getDomainName()
{
return IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
public static string sIDtoString(byte[] sidBinary)
{
SecurityIdentifier sid = new SecurityIdentifier(sidBinary, 0);
return sid.ToString();
}
}
}
使用示例:
if (WindowsIdentity.GetCurrent().IsDomainAdmin())
{
//Actions to do if user is domain admin
}
来源:
http://geeks.ms/blogs/lfranco/archive/2009/11/25/how-to-191-como-saber-si-el-usuario-actual-es-administrador-del-dominio.aspx