[英]Identifying if a user is in the local administrators group
My Problem 我的问题
I'm using PInvoked Windows API functions to verify if a user is part of the local administrators group. 我正在使用PInvoked Windows API函数来验证用户是否属于本地管理员组。 I'm utilizing GetCurrentProcess
, OpenProcessToken
, GetTokenInformation
and LookupAccountSid
to verify if the user is a local admin. 我正在利用GetCurrentProcess
, OpenProcessToken
, GetTokenInformation
和LookupAccountSid
来验证用户是否是本地管理员。
GetTokenInformation
returns a TOKEN_GROUPS
struct with an array of SID_AND_ATTRIBUTES
structs. GetTokenInformation
返回带有TOKEN_GROUPS
结构数组的SID_AND_ATTRIBUTES
结构。 I iterate over the collection and compare the user names returned by LookupAccountSid
. 我遍历集合并比较LookupAccountSid
返回的用户名。
My problem is that, locally (or more generally on our in-house domain), this works as expected. 我的问题是,在本地(或更普遍地说,在我们内部的域中),这按预期工作。 The builtin\\Administrators is located within the group membership of the current process token and my method returns true. Builtin \\ Administrators位于当前流程令牌的组成员身份内,并且我的方法返回true。 On another domain of another developer the function returns false. 在另一个开发人员的另一个域上,该函数返回false。
The LookupAccountSid
functions properly for the first 2 iterations of the TOKEN_GROUPS
struct, returning None and Everyone, and then craps out complaining that "A Parameter is incorrect." LookupAccountSid
在TOKEN_GROUPS
结构的前2次迭代中正常运行,返回None和Everyone,然后抱怨“参数不正确”。
What would cause only two groups to work correctly? 是什么导致仅两个组正常工作?
The TOKEN_GROUPS
struct indicates that there are 14 groups. TOKEN_GROUPS
结构指示有14个组。 I'm assuming it's the SID that is invalid. 我假设这是无效的SID。
Everything that I have PInvoked I have taken from an example on the PInvoke website . 我已经调用了PInvoke 网站上的所有示例。 The only difference is that with the LookupAccountSid
I have changed the Sid
parameter from a byte[]
to a IntPtr
because SID_AND_ATTRIBUTES
is also defined with an IntPtr
. 唯一的区别是,通过LookupAccountSid
我将Sid
参数从byte[]
更改为IntPtr
因为SID_AND_ATTRIBUTES
也由IntPtr
定义。 Is this ok since LookupAccountSid
is defined with a PSID? 因为LookupAccountSid
是用PSID定义的,这样可以吗?
LookupAccountSid PInvoke LookupAccountSid PInvoke
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
static extern bool LookupAccountSid(
string lpSystemName,
IntPtr Sid,
StringBuilder lpName,
ref uint cchName,
StringBuilder ReferencedDomainName,
ref uint cchReferencedDomainName,
out SID_NAME_USE peUse);
Where the code falls over 代码落在哪里
for (int i = 0; i < usize; i++)
{
accountCount = 0;
domainCount = 0;
//Get Sizes
LookupAccountSid(null, tokenGroups.Groups[i].SID, null, ref accountCount, null,
ref domainCount, out snu);
accountName2.EnsureCapacity((int) accountCount);
domainName.EnsureCapacity((int) domainCount);
if (!LookupAccountSid(null, tokenGroups.Groups[i].SID, accountName2, ref accountCount, domainName,
ref domainCount, out snu))
{
//Finds its way here after 2 iterations
//But only in a different developers domain
var error = Marshal.GetLastWin32Error();
_log.InfoFormat("Failed to look up SID's account name. {0}", new Win32Exception(error).Message);
continue;
}
If more code is needed let me know. 如果需要更多代码,请告诉我。 Any help would be greatly appreciated. 任何帮助将不胜感激。
It sounds like you're trying to duplicate the functionality of NetUserGetLocalGroups
. 听起来您正在尝试复制NetUserGetLocalGroups
的功能。 You can also use NetUserGetInfo
with an information level of 1, and check the value of usri1_priv
in the USER_INFO_1
for USER_PRIV_ADMIN
. 您还可以使用信息级别为1的NetUserGetInfo
,并在USER_INFO_1
为USER_PRIV_ADMIN
检查usri1_priv
的值。
I'm not sure if NetUserGetLocalGroups knows about deny SIDs (If you need to verify if the current process (not the user account!) is in the admin group, you have to handle deny SIDs) 我不确定NetUserGetLocalGroups是否了解拒绝SID(如果您需要验证当前进程(不是用户帐户!)是否在admin组中,则必须处理拒绝SID。
If you only need to support 2000 and later, PInvoke CheckTokenMembership (That MSDN page has a IsUserAdmin example function) 如果只需要支持2000及更高版本,则可以使用PInvoke CheckTokenMembership (该MSDN页面具有IsUserAdmin示例功能)
On NT4 you need to get a TokenGroups array from GetTokenInformation, but you don't call LookupAccountSid, you just call EqualSid on every item and compare it to a admin group SID you create with AllocateAndInitializeSid(...,SECURITY_BUILTIN_DOMAIN_RID,...) 在NT4上,您需要从GetTokenInformation获取TokenGroups数组,但不调用LookupAccountSid,您只需在每个项目上调用EqualSid,然后将其与使用AllocateAndInitializeSid(...,SECURITY_BUILTIN_DOMAIN_RID,...)创建的管理组SID进行比较。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.