如何检查[UserName]和[Password]的用户是否是[DomainName]的域管理员而没有模拟?
[英]How to check if user with [UserName] and [Password] is domain administrator of [DomainName] without impersonation?
问题描述
我可以检查用户域管理员的下一行代码:
using (Impersonation im = new Impersonation(UserName, Domain, Password))
{
System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
bool isDomainAdmin = identity.IsDomainAdmin(Domain, UserName, Password);
if (!isDomainAdmin)
{
//deny access, for example
}
}
其中IsDomainAdmin - 是扩展方法
public static bool IsDomainAdmin(this WindowsIdentity identity, string domain, string userName, string password)
{
Domain d = Domain.GetDomain(new DirectoryContext(DirectoryContextType.Domain, domain, userName, password));
using (DirectoryEntry de = d.GetDirectoryEntry())
{
byte[] domainSIdArray = (byte[])de.Properties["objectSid"].Value;
SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
WindowsPrincipal wp = new WindowsPrincipal(identity);
return wp.IsInRole(domainAdminsSId);
}
}
但是,当调用方法IsDomainAdmin时,它会尝试将一些文件写入%LOCALAPPDATA%以供模拟用户使用,如果程序运行时不是管理员,则会抛出异常
无法加载文件或程序集'System.DirectoryServices,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b03f5f7f11d50a3a'或其依赖项之一。 未提供所需的模拟级别,或者提供的模拟级别无效。 (HRESULT异常:0x80070542)
3 个解决方案
解决方案1
3 已采纳 2012-03-13 13:02:44
您当然不需要用户的密码来验证用户是否是组的成员。 那你为什么不用DirectoryEntry或DirectorySearcher直接查询AD呢? 如果您还需要验证提供的密码是否正确,则可以使用PrincipalContext.ValidateCredentials在附加步骤中执行此操作。 (请参阅PrincipalContext.ValidateCredentials方法(字符串,字符串) )。
static void Main(string[] args) {
string userDomain = "somedomain";
string userName = "username";
string password = "apassword";
if (IsDomainAdmin(userDomain, userName)) {
string fullUserName = userDomain + @"\" + userName;
PrincipalContext context = new PrincipalContext(
ContextType.Domain, userDomain);
if (context.ValidateCredentials(fullUserName, password)) {
Console.WriteLine("Success!");
}
}
}
public static bool IsDomainAdmin(string domain, string userName) {
string adminDn = GetAdminDn(domain);
SearchResult result = (new DirectorySearcher(
new DirectoryEntry("LDAP://" + domain),
"(&(objectCategory=user)(samAccountName=" + userName + "))",
new[] { "memberOf" })).FindOne();
return result.Properties["memberOf"].Contains(adminDn);
}
public static string GetAdminDn(string domain) {
return (string)(new DirectorySearcher(
new DirectoryEntry("LDAP://" + domain),
"(&(objectCategory=group)(cn=Domain Admins))")
.FindOne().Properties["distinguishedname"][0]);
}
解决方案2
2 2012-03-14 08:45:31
我们修改了@jmh_gr应答,它似乎独立于"Domain Admins"组名。
static string BuildOctetString(SecurityIdentifier sid)
{
byte[] items = new byte[sid.BinaryLength];
sid.GetBinaryForm(items, 0);
StringBuilder sb = new StringBuilder();
foreach (byte b in items)
{
sb.Append(b.ToString("X2"));
}
return sb.ToString();
}
public static bool IsDomainAdmin(string domain, string userName)
{
using (DirectoryEntry domainEntry = new DirectoryEntry(string.Format("LDAP://{0}", domain)))
{
byte[] domainSIdArray = (byte[])domainEntry.Properties["objectSid"].Value;
SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
using (DirectoryEntry groupEntry = new DirectoryEntry(string.Format("LDAP://<SID={0}>", BuildOctetString(domainAdminsSId))))
{
string adminDn = groupEntry.Properties["distinguishedname"].Value as string;
SearchResult result = (new DirectorySearcher(domainEntry, string.Format("(&(objectCategory=user)(samAccountName={0}))", userName), new[] { "memberOf" })).FindOne();
return result.Properties["memberOf"].Contains(adminDn);
}
}
}
无论如何,感谢@jmh_gr的答案。
解决方案3
0 2014-10-03 11:16:35
使用@lluisfranco的代码
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Net.NetworkInformation;
using System.Security.Principal;
namespace Alpha.Code
{
public static class SecurityExtensions
{
public static bool IsDomainAdmin (this WindowsIdentity identity)
{
Domain d = Domain.GetDomain(new
DirectoryContext(DirectoryContextType.Domain, getDomainName()));
using (DirectoryEntry de = d.GetDirectoryEntry())
{
byte[] bdomSid = (byte[])de.Properties["objectSid"].Value;
string sdomainSid = sIDtoString(bdomSid);
WindowsPrincipal wp = new WindowsPrincipal(identity);
SecurityIdentifier dsid = new SecurityIdentifier(sdomainSid);
SecurityIdentifier dasid = new SecurityIdentifier(
WellKnownSidType.AccountDomainAdminsSid, dsid);
return wp.IsInRole(dasid);
}
}
public static string getDomainName()
{
return IPGlobalProperties.GetIPGlobalProperties().DomainName;
}
public static string sIDtoString(byte[] sidBinary)
{
SecurityIdentifier sid = new SecurityIdentifier(sidBinary, 0);
return sid.ToString();
}
}
}
使用范例:
if (WindowsIdentity.GetCurrent().IsDomainAdmin())
{
//Actions to do if user is domain admin
}
检查用户名和密码的类型是客户端还是管理员
[英]Check if for username and password the type is for a client or for a administrator
客户端/服务器应用程序,如何在不将用户名/密码传输到远程系统的情况下,以域用户身份在远程系统上创建进程?
[英]Client/Server app, how to create process on remote system as a domain user without transferring that users username/password to the remote system?
如何在asp.net mvc域名/用户名中进行路由,这样每个用户都有像facebook这样的“用户名”
[英]How to make routing in asp.net mvc domainname/username so each user has his “username” like facebook does
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.