Checking to see if a user is a domain Administrator

Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?

Thanks,

Jonny
 
I'd look up WindowsIdentity and WindowsPrincipal.IsInRole() in MSDN,
seems like the answer
 
Jonny said:
Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?


Look at the sample code for WindowsIdentity.Impersonate(). That shows
how to get a WindowsIdentity using a username/password.

Then take that Identity and create a WindowsPrincipal and call the
IsInRole() method:

// needs: using System.Security.Principal;
bool isDomAdmin = new WindowsPrincipal(
    WindowsIdentity.GetCurrent()).IsInRole(@"DOMAINNAME\Domain Admins");

There are several caveats with this:

- it requires unsafe code
- it won't work on Win9x
- it won't work on Win NT or Win 2000 unless the user context that
it's running under has the TCB privilege (LogonUser() needs that
privilege on those OSes to work)
- there is a bug with IsInRole(string) where the match on the role
name might be case-sensitive if the user belongs to more than 22 groups
(or something like that).
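As an added example (not code from this thread), the same IsInRole check done by SID instead of by group name, which sidesteps the case-sensitivity and localisation problems of matching on the string "Domain Admins". It assumes .NET 2.0 or later (the IsInRole(SecurityIdentifier) overload and WellKnownSidType) and a domain-joined machine; the class and method names are my own.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the thread: Domain Admins membership by SID.
static class DomainAdminCheck
{
    // True when the given identity's logon token carries the Domain Admins group.
    // Domain Admins is the well-known RID 512 in the account's own domain, so
    // its SID is built from the account's domain SID and compared as a SID.
    public static bool IsDomainAdmin(WindowsIdentity identity)
    {
        if (identity == null || identity.User == null)
            return false; // anonymous identity: no account, no groups

        SecurityIdentifier domainSid = identity.User.AccountDomainSid;
        if (domainSid == null)
            return false; // local (non-domain) account cannot be a Domain Admin

        SecurityIdentifier domainAdmins =
            new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid);

        // IsInRole(SecurityIdentifier) matches on the token's group SIDs, so it
        // does not depend on how the group name is spelled or localised.
        return new WindowsPrincipal(identity).IsInRole(domainAdmins);
    }

    // Convenience wrapper for the process's own logon token; an identity obtained
    // from LogonUser()/Impersonate() can be passed to IsDomainAdmin() the same way.
    public static bool CurrentUserIsDomainAdmin()
    {
        return IsDomainAdmin(WindowsIdentity.GetCurrent());
    }

    static void Main()
    {
        Console.WriteLine("Current user is Domain Admin: " + CurrentUserIsDomainAdmin());
    }
}
```

Two things to keep in mind when reading the result: group membership in a token is fixed at logon, so a user added to or removed from Domain Admins after logging on is not reflected until they log on again; and on Vista and later with UAC enabled, a non-elevated process runs with a filtered token in which administrative groups are marked deny-only, so this returns false for a Domain Admin until the process is elevated.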
 
Hi Jonny:

Ah, in that case ...

Here is some code that would list all the users in the Administrators
group:

// needs: using System.Collections; using System.DirectoryServices;
DirectoryEntry group =
    new DirectoryEntry("WinNT://MACHINENAME/Administrators");
object members = group.Invoke("Members", null);
foreach (object member in (IEnumerable) members)
{
    DirectoryEntry x = new DirectoryEntry(member);
    Response.Write(x.Name);
    Response.Write("<br>");
}

And a little code to list all the groups for a given user:

// needs: using System.Collections; using System.DirectoryServices;
DirectoryEntry member = new DirectoryEntry("WinNT://MACHINE/USER");
object groups = member.Invoke("Groups", null);
foreach (object group in (IEnumerable) groups)
{
    DirectoryEntry x = new DirectoryEntry(group);
    Response.Write(x.Name);
    Response.Write("<br>");
}


Hopefully that will help you out. Do you also need to validate the
password?

--s
 
I know on windows 2000 LogonUser requires some elevated permissions.

Are you on 2000 or XP / 2003?

Do you need the user token to do impersonation? Or just simply
validate the password?
 
Hi Scott,

I only need to validate the password; the method needs to be multi-OS, i.e. NT, 2K, XP and 2K3. It also needs to be pretty quick. I don't really have a problem if I have two different methods for each OS, it's just preferable. The user running the App will more than likely be a Domain Administrator; if not, they should not be running it in the first place.

Thanks again,
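For the "validate the password, then confirm Domain Admin membership" requirement, here is an added example that is not from the thread. It uses System.DirectoryServices.AccountManagement, which postdates this discussion (.NET 3.5 or later), and assumes a domain-joined machine; the domain name "EXAMPLE" and the class and method names are placeholders. ValidateCredentials performs a single directory bind, so it needs neither LogonUser nor the TCB privilege, and the membership check reads the directory rather than a logon token.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not from the thread: credential check plus Domain Admins
// membership looked up in the directory.
static class DomainAdminValidator
{
    // Returns true only if the password is valid for the account AND the
    // account is (directly or through nested groups) a member of Domain Admins.
    public static bool ValidateDomainAdmin(string domain, string userName, string password)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // A bind against the domain; no token is created and no special
            // privilege on the calling process is required.
            if (!ctx.ValidateCredentials(userName, password))
                return false;

            using (UserPrincipal user =
                   UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                if (user == null || user.Sid == null)
                    return false;

                // Domain Admins is RID 512 in the user's account domain.
                SecurityIdentifier domainAdmins = new SecurityIdentifier(
                    WellKnownSidType.AccountDomainAdminsSid, user.Sid.AccountDomainSid);

                // GetAuthorizationGroups expands nested membership, so a user who is
                // in Domain Admins via an intermediate group is found as well.
                using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
                {
                    foreach (Principal g in groups)
                    {
                        if (g.Sid != null && g.Sid.Equals(domainAdmins))
                            return true;
                    }
                }
                return false;
            }
        }
    }

    static void Main(string[] args)
    {
        // Placeholder domain and account; password is read from the console so it
        // never appears in a command line or in code.
        Console.Write("Password for EXAMPLE\\jonny: ");
        string pwd = Console.ReadLine();
        Console.WriteLine("Domain Admin: " + ValidateDomainAdmin("EXAMPLE", "jonny", pwd));
    }
}
```

Note that every failed ValidateCredentials call is a real failed logon on the domain controller: it is logged there and counts toward the account lockout threshold, so an application that retries or is exposed to untrusted input can lock out the very administrator it is checking. Unlike the token-based IsInRole approach, this reflects the directory's current group membership rather than what the user had at logon time.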
 
Jonny:

I dug around a little bit but I can't come up with any links on the
topic of LogonUser performance :/

--s
 