Checking to see if a user is a domain Administrator

Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?

Thanks,

Jonny
 
I'd look up WindowsIdentity and WindowsPrincipal.IsInRole() in MSDN,
seems like the answer
 
Although the following KB article is primarily targeted at forms
authentication in ASP.NET, it does demonstrate how to validate a
username and password against active directory and then find the
groups the user is a member of.

How to authenticate against the Active Directory by using Forms
authentication and Visual C# .NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;316748
 
Jonny said:
Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?


Look at the sample code for WindowsIdentity.Impersonate(). That shows
how to get a WindowsIdentity using a username/password.

Then take that Identity and create a WindowsPrincipal and call the
IsInRole() method:

    // needs: using System.Security.Principal;
    bool isDomAdmin = new WindowsPrincipal(
        WindowsIdentity.GetCurrent()).IsInRole(@"DOMAINNAME\Domain Admins");

There are several caveats with this:

- it requires unsafe code
- it won't work on Win9x
- it won't work in Win NT or Win 2000 unless the user context that
it's running under has the TCB privilege (LogonUser() needs that
privilege on those OS's to work)
- there is a bug with IsInRole(string) where the match on the role
name might be case-sensitive if the user belongs to more than 22 groups
(or something like that).
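
An added example, not part of the thread: it checks Domain Admins membership by the group's well-known SID (domain SID plus RID 512) instead of by name, so no role-name string comparison is involved. It assumes .NET 3.5 or later for System.DirectoryServices.AccountManagement; the class name DomainAdminCheck and its method names are hypothetical.

```csharp
// Added example; not code from the thread. Needs a reference to
// System.DirectoryServices.AccountManagement (.NET 3.5 or later).
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class DomainAdminCheck
{
    // Domain Admins is always <domain SID>-512, whatever the group is named.
    static SecurityIdentifier DomainAdminsSid(SecurityIdentifier accountSid)
    {
        SecurityIdentifier domainSid = accountSid.AccountDomainSid;
        if (domainSid == null) return null;   // not an account SID, no domain part
        return new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid);
    }

    // Token-based check: uses the groups already present in the logon token.
    public static bool IsDomainAdmin(WindowsIdentity identity)
    {
        if (identity.User == null) return false;   // anonymous token
        SecurityIdentifier admins = DomainAdminsSid(identity.User);
        return admins != null && new WindowsPrincipal(identity).IsInRole(admins);
    }

    // Directory-based check for a supplied user name; no password or token needed.
    public static bool IsDomainAdmin(string domain, string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null || user.Sid == null) return false;   // unknown account
            SecurityIdentifier admins = DomainAdminsSid(user.Sid);
            if (admins == null) return false;
            // GetAuthorizationGroups() expands nested security groups.
            foreach (Principal g in user.GetAuthorizationGroups())
                if (admins.Equals(g.Sid)) return true;
            return false;
        }
    }

    static void Main(string[] args)
    {
        Console.WriteLine(IsDomainAdmin(WindowsIdentity.GetCurrent()));
        if (args.Length == 2)   // args: domain name, account name (supplied by the caller)
            Console.WriteLine(IsDomainAdmin(args[0], args[1]));
    }
}
```

The token-based overload reports only what the token carries, so a UAC-filtered token of a Domain Admin returns false until the process is elevated.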
 
Hi Jonny:

Ah, in that case ...

Here is some code that would list all the users in the Administrators
group:

    // needs: using System.Collections; using System.DirectoryServices;
    DirectoryEntry group =
        new DirectoryEntry("WinNT://MACHINENAME/Administrators");
    // Members is an ADSI method, so it is called through Invoke()
    object members = group.Invoke("Members", null);
    foreach (object member in (IEnumerable) members)
    {
        DirectoryEntry x = new DirectoryEntry(member);
        Response.Write(x.Name);
        Response.Write("<br>");
    }

And a little code to list all the groups for a given user:

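    // needs: using System.Collections; using System.DirectoryServices;
    DirectoryEntry member = new DirectoryEntry("WinNT://MACHINE/USER");
    // Groups is an ADSI method, so it is called through Invoke()
    object groups = member.Invoke("Groups", null);
    foreach (object group in (IEnumerable) groups)
    {
        DirectoryEntry x = new DirectoryEntry(group);
        Response.Write(x.Name);
        Response.Write("<br>");
    }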


Hopefully that will help you out. Do you also need to validate the
password?

--s
 
I know on Windows 2000 LogonUser requires some elevated permissions.

Are you on 2000 or XP / 2003?

Do you need the user token to do impersonation? Or just simply
validate the password?
 
Hi Scott,

I only need to validate the password. The method needs to be multi-OS, i.e. NT, 2K, XP and 2K3. It also needs to be pretty quick. I don't really have a problem if I have to use different methods for each OS, it's just preferable. The user running the app will more than likely be a Domain Administrator; if not, they should not be running it in the first place.

Thanks again,
 
Jonny:

I dug around a little bit but I can't come up with any links on the
topic of LogonUser performance :/

--s
 
