如何确定Windows标识是对应于本地用户还是域用户？

Question

我有一个WindowsIdentity,它对应于经过身份验证的用户.如何确定标识是否与计算机上的本地用户,已添加到计算机的域用户或未添加到计算机的域相对应？

让我们说我有3个用户帐户:

• DomainUser(域用户组的成员,未添加到任何本地组)
• LocalUser(在机器上创建的本地用户)
• MappedDomainUser(已添加到计算机上的组的域用户)

我该如何区分

• DomainUser和LocalUsers
• LocalUser和MappedDomainUser
• DomainUser和MappedDomainUser

截至目前,我依赖于用户名并检查它是否以机器名称开头.然后,我通过检查用户所属的组(如果它是所有域用户的一部分)进一步区分.不是我确定的最好的方式.

因为我有来自WindowsIdentity.User属性的用户sid,我可以以某种方式使用它吗？

Answer 1

不确定映射域管理员.我只检查用户登录的域的本地和域管理员.不要访问像"builtin\Admin"这样的字符串,它们根据操作系统语言版本而有所不同.

我喜欢使用.net 4.5 Principals方法.如果可以使用4.5,你可以做类似的事情

所以关于问题如何区分

• DomainUser和LocalUsers
• LocalUser和MappedDomainUser
• DomainUser和MappedDomainUser

示例代码

using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal
namespace xxxxx
  {
  public class UserEnvTools
     {

    public static bool IsDomainAdmin()
    {   //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario 
        if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
            return false;
        var domainAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid,
                                                  WindowsIdentity.GetCurrent().User.AccountDomainSid);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(domainAdmins));
    }
    public static bool IsDomainUser()
    {
        //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario 
        if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
            return false;

        var domainUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid,
                                                WindowsIdentity.GetCurrent().User.AccountDomainSid);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(domainUsers));
    }

public static bool IsLocalAdmin()
{
var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(localAdmins));
}
    public static bool IsLocalUser()
    {
        var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(localUsers));

    }
    // Current security context applies  
    public static Domain GetCurrentUserDomain()
    {
        try
        {
            return System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
        }
        // It may be better not to ctach such errors?
        catch (ActiveDirectoryOperationException) // no Controller/AD Forest can not be contacted
        {return null;}
        catch (ActiveDirectoryObjectNotFoundException) // The USers Domain is not known to the controller
        {return null;}
    }

    public static Domain GetCurrentMachineDomain()
    {
        try
        {
            return System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain();
        }
        // It may be better not to ctach such errors?
        catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
        { return null; }
        catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
        { return null; }
    }