c# - 如何确定 Windows 标识对应的是本地用户还是域用户？

Question

我有一个 WindowsIdentity，它对应于一个经过身份验证的用户。如何确定身份对应的是机器上的本地用户、已添加到机器的域用户还是未添加到机器的域？

假设我有 3 个用户帐户:

• DomainUser(域用户组的成员，未添加到任何本地组)
• LocalUser(在机器上创建的本地用户)
• MappedDomainUser(已添加到机器上的组的域用户)

如何区分

• 域用户和本地用户
• 本地用户和映射域用户
• 域用户和映射域用户

截至目前，我依赖于用户名并检查它是否以机器名开头。然后我通过检查用户所属的组(如果它是所有域用户的一部分)来进一步区分。我确定这不是最好的方式。

因为我有来自 WindowsIdentity.User 属性的用户 sid，我能以某种方式使用它吗？

Answer 1

不确定映射域管理员。 我只是检查用户登录的域的本地和域管理员。 不要访问“builtin\Admin”之类的字符串，它们因操作系统语言版本而异。

我喜欢使用 .net 4.5 Principals 方法。 如果你可以使用 4.5，你可以做类似的事情

所以关于这个问题 我怎样才能区分

• 域用户和本地用户
• 本地用户和映射域用户
• 域用户和映射域用户

示例代码

using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal
namespace xxxxx
  {
  public class UserEnvTools
     {

    public static bool IsDomainAdmin()
    {   //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario 
        if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
            return false;
        var domainAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid,
                                                  WindowsIdentity.GetCurrent().User.AccountDomainSid);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(domainAdmins));
    }
    public static bool IsDomainUser()
    {
        //returns TRUE for a machine that is on a workgroup So consider GetDomain methods based on scenario 
        if (WindowsIdentity.GetCurrent().User.AccountDomainSid == null)
            return false;

        var domainUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid,
                                                WindowsIdentity.GetCurrent().User.AccountDomainSid);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(domainUsers));
    }

public static bool IsLocalAdmin()
{
var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return prin != null && (prin.IsInRole(localAdmins));
}
    public static bool IsLocalUser()
    {
        var localUsers = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var prin = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return prin != null && (prin.IsInRole(localUsers));

    }
    // Current security context applies  
    public static Domain GetCurrentUserDomain()
    {
        try
        {
            return System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
        }
        // It may be better not to ctach such errors?
        catch (ActiveDirectoryOperationException) // no Controller/AD Forest can not be contacted
        {return null;}
        catch (ActiveDirectoryObjectNotFoundException) // The USers Domain is not known to the controller
        {return null;}
    }

    public static Domain GetCurrentMachineDomain()
    {
        try
        {
            return System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain();
        }
        // It may be better not to ctach such errors?
        catch (ActiveDirectoryOperationException) // no controller or machine is not on a domain
        { return null; }
        catch (ActiveDirectoryObjectNotFoundException) // controller found, but the machine is not known
        { return null; }
    }