
Checking to see if a user is a domain Administrator

Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?

Thanks,

Jonny
--
/Jonny
Nov 16 '05 #1
I'd look up WindowsIdentity and WindowsPrincipal.IsInRole() in MSDN,
seems like the answer

Jonny wrote:
Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?

Thanks,

Jonny

Nov 16 '05 #2
Although the following KB article is primarily targeted at forms
authentication in ASP.NET, it does demonstrate how to validate a
username and password against active directory and then find the
groups the user is a member of.

How to authenticate against the Active Directory by using Forms
authentication and Visual C# .NET
http://support.microsoft.com/default...b;en-us;316748

--
Scott
http://www.OdeToCode.com

On Mon, 12 Jul 2004 04:42:05 -0700, "Jonny"
<Jo***@discussions.microsoft.com> wrote:
Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?

Thanks,

Jonny


Nov 16 '05 #3
Jonny wrote:
Hey all,

I need to verify that a provided username is a Domain Administrator. Any ideas on how to do this?

Look at the sample code for WindowsIdentity.Impersonate(). That shows
how to get a WindowsIdentity using a username/password.

Then take that Identity and create a WindowsPrincipal and call the
IsInRole() method:

    bool isDomAdmin = new WindowsPrincipal(
        WindowsIdentity.GetCurrent()).IsInRole(@"DOMAINNAME\Domain Admins");

There are several caveats with this:

- it requires unsafe code
- it won't work on Win9x
- it won't work in Win NT or Win 2000 unless the user context that
it's running under has the TCB privilege (LogonUser() needs that
privilege on those OS's to work)
- there is a bug with IsInRole(string) where the match on the role
name might be case-sensitive if the user belongs to more than 22 groups
(or something like that).
--
mikeb
Nov 16 '05 #4
Hi Jonny:

Ah, in that case ...

Here is some code that would list all the users in the Administrators
group:

    // Needs: using System.Collections; using System.DirectoryServices;
    DirectoryEntry group =
        new DirectoryEntry("WinNT://MACHINENAME/Administrators");
    object members = group.Invoke("Members", null);
    foreach (object member in (IEnumerable) members)
    {
        DirectoryEntry x = new DirectoryEntry(member);
        Response.Write(x.Name);
        Response.Write("<br>");
    }

And a little code to list all the groups for a given user:

    // Needs: using System.Collections; using System.DirectoryServices;
    DirectoryEntry member = new DirectoryEntry("WinNT://MACHINE/USER");
    object groups = member.Invoke("Groups", null);
    foreach (object group in (IEnumerable) groups)
    {
        DirectoryEntry x = new DirectoryEntry(group);
        Response.Write(x.Name);
        Response.Write("<br>");
    }

Hopefully that will help you out. Do you also need to validate the
password?

--s

On Mon, 12 Jul 2004 08:44:02 -0700, "Jonny"
<Jo***@discussions.microsoft.com> wrote:
You don't happen to know how to do it in a non-AD Domain?

Thanks :)


--
Scott
http://www.OdeToCode.com
Nov 16 '05 #5
I know on windows 2000 LogonUser requires some elevated permissions.

Are you on 2000 or XP / 2003?

Do you need the user token to do impersonation? Or just simply
validate the password?
--
Scott
http://www.OdeToCode.com

On Tue, 13 Jul 2004 09:11:04 -0700, "Jonny"
<Jo***@discussions.microsoft.com> wrote:
Actually, could you tell me your method. It would appear calling the advapi32.dll",EntryPoint = "LogonUser" is not reliable, or particularly fast.

Thanks !


Nov 16 '05 #6
Hi Scott,

I only need to validate the password, the method needs to be multi-OS, i.e. NT, 2K, XP and 2K3. It also needs to be pretty quick. I don't really have a problem if I have two different methods for each OS, it's just preferable. The user running the App will more than likely be a Domain Administrator, if not they should not be running it in the first place.

Thanks again,

--
/Jonny
"Scott Allen" wrote:
I know on windows 2000 LogonUser requires some elevated permissions.

Are you on 2000 or XP / 2003?

Do you need the user token to do impersonation? Or just simply
validate the password?
--
Scott
http://www.OdeToCode.com

On Tue, 13 Jul 2004 09:11:04 -0700, "Jonny"
<Jo***@discussions.microsoft.com> wrote:
Actually, could you tell me your method. It would appear calling the advapi32.dll",EntryPoint = "LogonUser" is not reliable, or particularly fast.

Thanks !


Nov 16 '05 #7
Jonny:

I dug around a little bit but I can't come up with any links on the
topic of LogonUser performance :/

--s

On Wed, 14 Jul 2004 01:15:01 -0700, "Jonny"
<Jo***@discussions.microsoft.com> wrote:
Hi Scott,

I only need to validate the password, the method needs to be multi-OS, i.e. NT, 2K, XP and 2K3. It also needs to be pretty quick. I don't really have a problem if I have two different methods for each OS, it's just preferable. The user running the App will more than likely be a Domain Administrator, if not they should not be running it in the first place.

Thanks again,


--
Scott
http://www.OdeToCode.com
Nov 16 '05 #10
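
Added example, not part of the original thread or any poster's code: on .NET 3.5 or later, System.DirectoryServices.AccountManagement can validate a password without calling LogonUser and then test Domain Admins membership by SID (the domain SID plus RID 512) instead of the name string passed to IsInRole() in reply #4. It assumes an Active Directory domain reachable from the host; the class and method names and the SIDs in Main are constructed for illustration.

```csharp
// Added example. Reference System.DirectoryServices.AccountManagement (.NET 3.5+).
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class DomainAdminCheck
{
    // Pure check: is "<account domain SID>-512" (Domain Admins) among the group SIDs?
    // Comparing SIDs avoids renamed or localized group names and case-sensitivity issues.
    public static bool HasDomainAdminsSid(SecurityIdentifier userSid,
                                          IEnumerable<SecurityIdentifier> groupSids)
    {
        SecurityIdentifier domainSid = userSid.AccountDomainSid;
        if (domainSid == null) return false;          // not a domain account SID
        var domainAdmins = new SecurityIdentifier(
            WellKnownSidType.AccountDomainAdminsSid, domainSid);
        foreach (SecurityIdentifier sid in groupSids)
            if (domainAdmins.Equals(sid)) return true;
        return false;
    }

    // Validates the password, then resolves security groups (nested ones included).
    public static bool IsValidDomainAdmin(string domain, string user, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            if (!ctx.ValidateCredentials(user, password)) return false;
            using (UserPrincipal up = UserPrincipal.FindByIdentity(
                       ctx, IdentityType.SamAccountName, user))
            {
                if (up == null) return false;
                var sids = new List<SecurityIdentifier>();
                foreach (Principal g in up.GetAuthorizationGroups())
                    if (g.Sid != null) sids.Add(g.Sid);
                return HasDomainAdminsSid(up.Sid, sids);
            }
        }
    }

    static void Main()
    {
        // Constructed SIDs: exercises the pure check without contacting a domain.
        const string dom = "S-1-5-21-1004336348-1177238915-682003330";
        var user = new SecurityIdentifier(dom + "-1105");
        var groups = new[] { new SecurityIdentifier(dom + "-513"),    // Domain Users
                             new SecurityIdentifier(dom + "-512") };  // Domain Admins
        Console.WriteLine(HasDomainAdminsSid(user, groups));
    }
}
```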
