I have a user account's SID, and I want the SIDs of the groups it belongs to

Posted 2024-08-26 03:27:44 · 441 characters · 2 views · 0 comments


This has to be obtained from a remote machine. The following query works not for SIDs, but for group and account names.

"SELECT GroupComponent FROM Win32_GroupUser WHERE PartComponent = \"Win32_UserAccount.Domain='" + accountDomain + "',Name='" + accountName + "'\""

The Win32_Group objects it returns come in the form of strings, and they only have domain and name (even though Win32_Group has a SID property).

I have this sinking feeling I'll have to:

  1. Turn the SID into an account name by querying Win32_SID;
  2. Perform the query above;
  3. Turn each of the resulting group names into SIDs by querying Win32_Group.
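The three-step route sketched above, written out as an added example (this is not code from the question or its answers): it uses System.Management against a remote host, resolves the SID with Win32_SID, runs the same Win32_GroupUser query by domain and name, and then dereferences each returned Win32_Group path to read its SID property. The class and method names are mine, `host` and the SID string are placeholders, and the connection uses the caller's current Windows credentials.

```csharp
// Added example (not from the question or answers): the three-step WMI route
// for a remote host, starting from the user's SID instead of a name.
using System;
using System.Collections.Generic;
using System.Management;

public static class WmiGroupSids
{
    // Names are interpolated into WQL, so refuse anything that could break out of
    // the quoted literal instead of trying to escape it (fail closed).
    static string Checked(string s)
    {
        if (string.IsNullOrEmpty(s) || s.IndexOfAny(new[] { '\'', '"', '\\' }) >= 0)
            throw new ArgumentException("unsafe value for WQL: " + s);
        return s;
    }

    public static List<string> GetGroupSidsForUserSid(string host, string userSid)
    {
        // Sign and encrypt the DCOM traffic; credentials default to the caller's.
        var options = new ConnectionOptions { Authentication = AuthenticationLevel.PacketPrivacy };
        var scope = new ManagementScope(@"\\" + host + @"\root\cimv2", options);   // host: placeholder
        scope.Connect();

        // Step 1: resolve the SID to domain + account name. Win32_SID instances are
        // fetched by key path, not enumerated with SELECT.
        string domain, name;
        using (var sidObj = new ManagementObject(scope,
                   new ManagementPath("Win32_SID.SID=\"" + Checked(userSid) + "\""), null))
        {
            sidObj.Get();
            domain = Checked((string)sidObj["ReferencedDomainName"]);
            name   = Checked((string)sidObj["AccountName"]);
        }

        // Step 2: the Win32_GroupUser query from the question, by domain + name.
        string wql = "SELECT GroupComponent FROM Win32_GroupUser WHERE PartComponent = " +
                     "\"Win32_UserAccount.Domain='" + domain + "',Name='" + name + "'\"";

        var sids = new List<string>();
        using (var searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wql)))
        using (var groupRefs = searcher.Get())
        {
            foreach (ManagementObject assoc in groupRefs)
            {
                // Step 3: GroupComponent is an object path string such as
                // \\HOST\root\cimv2:Win32_Group.Domain="DOM",Name="Users";
                // dereference it to get the real Win32_Group and read its SID property.
                var groupPath = new ManagementPath((string)assoc["GroupComponent"]);
                using (var group = new ManagementObject(scope, groupPath, null))
                {
                    group.Get();
                    sids.Add((string)group["SID"]);
                }
            }
        }
        return sids;
    }
}
```

Two things to keep in mind when using this: Win32_GroupUser reports the direct memberships recorded on that host, not the nested or effective set an access check would see, and the caller needs remote WMI (DCOM) rights on the target, which is why the connection is set to packet privacy rather than the default authentication level.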

Comments (2)

彼岸花似海 2024-09-02 03:27:44


Can you use the System.DirectoryServices.AccountManagement namespace classes?

using System.DirectoryServices.AccountManagement;

using (var context = new PrincipalContext( ContextType.Domain ))
{
    using (var user = UserPrincipal.FindByIdentity( context, accountName ))
    {
        if (user == null)
            throw new ArgumentException("account not found: " + accountName);

        var groups = user.GetAuthorizationGroups();
        foreach (Principal group in groups)
        {
            var sid = group.Sid;   // SecurityIdentifier of each group
        }
    }
}

It should work with ContextType.Machine, though you'd need to specify the machine name and have appropriate privileges.

using (var context = new PrincipalContext( ContextType.Machine,
                                           "MyComputer",
                                           userid,
                                           password ))
{
   ...
}

There's a nice MSDN article (longish, though) on using the new .NET 3.5 account management namespace.
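As an added example building on this answer (not the answer's own code), the following looks the user up by SID directly with the IdentityType.Sid overload of FindByIdentity, so the SID-to-name step is unnecessary, and reads each group's Sid property. It also makes the GetAuthorizationGroups / GetGroups distinction explicit. The class and method names are mine, `host` is a placeholder, and both contexts run under the caller's current credentials (use the constructor overload shown above if explicit credentials are required).

```csharp
// Added example (not from the answer): find a user by SID and collect the SID of
// every group, for a domain context or a (remote) machine context.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class PrincipalGroupSids
{
    // recursive=true  -> GetAuthorizationGroups: nested and well-known groups, i.e.
    //                    the set an access check actually sees.
    // recursive=false -> GetGroups: direct membership only.
    public static List<KeyValuePair<SecurityIdentifier, string>> ForUserSid(
        PrincipalContext context, string sidString, bool recursive = true)
    {
        var result = new List<KeyValuePair<SecurityIdentifier, string>>();

        // IdentityType.Sid skips the SID -> name round trip entirely.
        using (var user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, sidString))
        {
            if (user == null)
                throw new ArgumentException("no principal with SID " + sidString);

            using (PrincipalSearchResult<Principal> groups =
                       recursive ? user.GetAuthorizationGroups() : user.GetGroups())
            {
                foreach (Principal group in groups)
                using (group)
                {
                    result.Add(new KeyValuePair<SecurityIdentifier, string>(
                        group.Sid, group.SamAccountName));
                }
            }
        }
        return result;
    }

    // Current domain, caller's credentials.
    public static List<KeyValuePair<SecurityIdentifier, string>> FromDomain(string sidString)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
            return ForUserSid(ctx, sidString);
    }

    // Local SAM of another computer; "host" is a placeholder and the caller must
    // have rights there.
    public static List<KeyValuePair<SecurityIdentifier, string>> FromMachine(string host, string sidString)
    {
        using (var ctx = new PrincipalContext(ContextType.Machine, host))
            return ForUserSid(ctx, sidString);
    }
}
```

The SID of each group is a SecurityIdentifier, so comparisons against well-known SIDs or ACL entries can be done on the SID itself rather than on a display name that may be localized or renamed.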

(り薆情海 2024-09-02 03:27:44


Yes, there is, but some methods depend on having a domain.

  1. See this page for how to convert a SID to a user id using P/Invoke and the Windows API, or with .NET 2.0+ and no P/Invoke.

    using System.Security.Principal;

    // convert the user sid to a domain\name
    string account = new SecurityIdentifier(stringSid).Translate(typeof(NTAccount)).ToString();

  2. If you have AD and the user id in there, then use the DirectorySearcher method or the Account Management APIs to find the groups. Otherwise use the method outlined in this article to get local groups.

  3. Now use the API suggested by @tvanfosson to iterate the groups and get the SIDs. Or follow the info below.

In an ASP.NET application it is possible to use code like this to access group info provided a user is authenticated by Windows and not Forms authentication. In this example I've left an interesting note about exceptions that are thrown in that environment but it may apply to other users:

using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public List<string> GetGroupsFromLogonUserIdentity()
{
    List<string> groups = new List<string>();
    HttpRequest request = HttpContext.Current.Request;

    if (request.LogonUserIdentity.Groups != null)
    {
        foreach (IdentityReference group in request.LogonUserIdentity.Groups)
        {
            try
            {
                groups.Add(group.Translate(typeof(NTAccount)).ToString());
            }
            catch (IdentityNotMappedException)
            {
                // Swallow these exceptions without throwing an error. They are
                // the result of dead objects in AD which are associated with
                // user accounts. In this application users may have a group
                // name associated with their AD profile which cannot be
                // resolved in the Active Directory.
            }
        }
    }

    return groups;
}

LogonUserIdentity is based on the WindowsIdentity class. You could modify my code sample to use WindowsIdentity and function in a non-Web application. Once you iterate over a group you should be able to do something like this to get the SecurityIdentifier:

SecurityIdentifier secid = group as SecurityIdentifier;
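The non-web variant this answer describes, as an added example (not the answer's own code): it takes any WindowsIdentity (`HttpContext.Current.Request.LogonUserIdentity` is one, as is `WindowsIdentity.GetCurrent()`), keeps the SID of every token group, resolves the name where it can while skipping orphaned SIDs, and shows a membership check done on the SID rather than on the name. The class, method and `GroupInfo` names are mine.

```csharp
// Added example (not from the answer): token groups from a WindowsIdentity, keeping
// the SID even when the name can no longer be resolved.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class TokenGroupSids
{
    public sealed class GroupInfo
    {
        public SecurityIdentifier Sid;
        public string Name;      // null when the SID no longer maps to an account
    }

    public static List<GroupInfo> FromIdentity(WindowsIdentity identity)
    {
        var list = new List<GroupInfo>();
        if (identity == null || identity.Groups == null)
            return list;

        foreach (IdentityReference reference in identity.Groups)
        {
            // Token groups are already SIDs; Translate is the general form of
            // the "group as SecurityIdentifier" cast and never returns null here.
            var sid = (SecurityIdentifier)reference.Translate(typeof(SecurityIdentifier));

            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = null;     // orphaned SID (deleted group); keep the SID anyway
            }
            list.Add(new GroupInfo { Sid = sid, Name = name });
        }
        return list;
    }

    // Authorization decisions should compare SIDs, not names: names are localized
    // ("Administrators" vs "Administratoren") and groups can be renamed.
    public static bool IsMemberOfWellKnownGroup(WindowsIdentity identity, WellKnownSidType type)
    {
        var wanted = new SecurityIdentifier(type, null);
        foreach (GroupInfo g in FromIdentity(identity))
        {
            if (g.Sid.Equals(wanted))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            foreach (GroupInfo g in FromIdentity(me))
                Console.WriteLine("{0}  {1}", g.Sid.Value, g.Name ?? "<unresolved>");

            Console.WriteLine("Local admins group in token: " +
                IsMemberOfWellKnownGroup(me, WellKnownSidType.BuiltinAdministratorsSid));
        }
    }
}
```

WindowsIdentity.Groups reflects the token, so for the current process under UAC it shows the filtered (non-elevated) token's groups; for the ASP.NET LogonUserIdentity case it is the token the web server built for the authenticated user, which is the set that applies to that request.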