How to get all the Security Identifiers (SIDs) that match a Windows user?

Posted on 2024-10-19 19:28:03 | 704 words | 7 views | 0 comments

Using .NET, I would like to programmatically get a list of all the groups of which a Windows user is a member, as well as all other SIDs (security identifiers) that represent a logged-in user. The resulting list should contain:

  1. The user himself.
  2. The groups for which he is a direct member
  3. The nested groups for which he is an indirect user
  4. The WellKnownSidTypes that match. For example:
    • Everyone
    • NT AUTHORITY\Authenticated Users
    • ...

The first item is trivial and I can already retrieve points 2 and 3 by using System.DirectoryServices and the attribute tokenGroups on the DirectoryEntry representing my user like this example.

Can somebody find an (easy) way to do this


Comments (1)

通知家属抬走 2024-10-26 19:28:03

If you want an easy way, I would say UserPrincipal.GetAuthorizationGroups is really easy. The only thing is that you can find it only in .NET 3.5 or later.

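// Requires a reference to System.DirectoryServices.AccountManagement (.NET 3.5 or later).
using System;
using System.DirectoryServices.AccountManagement;

// Bind to the domain and look the user up by sAMAccountName.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "yourdomain.com"))
{
    using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "YourUser"))
    {
        // FindByIdentity returns null when no matching user exists.
        if (user != null)
        {
            // Security groups the user belongs to, nested groups included.
            foreach (Principal p in user.GetAuthorizationGroups())
            {
                Console.WriteLine(p.Name);
            }
        }
    }
}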

GetAuthorizationGroups returns all the nested groups, including the well-known SIDs. It tries different ways of retrieving the nested group information. Indeed, one of the approaches it uses is to use DirectoryEntry to access the tokenGroups attribute.

UPDATE

To check whether the current user is in NT AUTHORITY\INTERACTIVE or LOCAL, we can use WindowsIdentity.Groups, which retrieves the current logon token directly. Note that the membership of NT AUTHORITY\INTERACTIVE and LOCAL is determined at runtime. The user is assigned to these groups based on the fact that you are logging onto that system now. Similarly, on my Windows 7, I can see my current logon user is also a member of NT AUTHORITY\REMOTE INTERACTIVE LOGON because I was logging on via remote desktop.

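// Requires: using System; using System.Security.Principal;
// Read the group SIDs from the current logon token and print them as account names.
WindowsIdentity id = WindowsIdentity.GetCurrent();
foreach (var group in id.Groups)
{
    Console.WriteLine(((NTAccount)group.Translate(typeof(NTAccount))).Value);
}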

I am sorry that I don't know any way to get the NT AUTHORITY\INTERACTIVE membership for any arbitrary user. I suspect there is no such way because this type of group membership is determined at runtime only when that user is really logging on.
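
The following is an added example, not part of the original answer: it combines the four items from the question for the current logon token, printing each SID value next to its resolved name and flagging well-known types with SecurityIdentifier.IsWellKnown. Display names such as Everyone are localized on non-English Windows, so comparisons should use the SID rather than the name. The class name TokenSids, the helper Describe and the choice of flagged types are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

static class TokenSids   // hypothetical name, for illustration only
{
    // Well-known types to flag; this selection is illustrative, not exhaustive.
    static readonly WellKnownSidType[] Flagged =
    {
        WellKnownSidType.WorldSid,              // Everyone
        WellKnownSidType.AuthenticatedUserSid,  // NT AUTHORITY\Authenticated Users
        WellKnownSidType.InteractiveSid,        // NT AUTHORITY\INTERACTIVE
        WellKnownSidType.LocalSid,              // LOCAL
        WellKnownSidType.RemoteLogonIdSid,      // NT AUTHORITY\REMOTE INTERACTIVE LOGON
    };

    static string Describe(SecurityIdentifier sid)
    {
        string name;
        // Translate throws when a SID has no account mapping (for example a deleted group).
        try { name = sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { name = "(unresolved)"; }

        // Match on the SID itself, never on the (localized) display name.
        var tags = new List<string>();
        foreach (WellKnownSidType t in Flagged)
            if (sid.IsWellKnown(t)) tags.Add(t.ToString());

        string suffix = tags.Count > 0 ? " [" + string.Join(",", tags.ToArray()) + "]" : "";
        return string.Format("{0,-48} {1}{2}", sid.Value, name, suffix);
    }

    static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // Item 1: the user himself.
            Console.WriteLine(Describe(id.User));

            // Items 2-4: direct, nested and well-known groups as held in the token.
            foreach (IdentityReference g in id.Groups)
                Console.WriteLine(Describe((SecurityIdentifier)g));
        }
    }
}
```

The output reflects the token of the process that runs it, so logon-type SIDs such as INTERACTIVE or REMOTE INTERACTIVE LOGON appear only when that logon actually took place.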
