我可以通过以下代码行检查用户是否是域管理员:
using (DirectoryEntry domainEntry = new DirectoryEntry(string.Format("LDAP://{0}", domain)))
{
byte[] domainSIdArray = (byte[])domainEntry.Properties["objectSid"].Value;
SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
using (DirectoryEntry groupEntry = new DirectoryEntry(string.Format("LDAP://<SID={0}>", BuildOctetString(domainAdminsSId))))
{
string adminDn = groupEntry.Properties["distinguishedname"].Value as string;
SearchResult result = (new DirectorySearcher(domainEntry, string.Format("(&(objectCategory=user)(samAccountName={0}))", userName), new[] { "memberOf" })).FindOne();
return result.Properties["memberOf"].Contains(adminDn);
}
}
更多细节here
但是当域控制器关闭或其脱机(没有任何连接)时,我收到以下错误:
服务器无法运行 . 在System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)的System.DirectoryServices.DirectoryEntry.Bind()处于System.DirectoryServices.DirectoryEntry.get_AdsObject()处于System.DirectoryServices.PropertyValueCollection.PopulateList()的System.DirectoryServices.PropertyValueCollection .. System.DirectoryServices.PropertyCollection.get_Item(String propertyName)中的ctor(DirectoryEntry条目,String propertyName)
是否能够检查用户是否是关闭域控制器的域管理员?
1 回答
您可以在不联系域控制器的情况下检查当前用户是否为域管理员 .
如果您的要求是检查arbirary用户是否是域管理员,我认为您不能在没有域控制器的情况下执行此操作 .
确实,Windows会为登录的断开连接缓存登录凭据 . 缓存在
HKEY_LOCAL_MACHINE\SECURITY\Cache中存储和加密 . 按照设计,缓存只能由LSA解密 . 如果您找到其他方法来解密或查询信息而不通过LSA,那么's a security hole that Microsoft will probably fix it right away. So, the only hope that you have is somehow LSA exposes an API to query the group informations stored in credentials cache. As far as I know, I don' t会看到这样的API存在 . 有关记录的LSA API,请参阅here .