- How to check whether the user with [UserName] and [Password] is a domain administrator of [DomainName], without impersonation?
// Usage sketch: evaluate the extension method while running under the supplied credentials.
// NOTE(review): Impersonation is a project type; the (user, domain, password) argument order is taken from this call site — confirm.
using (Impersonation impersonation = new Impersonation(UserName, Domain, Password))
{
    // presumably GetCurrent() now returns the impersonated token — verify against Impersonation's implementation
    WindowsIdentity current = WindowsIdentity.GetCurrent();
    bool hasDomainAdminRole = current.IsDomainAdmin(Domain, UserName, Password);
    if (hasDomainAdminRole == false)
    {
        //deny access, for example
    }
}
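/// <summary>
/// Returns true when <paramref name="identity"/> carries the Domain Admins group of <paramref name="domain"/>
/// in its token. The domain is contacted with the supplied credentials only to read the domain SID.
/// </summary>
/// <param name="identity">Token to test. Membership comes from the token's group list, not from a directory query,
/// so the token must be a current logon for the account in question.</param>
/// <param name="domain">Domain name handed to <see cref="DirectoryContext"/>.</param>
/// <param name="userName">Account used to bind to the domain.</param>
/// <param name="password">Password for <paramref name="userName"/>.</param>
/// <returns>True when the token is in the domain's Domain Admins group (well-known RID 512).</returns>
/// <exception cref="ArgumentNullException"><paramref name="identity"/> is null.</exception>
/// <exception cref="InvalidOperationException">The domain entry exposes no objectSid attribute.</exception>
public static bool IsDomainAdmin(this WindowsIdentity identity, string domain, string userName, string password)
{
    if (identity == null)
    {
        throw new ArgumentNullException("identity");
    }

    DirectoryContext context = new DirectoryContext(DirectoryContextType.Domain, domain, userName, password);
    // Domain holds a live directory connection and is IDisposable; the original never released it.
    using (Domain d = Domain.GetDomain(context))
    using (DirectoryEntry de = d.GetDirectoryEntry())
    {
        byte[] domainSIdArray = de.Properties["objectSid"].Value as byte[];
        if (domainSIdArray == null)
        {
            throw new InvalidOperationException("Domain entry has no objectSid attribute; cannot derive the Domain Admins SID.");
        }

        SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
        // Domain Admins is RID 512 relative to the domain SID, so no lookup by (renameable, localisable) group name is needed.
        SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
        // IsInRole consults the SIDs in the token itself; it does not query memberOf.
        WindowsPrincipal wp = new WindowsPrincipal(identity);
        return wp.IsInRole(domainAdminsSId);
    }
}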
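/// <summary>
/// Sample entry point: authenticates the sample account against its domain, then checks Domain Admins membership.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    // Sample values only; real code reads these from configuration or a credential prompt.
    string userDomain = "somedomain";
    string userName = "username";
    string password = "apassword";

    // PrincipalContext owns a directory connection, so dispose it.
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, userDomain))
    {
        // ValidateCredentials takes the down-level logon name DOMAIN\user; the original joined the two
        // parts with an empty separator (@"") and produced "somedomainusername".
        string fullUserName = userDomain + @"\" + userName;

        // Authenticate first, then authorise: the membership lookup only runs for a caller that proved the password.
        if (context.ValidateCredentials(fullUserName, password) && IsDomainAdmin(userDomain, userName))
        {
            Console.WriteLine("Success!");
        }
    }
}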
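/// <summary>
/// Reports whether <paramref name="userName"/> is a direct member of the Domain Admins group of <paramref name="domain"/>.
/// </summary>
/// <param name="domain">Domain to query; becomes the host part of "LDAP://domain". Binds with the process credentials.</param>
/// <param name="userName">sAMAccountName to look up. LDAP filter metacharacters are escaped before the value enters the filter.</param>
/// <returns>True when the user's memberOf attribute lists the Domain Admins DN; false when the user does not exist.</returns>
/// <remarks>
/// memberOf holds direct membership only: an account that reaches Domain Admins through a nested group,
/// or through its primary group, is reported as false here. Group resolution is delegated to GetAdminDn.
/// </remarks>
public static bool IsDomainAdmin(string domain, string userName)
{
    if (string.IsNullOrEmpty(userName))
    {
        return false;
    }

    string adminDn = GetAdminDn(domain);

    // RFC 4515 filter escaping. The backslash is replaced first so the later substitutions are not re-escaped.
    string escapedUserName = userName
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");

    using (DirectoryEntry root = new DirectoryEntry("LDAP://" + domain))
    using (DirectorySearcher searcher = new DirectorySearcher(
        root,
        "(&(objectCategory=user)(samAccountName=" + escapedUserName + "))",
        new[] { "memberOf" }))
    {
        SearchResult result = searcher.FindOne();
        // FindOne returns null when nothing matches; the original dereferenced it unconditionally.
        if (result == null)
        {
            return false;
        }

        // memberOf echoes the stored casing of each DN, so compare case-insensitively rather than with Contains().
        foreach (object dn in result.Properties["memberOf"])
        {
            if (string.Equals(dn as string, adminDn, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }

        return false;
    }
}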
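/// <summary>
/// Resolves the distinguished name of the group whose cn is "Domain Admins" in <paramref name="domain"/>.
/// </summary>
/// <param name="domain">Domain to query ("LDAP://domain"); binds with the process credentials.</param>
/// <returns>The group's distinguishedName attribute.</returns>
/// <exception cref="InvalidOperationException">No group with that cn exists, or the entry carries no distinguishedName.</exception>
/// <remarks>
/// The group is found by its English display name. In a domain where it has been renamed or localised this
/// lookup finds nothing; deriving the group from WellKnownSidType.AccountDomainAdminsSid avoids that dependency.
/// </remarks>
public static string GetAdminDn(string domain)
{
    using (DirectoryEntry root = new DirectoryEntry("LDAP://" + domain))
    using (DirectorySearcher searcher = new DirectorySearcher(
        root,
        "(&(objectCategory=group)(cn=Domain Admins))",
        new[] { "distinguishedName" }))
    {
        SearchResult result = searcher.FindOne();
        // The original chained .FindOne().Properties[...][0] and threw NullReferenceException on a missing group.
        if (result == null)
        {
            throw new InvalidOperationException("No group with cn=Domain Admins was found in domain '" + domain + "'.");
        }

        ResultPropertyValueCollection values = result.Properties["distinguishedname"];
        if (values == null || values.Count == 0)
        {
            throw new InvalidOperationException("Group entry has no distinguishedName attribute.");
        }

        return (string)values[0];
    }
}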
/// <summary>
/// Renders <paramref name="sid"/> as its binary form in upper-case hex, the shape the "LDAP://&lt;SID=...&gt;"
/// binding string expects.
/// </summary>
/// <param name="sid">Identifier to encode.</param>
/// <returns>Two upper-case hex digits per byte, no separators; empty for a zero-length binary form.</returns>
static string BuildOctetString(SecurityIdentifier sid)
{
    byte[] raw = new byte[sid.BinaryLength];
    sid.GetBinaryForm(raw, 0);
    // BitConverter yields upper-case "XX-XX-..."; dropping the dashes gives exactly what the per-byte "X2" loop produced.
    return BitConverter.ToString(raw).Replace("-", string.Empty);
}
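/// <summary>
/// Reports whether <paramref name="userName"/> is a direct member of the Domain Admins group of <paramref name="domain"/>,
/// locating the group by its well-known RID (512) rather than by display name, so a renamed or localised group still resolves.
/// </summary>
/// <param name="domain">Domain to query ("LDAP://domain"); binds with the process credentials.</param>
/// <param name="userName">sAMAccountName to look up. LDAP filter metacharacters are escaped before the value enters the filter.</param>
/// <returns>True when the user's memberOf lists the group's DN; false when the user or the group cannot be found.</returns>
/// <exception cref="InvalidOperationException">The domain entry exposes no objectSid attribute.</exception>
/// <remarks>memberOf is direct membership only; nested-group and primary-group membership is not visible here.</remarks>
public static bool IsDomainAdmin(string domain, string userName)
{
    if (string.IsNullOrEmpty(userName))
    {
        return false;
    }

    using (DirectoryEntry domainEntry = new DirectoryEntry(string.Format("LDAP://{0}", domain)))
    {
        byte[] domainSIdArray = domainEntry.Properties["objectSid"].Value as byte[];
        if (domainSIdArray == null)
        {
            throw new InvalidOperationException("Domain entry has no objectSid attribute; cannot derive the Domain Admins SID.");
        }

        SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
        SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);

        // The <SID=...> binding form resolves the group object without knowing its name.
        using (DirectoryEntry groupEntry = new DirectoryEntry(string.Format("LDAP://<SID={0}>", BuildOctetString(domainAdminsSId))))
        {
            string adminDn = groupEntry.Properties["distinguishedname"].Value as string;
            if (string.IsNullOrEmpty(adminDn))
            {
                return false;
            }

            // RFC 4515 filter escaping; backslash first so the later substitutions are not re-escaped.
            string escapedUserName = userName
                .Replace("\\", "\\5c")
                .Replace("*", "\\2a")
                .Replace("(", "\\28")
                .Replace(")", "\\29")
                .Replace("\0", "\\00");

            using (DirectorySearcher searcher = new DirectorySearcher(
                domainEntry,
                string.Format("(&(objectCategory=user)(samAccountName={0}))", escapedUserName),
                new[] { "memberOf" }))
            {
                SearchResult result = searcher.FindOne();
                // FindOne returns null for an unknown account; the original dereferenced it unconditionally.
                if (result == null)
                {
                    return false;
                }

                // DN casing as stored may differ from the bound entry's; compare case-insensitively.
                foreach (object dn in result.Properties["memberOf"])
                {
                    if (string.Equals(dn as string, adminDn, StringComparison.OrdinalIgnoreCase))
                    {
                        return true;
                    }
                }

                return false;
            }
        }
    }
}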