真实用户和系统用户帐户之间的差异
问题描述:
当我获得计算机或Active Directory域的UserPrincipal/DirectoryEntry记录时,是否有办法区分系统帐户和真实用户?真实用户和系统用户帐户之间的差异
例如,jsmith是一个真正的用户,而ASPNET或IUSR_machine则不是。但依靠硬编码的已知名称似乎不是过滤系统用户的最佳方式,因为还可以有其他帐户。有没有更好的办法?
例如,也许有“可交互方式登录”的标志,或者,通过检查检测密码设置等
答
尝试的Win32 LookupAccountName和方法执行LookupAccountSid。当函数返回时,最后一个参数(称为accountType)填充了帐户的类型。
[SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool LookupAccountSid(
[In] string systemName,
[In, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
[Out] StringBuilder name,
[In, Out] ref uint nameLength,
[Out] StringBuilder referencedDomainName,
[In, Out] ref uint referencedDomainNameLength,
[Out] out AccountType accountType);
[SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool LookupAccountName(
[In] string systemName,
[In] string accountName,
[Out, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
[In, Out] ref uint sidSize,
[Out] StringBuilder referencedDomainName,
[In, Out] ref uint referencedDomainNameLength,
[Out] out AccountType accountType);
/// <summary>
/// Defines the various account types of a Windows accunt
/// </summary>
public enum AccountType
{
/// <summary>
/// No account type
/// </summary>
None = 0,
/// <summary>
/// The account is a user
/// </summary>
User,
/// <summary>
/// The account is a security group
/// </summary>
Group,
/// <summary>
/// The account defines a domain
/// </summary>
Domain,
/// <summary>
/// The account is an alias
/// </summary>
Alias,
/// <summary>
/// The account is a well-known group, such as BUILTIN\Administrators
/// </summary>
WellknownGroup,
/// <summary>
/// The account was deleted
/// </summary>
DeletedAccount,
/// <summary>
/// The account is invalid
/// </summary>
Invalid,
/// <summary>
/// The type of the account is unknown
/// </summary>
Unknown,
/// <summary>
/// The account is a computer account
/// </summary>
Computer,
Label
}
答
对于所有意图和目的,您列出的样本帐户在功能上与您为指定人创建的用户帐户相同。
对于真实用户和系统用户,返回的AccountType是否不相同 - 即AccountType.User是否会被返回? –
它会为内置管理员组返回类似“别名”的内容。但我想你是正确的ASPNET用户或IUSR_machine ...交互式登录特权*可能*是一个线索,然后.. –