Difference between real user and system user accounts

Question:

When I get the UserPrincipal/DirectoryEntry records for a computer or an Active Directory domain, is there a way to tell system accounts apart from real users?

For example, jsmith is a real user, while ASPNET or IUSR_machine are not. But relying on hard-coded well-known names doesn't seem like the best way to filter out system users, since there can be other accounts too. Is there a better way?

For example, maybe there is a "can log on interactively" flag, or something that can be detected by inspecting the password settings, etc.

Try the Win32 methods LookupAccountName and LookupAccountSid. When the function returns, the last parameter (called accountType) is filled with the type of the account.

using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security.Permissions;
using System.Text;

/// <summary>
/// P/Invoke declarations for advapi32; the account type is returned in the last parameter.
/// </summary>
internal static class NativeMethods
{
    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupAccountSid(
         [In] string systemName,
         [In, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
         [Out] StringBuilder name,
         [In, Out] ref uint nameLength,
         [Out] StringBuilder referencedDomainName,
         [In, Out] ref uint referencedDomainNameLength,
         [Out] out AccountType accountType);

    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupAccountName(
         [In] string systemName,
         [In] string accountName,
         [Out, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
         [In, Out] ref uint sidSize,
         [Out] StringBuilder referencedDomainName,
         [In, Out] ref uint referencedDomainNameLength,
         [Out] out AccountType accountType);
}

/// <summary>
/// Defines the various account types of a Windows account
/// (same numeric values as the native SID_NAME_USE enumeration)
/// </summary>
public enum AccountType
{
    /// <summary>
    /// No account type
    /// </summary>
    None = 0,
    /// <summary>
    /// The account is a user
    /// </summary>
    User,
    /// <summary>
    /// The account is a security group
    /// </summary>
    Group,
    /// <summary>
    /// The account defines a domain
    /// </summary>
    Domain,
    /// <summary>
    /// The account is an alias
    /// </summary>
    Alias,
    /// <summary>
    /// The account is a well-known group, such as BUILTIN\Administrators
    /// </summary>
    WellknownGroup,
    /// <summary>
    /// The account was deleted
    /// </summary>
    DeletedAccount,
    /// <summary>
    /// The account is invalid
    /// </summary>
    Invalid,
    /// <summary>
    /// The type of the account is unknown
    /// </summary>
    Unknown,
    /// <summary>
    /// The account is a computer account
    /// </summary>
    Computer,
    /// <summary>
    /// The SID is a mandatory integrity label
    /// </summary>
    Label
}

Would the returned AccountType differ between real users and system users, i.e. would AccountType.User be returned for both?


It returns something like "Alias" for the built-in Administrators group. But I think you are right about the ASPNET user or IUSR_machine... the interactive logon privilege *might* be a clue then..
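As an added example, not code from the answer or the comments above: a C# wrapper around the LookupAccountName signature posted in the answer that applies the documented two-call buffer-sizing pattern and surfaces the AccountType. The class and method names are my own; 122 is the Win32 ERROR_INSUFFICIENT_BUFFER code.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not part of the original answer: wraps the posted
// LookupAccountName signature with the documented two-call pattern.
static class AccountTypeLookup
{
    const int ERROR_INSUFFICIENT_BUFFER = 122;   // Win32 error code

    // Same numeric values as the SID_NAME_USE enumeration in winnt.h
    public enum AccountType { None = 0, User, Group, Domain, Alias, WellknownGroup,
                              DeletedAccount, Invalid, Unknown, Computer, Label }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LookupAccountName(
        string systemName, string accountName, byte[] sid, ref uint sidSize,
        StringBuilder referencedDomainName, ref uint referencedDomainNameLength,
        out AccountType accountType);

    // Resolves a name (e.g. "jsmith", "ASPNET", "Administrators") on the local
    // machine (systemName = null) and returns its SID type plus referenced domain.
    public static AccountType Classify(string accountName, out string domain)
    {
        uint sidSize = 0, domainLen = 0;
        // First call with empty buffers: fails with ERROR_INSUFFICIENT_BUFFER and
        // writes the required sizes into sidSize / domainLen.
        if (!LookupAccountName(null, accountName, null, ref sidSize, null, ref domainLen, out _))
        {
            int err = Marshal.GetLastWin32Error();
            if (err != ERROR_INSUFFICIENT_BUFFER)
                throw new Win32Exception(err);   // e.g. ERROR_NONE_MAPPED: unknown account
        }
        var sid = new byte[sidSize];
        var domainBuf = new StringBuilder((int)domainLen);
        // Second call with correctly sized buffers fills the SID, domain and type.
        if (!LookupAccountName(null, accountName, sid, ref sidSize, domainBuf, ref domainLen,
                               out AccountType type))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        domain = domainBuf.ToString();
        return type;
    }

    static void Main(string[] args)
    {
        foreach (var name in args)
            Console.WriteLine($"{Classify(name, out string domain)}: {domain}\\{name}");
    }
}
```

As the comment thread notes, ASPNET- or IUSR-style accounts still come back as User, so this separates users from groups, aliases and computer accounts rather than people from service accounts.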

For all intents and purposes, the sample accounts you listed are functionally identical to a user account you would create for a named person.

Try using the "samaccountname" property to eliminate accounts that are not users or groups.