Question

I have a unique quandary.

I'm developing a class that will test the user's account permissions, and I've covered most bases. But the one I'm most concerned with is testing against null or a SID.

The reason I'm concerned is:

if (user != null)
{
    // user is assumed to be a WindowsIdentity; wrap it in a principal to query roles
    var principal = new WindowsPrincipal(user);
    bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
}

Obviously a simple implementation to demonstrate, but will the WindowsBuiltInRole check strictly against the individual machine or against the domain? If the user's domain account is indeed Administrator, will it test successfully?

Or would the better way be to test against the five or six domain SID tokens? Will other user accounts, such as the Network Service account, manipulate it the same way? What would be the best way to ensure the authenticity of the token value?

Any input would be terrific.


Solution

The WindowsBuiltInRole enumeration corresponds exactly to Windows SIDs, and precisely to the well-known SIDs associated with Windows built-in groups (Well-known security identifiers in Windows operating systems): all the SIDs starting with 'S-1-5-32-'.

The integer value of each enum member corresponds to the last number in the SID, so, because WindowsBuiltInRole.Administrator is 544, it corresponds to S-1-5-32-544. So what you're checking with this code is really whether the user belongs to the Administrators group:

SID: S-1-5-32-544

Name: Administrators

Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
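The following is an added example, not code from the question or the answer above, that makes the enum-to-SID mapping concrete: it derives S-1-5-32-544 from the enum's integer value, runs the same membership test three ways (role, SecurityIdentifier, account name), and lists the group SIDs actually present in the current token so you can see whether a domain group such as Domain Admins (RID 512) is what carries the local Administrators membership. It must run on Windows under .NET; the WindowsBuiltInRole, WellKnownSidType and IsInRole calls are the real .NET APIs, and the UAC note at the end describes known Windows token-filtering behaviour that the original answer does not cover.

```csharp
using System;
using System.Security.Principal;

// Added example: demonstrates that WindowsBuiltInRole.Administrator, the
// well-known SID S-1-5-32-544 and BUILTIN\Administrators are three spellings
// of the same local-group check, and shows which token groups satisfy it.
class BuiltInRoleCheck
{
    static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);

        // The enum's integer value is the RID; the authority prefix is the
        // BUILTIN domain S-1-5-32, so the full SID is S-1-5-32-544.
        string sidFromEnum = "S-1-5-32-" + (int)WindowsBuiltInRole.Administrator;
        var adminsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine($"From enum: {sidFromEnum}  well-known: {adminsSid.Value}  equal: {sidFromEnum == adminsSid.Value}");

        // Three equivalent checks against the LOCAL Administrators group.
        bool byRole = principal.IsInRole(WindowsBuiltInRole.Administrator);
        bool bySid  = principal.IsInRole(adminsSid);
        bool byName = principal.IsInRole(@"BUILTIN\Administrators");
        Console.WriteLine($"IsInRole: role={byRole} sid={bySid} name={byName}");

        // Why a domain admin passes: the token carries the nested group chain.
        // On a domain-joined machine Domain Admins (S-1-5-21-<domain>-512) is a
        // member of the local Administrators group, so both SIDs appear here.
        Console.WriteLine("Group SIDs in this token:");
        foreach (IdentityReference group in identity.Groups)
        {
            var sid = (SecurityIdentifier)group;
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "(unresolved)"; }

            string tag = sid.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid) ? "  <- S-1-5-32-544"
                       : sid.IsWellKnown(WellKnownSidType.AccountDomainAdminsSid)   ? "  <- Domain Admins (RID 512)"
                       : string.Empty;
            Console.WriteLine($"  {sid.Value,-50} {name}{tag}");
        }

        // Caveat (known Windows behaviour): under UAC a non-elevated
        // administrator runs with a filtered token in which S-1-5-32-544 is
        // marked deny-only, so all three checks above return false until the
        // process is elevated. Test both elevated and non-elevated.
    }
}
```

Run it once as a domain admin on a domain-joined box and once as a plain local administrator: the role check passes in both cases, and the group listing shows the different SIDs that got you there, which is the distinction the question is asking about.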

OTHER TIPS

By definition of WindowsBuiltInRole Enumeration found at:

WindowsBuiltInRole Enumeration

The WindowsBuiltInRole.Administrator role indeed works for both computer and domain without restrictions.

The WindowsBuiltInRole.PowerUser will be able to run applications but cannot install or uninstall stuff.

The WindowsBuiltInRole.AccountAdministrator may manage accounts and even change rights, but cannot make domain-wide changes (as in distributed deployments).

The WindowsBuiltInRole.BackupOperator can override security restrictions for the sole purpose of backing up or restoring files.

The WindowsBuiltInRole.Replicator supports file replication in a domain.

These different roles may seem blurry, but it can be inferred that all but Administrator can do some Administrator tasks, but not all.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow