Question

I can check whether a user is a Domain Administrator with the following lines of code:

using System;
using System.DirectoryServices;
using System.Security.Principal;
// BuildOctetString was referenced but not shown in the original; this is the usual form: the SID's binary form as a hex string for the LDAP://<SID=...> bind syntax
static string BuildOctetString(SecurityIdentifier sid)
{
    byte[] bytes = new byte[sid.BinaryLength];
    sid.GetBinaryForm(bytes, 0);
    return BitConverter.ToString(bytes).Replace("-", "");
}
static bool IsDomainAdmin(string domain, string userName)
{
    using (DirectoryEntry domainEntry = new DirectoryEntry(string.Format("LDAP://{0}", domain)))
    {
        byte[] domainSIdArray = (byte[])domainEntry.Properties["objectSid"].Value; // domain SID, used to derive the Domain Admins SID (RID 512)
        SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
        SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
        using (DirectoryEntry groupEntry = new DirectoryEntry(string.Format("LDAP://<SID={0}>", BuildOctetString(domainAdminsSId)))) // bind to the group by SID to read its DN
        {
            string adminDn = groupEntry.Properties["distinguishedname"].Value as string;
            SearchResult result = new DirectorySearcher(domainEntry, string.Format("(&(objectCategory=user)(samAccountName={0}))", userName), new[] { "memberOf" }).FindOne();
            if (result == null) return false; // no such user
            // memberOf lists direct membership only; nested group membership is not expanded here
            return result.Properties["memberOf"].Contains(adminDn);
        }
    }
}

More details here

But when the Domain Controller is turned off, or it is offline (without any connection), I get the following error:

The server is not operational.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)

Is there a way to check whether a user is a Domain Administrator when the Domain Controller is turned off?


Solution

You can check whether the current user is a Domain administrator without contacting the domain controller.

If your requirement is to check whether an arbitrary user is a Domain administrator, I don't think you can do it without the domain controller.

It's true that Windows caches the login credentials for disconnected logins. The cache is stored encrypted in HKEY_LOCAL_MACHINE\SECURITY\Cache. By design, the cache can only be decrypted by LSA. If you find some other way to decrypt or query the information without going through LSA, that's a security hole that Microsoft will probably fix right away. So the only hope you have is that LSA somehow exposes an API to query the group information stored in the credentials cache. As far as I know, no such API exists. See here for the documented LSA API.
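As an added example (editorial, not part of the answer above or the asker's code), here is the check for the current user that the answer says is possible offline. It reads the Domain Admins SID out of the process's own access token, which LSA built at logon (cached logons included), so there is no LDAP bind to fail. It assumes the process runs on a domain-joined machine as a domain user; the class and method names are my own:

```csharp
using System;
using System.Security.Principal;

// Added example, not from the original post. Decides whether the *current* user's
// access token carries the Domain Admins group. Token group SIDs are populated by
// LSA at logon (also for cached/disconnected logons), so no domain controller is contacted.
static class CurrentUserDomainAdminCheck
{
    public static bool IsCurrentUserDomainAdmin()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // AccountDomainSid is the S-1-5-21-... prefix of an account SID; it is null for
            // SIDs that are not account SIDs (built-in, service SIDs). For a local account it
            // is the machine SID, so the RID-512 SID derived below matches nothing: result false.
            SecurityIdentifier domainSid = identity.User == null ? null : identity.User.AccountDomainSid;
            if (domainSid == null)
                return false;

            // Domain Admins is the well-known domain-relative RID 512 under the user's own domain SID.
            SecurityIdentifier domainAdminsSid =
                new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid);

            // IsInRole(SecurityIdentifier) uses CheckTokenMembership on the current token,
            // so nested group membership was already expanded at logon.
            return new WindowsPrincipal(identity).IsInRole(domainAdminsSid);
        }
    }

    static void Main()
    {
        Console.WriteLine(WindowsIdentity.GetCurrent().Name + " is Domain Admin: " + IsCurrentUserDomainAdmin());
    }
}
```

Two caveats a practitioner should know. Under UAC, a non-elevated process of an administrative user runs with a filtered token in which Domain Admins is marked deny-only, and CheckTokenMembership ignores deny-only SIDs, so this returns false until the process is elevated; that is the expected behaviour, not a bug. And, as the answer says, this only answers the question for the logged-on user: the token holds nothing about any other account's group membership, so the original "is user X a Domain Admin" query still needs a domain controller.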

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow