Problem description
My problem
I'm using PInvoked Windows API functions to verify if a user is part of the local administrators group. I'm utilizing GetCurrentProcess, OpenProcessToken, GetTokenInformation and LookupAccountSid to verify if the user is a local admin.
GetTokenInformation returns a TOKEN_GROUPS struct with an array of SID_AND_ATTRIBUTES structs. I iterate over the collection and compare the user names returned by LookupAccountSid.
My problem is that, locally (or more generally on our in-house domain), this works as expected. The builtin\Administrators is located within the group membership of the current process token and my method returns true. On another domain of another developer the function returns false.
The LookupAccountSid functions properly for the first 2 iterations of the TOKEN_GROUPS struct, returning None and Everyone, and then craps out complaining that "A Parameter is incorrect."
What would cause only two groups to work correctly?
The TOKEN_GROUPS struct indicates that there are 14 groups. I'm assuming it's the SID that is invalid.
Everything that I have PInvoked I have taken from an example on the PInvoke website. The only difference is that with the LookupAccountSid I have changed the Sid parameter from a byte[] to an IntPtr because SID_AND_ATTRIBUTES is also defined with an IntPtr. Is this ok since LookupAccountSid is defined with a PSID?
LookupAccountSid PInvoke
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern bool LookupAccountSid(
        string lpSystemName,
        IntPtr Sid,
        StringBuilder lpName,
        ref uint cchName,
        StringBuilder ReferencedDomainName,
        ref uint cchReferencedDomainName,
        out SID_NAME_USE peUse);
Where the code falls over
    for (int i = 0; i < usize; i++)
    {
        accountCount = 0;
        domainCount = 0;
        //Get Sizes
        LookupAccountSid(null, tokenGroups.Groups[i].SID, null, ref accountCount, null,
            ref domainCount, out snu);
        accountName2.EnsureCapacity((int) accountCount);
        domainName.EnsureCapacity((int) domainCount);
        if (!LookupAccountSid(null, tokenGroups.Groups[i].SID, accountName2, ref accountCount, domainName,
            ref domainCount, out snu))
        {
            //Finds its way here after 2 iterations
            //But only in a different developers domain
            var error = Marshal.GetLastWin32Error();
            _log.InfoFormat("Failed to look up SID's account name. {0}", new Win32Exception(error).Message);
            continue;
        }
    }
If more code is needed let me know. Any help would be greatly appreciated.
Recommended answer
It sounds like you're trying to duplicate the functionality of NetUserGetLocalGroups. You can also use NetUserGetInfo with an information level of 1, and check the value of usri1_priv in the USER_INFO_1 for USER_PRIV_ADMIN.
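The NetUserGetInfo check suggested in the answer, written out as an added C# example (not code from the original question or answer). The class and method names are hypothetical, and it assumes the name passed in is an account in the account database of the machine being queried.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class LocalAdminCheck   // hypothetical name, for illustration only
{
    const uint USER_PRIV_ADMIN = 2;   // lmaccess.h: GUEST = 0, USER = 1, ADMIN = 2

    // USER_INFO_1 layout for NetUserGetInfo level 1. String pointers are kept
    // as IntPtr because only usri1_priv is read here.
    [StructLayout(LayoutKind.Sequential)]
    struct USER_INFO_1
    {
        public IntPtr usri1_name;
        public IntPtr usri1_password;
        public uint usri1_password_age;
        public uint usri1_priv;
        public IntPtr usri1_home_dir;
        public IntPtr usri1_comment;
        public uint usri1_flags;
        public IntPtr usri1_script_path;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetUserGetInfo(string servername, string username, int level, out IntPtr bufptr);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    // servername == null queries the local machine.
    public static bool HasAdminPrivilege(string servername, string username)
    {
        IntPtr buf = IntPtr.Zero;
        try
        {
            int status = NetUserGetInfo(servername, username, 1, out buf);
            if (status != 0)   // anything other than NERR_Success
                throw new Win32Exception(status);
            var info = Marshal.PtrToStructure<USER_INFO_1>(buf);
            return info.usri1_priv == USER_PRIV_ADMIN;
        }
        finally
        {
            // The buffer is allocated by the API and must be released by the caller.
            if (buf != IntPtr.Zero) NetApiBufferFree(buf);
        }
    }

    static void Main() => Console.WriteLine(HasAdminPrivilege(null, Environment.UserName));
}
```

usri1_priv describes the account itself rather than the current process token, so it does not say whether the calling process is running elevated.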