How to get the computer name of a person - c#

Is it possible to get the computer name for a person that is found through Active Directory?
I am currently getting the person via the DirectorySearcher object, and from there I can get the user's SID, but I don't know where to look next in order to find the actual computer name that is assigned to that SID or person.
Or maybe there is an easier way to get this information from Active Directory?

There is no association of computers to users in default AD, so there is no way to get such information.
You may find the set of machines a user last/currently logged on to (I don't think this is available in AD either; see "How to find what user last logged onto a given computer through Active Directory in C#?" for some starting points), or maybe you add custom information that gives that association in AD (see "Retrieving custom Active Directory properties of users").

Related

NT AUTHORITY\Local Service is not listed in the Access Control List of a directory

I'm having this issue where I'm trying to check if NT AUTHORITY\Local Service has read/execute permissions on a directory (folder). The product that I work on REQUIRES that the folder the user is installing to has read/execute permissions set for Local Service.
The problem is that when I get the Access Control List (ACL) recursively (groups-within-groups), Local Service is not listed, so I can't check if it has permissions to that folder or not.
By default, Local Service does not have read/execute permissions to user profiles (My Documents, Desktop, etc.), but I won't know if Local Service has access to other directories the user chooses to install to.
NOTE: Local Service DOES have access to Program Files, even though it is NOT listed in the ACL. Is it hidden somewhere else?
This is a short snippet of how I'm pulling the ACL:
// Requires: using System; using System.DirectoryServices.AccountManagement;
// principalContext targets the local machine (ContextType.Machine) or the domain;
// identityReferenceValue is the group name or SID string taken from the folder's ACL.
bool foundLocalService = false;
GroupPrincipal groupPrincipal =
    GroupPrincipal.FindByIdentity(principalContext, identityReferenceValue);
// FindByIdentity returns null for principals that are not real groups (e.g. well-known SIDs)
if (groupPrincipal != null) {
    // GetMembers(true) is recursive (groups-within-groups)
    foreach (var member in groupPrincipal.GetMembers(true)) {
        // SamAccountName can be null for foreign security principals; string.Equals handles that
        if (string.Equals(member.SamAccountName, "LOCAL SERVICE", StringComparison.OrdinalIgnoreCase)) {
            foundLocalService = true;
            break;
        }
    }
}
Is there any other way I should be doing this? (Other than adding an access rule for Local Service on that directory.)
Is Local Service just not listed in directories' ACLs?
Any help would be greatly appreciated.
It's notoriously difficult to calculate "effective permissions" for an account. But the simple answer to your question is that you will likely want to look for either one of:
The local Users group, sometimes shown as BUILTIN\Users or COMPUTERNAME\Users, or
Authenticated Users, sometimes shown as NT AUTHORITY\Authenticated Users.
Authenticated Users is one of the well-known SIDs. It is "a group that includes all users whose identities were authenticated when they logged on." As long as you can prove who you are, you are included in Authenticated Users. The SID for this is always S-1-5-11 on every Windows computer.
However, it's not really considered a real group. To find it when adding permissions to a folder, you have to have "Built-in security principals" selected under "Select this object type".
The local Users group contains Authenticated Users by default. On my computer, I actually see both Users and Authenticated Users in the default permissions on the file system.
That's what you will most likely see, and that's likely all that matters.
But that's not the only way. You could see Everyone (S-1-1-0), which includes every user, authenticated or not.
Or, it could be a file or folder that has the LOCAL SERVICE account as the owner.
Or, there could be a local group that was created manually and LOCAL SERVICE was added to.
One way to get a more authoritative list of what you can look for is to run this under the LOCAL SERVICE account:
whoami /groups
That will tell you every group in the authentication token, which is every group that you are considered a member of for authentication purposes.
But you can't just open a command prompt as LOCAL SERVICE. So one way to do this is to open the Task Scheduler and create a task that runs under LOCAL SERVICE, with the action of:
Program: cmd
Arguments: /c "whoami /groups > C:\temp\localservice.txt"
Then run the task and, when it's done, look at C:\temp\localservice.txt. It will have a table of group names and their SIDs that you can look for.
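The approach described in this answer, walking the folder's DACL for the principals that LOCAL SERVICE is normally a member of rather than looking for LOCAL SERVICE itself, as an added C# example (not code from the original question or answer). It assumes the candidate SID list below matches what `whoami /groups` reports on the target machine; `WellKnownSidType.ServiceSid` is included on the assumption that the service token carries NT AUTHORITY\SERVICE, and should be confirmed the same way. Deny ACEs are subtracted from Allow ACEs and inherit-only ACEs are skipped, which approximates the Windows access check but is not a substitute for it.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class LocalServiceAclCheck
{
    // Principals that a process running as LOCAL SERVICE normally has in its token.
    // Verify this list against "whoami /groups" run as LOCAL SERVICE (see the answer above).
    static readonly SecurityIdentifier[] CandidateSids =
    {
        new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null),      // NT AUTHORITY\LOCAL SERVICE
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), // NT AUTHORITY\Authenticated Users, S-1-5-11
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),             // Everyone, S-1-1-0
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),      // BUILTIN\Users
        new SecurityIdentifier(WellKnownSidType.ServiceSid, null),           // NT AUTHORITY\SERVICE (assumed present)
    };

    // Returns true when the DACL grants ReadAndExecute to the folder itself through
    // at least one candidate principal and no candidate principal is denied any of those bits.
    public static bool HasReadAndExecute(string folder, out string grantingPrincipals)
    {
        var dir = new DirectoryInfo(folder);
        DirectorySecurity acl = dir.GetAccessControl(AccessControlSections.Access);

        FileSystemRights allowed = 0, denied = 0;
        var granting = new System.Collections.Generic.List<string>();

        // includeExplicit: true, includeInherited: true -> inherited ACEs are what make
        // Program Files readable even though LOCAL SERVICE never appears by name.
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            if (Array.IndexOf(CandidateSids, sid) < 0) continue;

            // An inherit-only ACE applies to children, not to this folder.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;

            if (rule.AccessControlType == AccessControlType.Allow)
            {
                allowed |= rule.FileSystemRights;
                granting.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            else
            {
                denied |= rule.FileSystemRights;
            }
        }

        // Deny takes precedence over Allow for the same bits.
        FileSystemRights effective = allowed & ~denied;
        grantingPrincipals = string.Join(", ", granting);
        return (effective & FileSystemRights.ReadAndExecute) == FileSystemRights.ReadAndExecute;
    }

    static void Main(string[] args)
    {
        string folder = args.Length > 0 ? args[0] : Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
        bool ok = HasReadAndExecute(folder, out string via);
        Console.WriteLine("{0}: LOCAL SERVICE read/execute {1}{2}",
            folder, ok ? "granted" : "NOT granted", ok ? " via " + via : "");
    }
}
```

Run it against the install folder the user picked; if it reports "NOT granted", the installer knows it must add an explicit ACE rather than relying on inherited defaults. On .NET Core or .NET 5+, `GetAccessControl` comes from the System.IO.FileSystem.AccessControl package.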

Get PC-Name using Active directory

I have Active Directory configured and I have added two users, X and Y, and my domain is DOMAIN. And I have created an application where these two can log in with their usernames DOMAIN/X and DOMAIN/Y. But here's the scenario: I will add the intended user details into the database, like their username and password, and I want to show a login button without username and password fields to those who are within my LAN. I should be able to get the PC name, and then I will verify it against the username which I have saved in the DB and get the username and password to validate him. So basically, is there any way to get the computer name from where the user tried to access the application within my LAN?
You can use this piece of code to get the PC name:
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
But if you will be saving the name of the PC as just the name, it might end up having more than one of the same name.
If it's just for each computer you want to register, I would suggest going for the MAC address.
Not sure exactly how it's done, but maybe this link will help you:
MAC Address

How computer name property is identified in LDAP? (active directory)

Using .net, I'm trying to pull info from this AD field: Computer Name(pre-Windows 2000). However, I don't know what the property identifier for it is.
For instance, if you want to look for the city property, you use "l". I'm wondering what the corresponding identifier is for computer name.
dSearch.PropertiesToLoad.Add("l"); //load city property
dSearch.PropertiesToLoad.Add("?"); //what is computer name?
Does anyone know what to use here? Help would be much appreciated.
The AD LDAP attribute for the pre-Windows 2000 computer name is "sAMAccountName". I verified it myself on AD by creating a bogus computer account, giving it a unique pre-Windows 2000 name, and then checking the AD attributes using LDAP Admin.
In our environment both of these return the computer name, but I can't tell which is tied to Computer Name (pre-Windows 2000).
dSearch.PropertiesToLoad.Add("cn");
dSearch.PropertiesToLoad.Add("name");
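Looking a computer account up by its sAMAccountName, as an added C# example (not code from either answer above). It assumes the current process runs as a domain account that can read the default naming context, and it includes two details the answers leave implicit: computer accounts carry a trailing `$` in sAMAccountName, and any value spliced into an LDAP filter must be escaped (RFC 4515), otherwise user-supplied input can rewrite the filter.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class ComputerLookup
{
    // RFC 4515 escaping for values placed inside an LDAP filter. Never splice raw
    // user input into a filter string: "*" alone would match every computer account.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Finds a computer object by its pre-Windows 2000 name (sAMAccountName, which ends in "$").
    public static SearchResult FindComputer(string preWindows2000Name)
    {
        string sam = preWindows2000Name.TrimEnd('$') + "$";

        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var dSearch = new DirectorySearcher(domain))
        {
            dSearch.Filter = "(&(objectCategory=computer)(sAMAccountName=" + EscapeFilterValue(sam) + "))";
            dSearch.PropertiesToLoad.AddRange(new[]
            {
                "sAMAccountName",    // pre-Windows 2000 name, with trailing "$"
                "cn",                // common name; usually the same as the name without "$"
                "name",              // RDN value; normally equals cn
                "dNSHostName",       // fully qualified DNS name of the machine
                "distinguishedName"
            });
            return dSearch.FindOne();
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: ComputerLookup <computer-name>"); return; }

        SearchResult result = FindComputer(args[0]);
        if (result == null) { Console.WriteLine("no computer account found"); return; }

        foreach (string attr in new[] { "sAMAccountName", "cn", "name", "dNSHostName", "distinguishedName" })
        {
            var values = result.Properties[attr];
            Console.WriteLine("{0,-18} {1}", attr + ":", values.Count > 0 ? values[0] : "(not set)");
        }
    }
}
```

Printing cn, name and sAMAccountName side by side shows why the two lines in the answer above both "return the computer name": the first two are the object's naming attributes, while only sAMAccountName is the pre-Windows 2000 logon name with the `$` suffix.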
Turns out the identifier was "employeeID".

How to get "primary" user of a remote computer

I need to know how to get the name and domain of the primary user of a computer, remotely. I define the primary user preferably as the user logged on most times, or for the longest time over a period. Alternatively, if this is impossible, as the user currently/last logged on.
Currently, I scan an Active Directory for all computer objects in an OU. I then loop through them and try to get the name of the user using WMI.
I look in Win32_ComputerSystem to see if UserName returns a value. If this is not the case, I look in Win32_LogonSession and get the username for all LogonTypes that equal 2 or 10. If this returns none, or multiple values, I discard the result and look in Win32_Process for all non-system processes and define the primary user as the user with the most processes running.
There are several problems with my approach:
Win32_ComputerSystem - UserName is often null.
Win32_LogonSession often returns multiple or no values. There can be only 1 primary user.
Looking in Win32_Process is kinda ridiculous, since this will only return me the user with the most processes, most likely not the primary user.
If no user is currently logged on, looking in Win32_Process returns no value, and none of the 3 steps might return a value.
My 3 approaches might get me the current user. Does anyone know of a way to get the primary user? Or at least a better way to get the current one. Not necessarily using WMI.
Thanks
If you have administrator privileges on the remote computer and sharing access, you can use Computer Management, select "Connect to another computer", and see what users and groups are on that computer.
Or you can use TS Remote Administration or Remote Desktop if the remote computer has that capability.
Use psexec.exe (www.sysinternals.com) to run commands on a remote PC:
psexec \\pc1 net user | find /i "Steve"
psexec \\pc1 c:\tool\psloggedon | find /i "Steve"
1) Find if John Black has an account on PC1.
2) Find if he is currently logged on.
Use psloggedon.exe, which is another SysInternals tool.
Check this also: http://www.wisesoft.co.uk/scripts/vbscript_display_username_of_user_on_a_remote_computer.aspx
Also, if you want to find the user name of the currently logged-on user on a remote computer using the remote computer's IP, go to the command line and type nbtstat -A <IP of remote computer>. This will return all of the NetBIOS names registered on the computer, one of which is the username.
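The WMI part of the question's own approach, as an added C# example (not code posted by the asker or in any answer): it reads Win32_ComputerSystem.UserName, then follows the Win32_LoggedOnUser association from each interactive (type 2) or RDP (type 10) Win32_LogonSession to its account, and de-duplicates the result, which is what turns the "multiple values" the asker complains about into one entry per distinct user. It assumes the caller is a local administrator on the remote machine and that WMI/DCOM is reachable; the computer name is taken from the command line.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

static class RemoteLogonQuery
{
    // Logon types the question treats as "a person at the machine": 2 = Interactive, 10 = RemoteInteractive.
    static readonly HashSet<string> InteractiveLogonTypes = new HashSet<string> { "2", "10" };

    // Returns distinct DOMAIN\user names with an interactive or RDP session on the remote computer.
    // Win32_ComputerSystem.UserName (console user) is listed first when present.
    public static List<string> GetInteractiveUsers(string computer)
    {
        var users = new List<string>();
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        var scope = new ManagementScope(@"\\" + computer + @"\root\cimv2");
        scope.Connect(); // throws UnauthorizedAccessException / COMException when access or connectivity fails

        // 1. Console user, often null when nobody is at the console or the session is RDP.
        using (var cs = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT UserName FROM Win32_ComputerSystem")))
        {
            foreach (ManagementObject o in cs.Get())
            {
                var name = o["UserName"] as string;
                if (!string.IsNullOrEmpty(name) && seen.Add(name)) users.Add(name);
            }
        }

        // 2. Interactive/RDP logon sessions, resolved to accounts through the Win32_LoggedOnUser association.
        using (var sessions = new ManagementObjectSearcher(scope,
            new ObjectQuery("SELECT LogonId, LogonType FROM Win32_LogonSession")))
        {
            foreach (ManagementObject session in sessions.Get())
            {
                if (!InteractiveLogonTypes.Contains(Convert.ToString(session["LogonType"]))) continue;

                // LogonId is a numeric string supplied by WMI, not user input, so it is safe to embed here.
                string assocQuery = "ASSOCIATORS OF {Win32_LogonSession.LogonId='" + session["LogonId"] +
                                    "'} WHERE AssocClass=Win32_LoggedOnUser Role=Dependent";
                using (var accounts = new ManagementObjectSearcher(scope, new ObjectQuery(assocQuery)))
                {
                    foreach (ManagementObject account in accounts.Get())
                    {
                        string name = account["Domain"] + "\\" + account["Name"];
                        if (seen.Add(name)) users.Add(name); // several sessions per user collapse to one entry
                    }
                }
            }
        }
        return users;
    }

    static void Main(string[] args)
    {
        string computer = args.Length > 0 ? args[0] : Environment.MachineName;
        List<string> users = GetInteractiveUsers(computer);
        Console.WriteLine(users.Count == 0
            ? computer + ": no interactive user logged on"
            : computer + ": " + string.Join(", ", users));
    }
}
```

If the list still has more than one entry, the machine genuinely has several interactive users (for example a console session plus disconnected RDP sessions), and picking a "primary" one needs the logon history the asker mentions rather than a snapshot.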

Determining whether the current user is logging into Active Directory (or is a valid active directory user)

Context: Excel addin needs to test whether the current windows user is a valid active directory user (and determines other permission-based logic based on this)
I set up the Active Directory Membership Provider. With the System.Security.Principal.WindowsIdentity user, I take out the domain name (user account name is \) and then use the username to test against the sAMAccountName in Active Directory (Membership.GetUser()).
Is this a valid way to test whether the current user is logged into active directory?
I get the impression I'm only testing whether the current user account name exists in active directory without actually knowing if the current user is actually logged into active directory.
Then again, I'm not sure what 'logged into active directory' means... I'm pretty new to active directory!
Perhaps this would help you out:
Once you have retrieved a WindowsIdentity you can read its User property to get the SecurityIdentifier (SID) that uniquely identifies the user.
If you want to determine whether this account exists in an Active Directory store you can search the directory not by user name but instead using the SecurityIdentifier. In this way you don't have to worry about user name mixups.
If you instead want to determine which domain the user is signed in to, you could read the AccountDomainSid property of the user's SecurityIdentifier. This will give you the SecurityIdentifier that uniquely identifies the domain.
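The two checks suggested in this answer, searching the directory by the current user's SID instead of by name and comparing AccountDomainSid with the domain's own SID, as an added C# example (not code from the answer). It assumes the process runs on a domain-joined machine that can read RootDSE and the domain object. Searching by objectSid requires encoding the binary SID as `\xx` escapes inside the filter, which sidesteps both user-name mix-ups and filter-injection concerns that a name-based lookup has.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class CurrentUserDirectoryCheck
{
    // Binary SID -> LDAP filter escape form ("\01\05\00\00...") for an objectSid equality match.
    public static string ToLdapFilterBytes(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    static DirectoryEntry OpenDefaultNamingContext()
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
            return new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value);
    }

    // True when an object with this objectSid exists in the current domain; returns its DN.
    public static bool ExistsInDirectory(SecurityIdentifier sid, out string distinguishedName)
    {
        distinguishedName = null;
        using (DirectoryEntry domain = OpenDefaultNamingContext())
        using (var searcher = new DirectorySearcher(domain))
        {
            searcher.Filter = "(objectSid=" + ToLdapFilterBytes(sid) + ")";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null) return false;
            distinguishedName = (string)result.Properties["distinguishedName"][0];
            return true;
        }
    }

    // True when the account's domain SID equals the current domain's objectSid.
    // Local machine accounts and accounts from other domains fail this test.
    public static bool IsFromCurrentDomain(SecurityIdentifier sid)
    {
        using (DirectoryEntry domain = OpenDefaultNamingContext())
        {
            var domainSid = new SecurityIdentifier((byte[])domain.Properties["objectSid"].Value, 0);
            return sid.AccountDomainSid != null && sid.AccountDomainSid.Equals(domainSid);
        }
    }

    static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        SecurityIdentifier sid = identity.User;

        Console.WriteLine("User:           {0}", identity.Name);
        Console.WriteLine("SID:            {0}", sid.Value);
        Console.WriteLine("Domain SID:     {0}", sid.AccountDomainSid?.Value ?? "(none, e.g. well-known SID)");
        Console.WriteLine("Current domain: {0}", IsFromCurrentDomain(sid) ? "yes" : "no");

        bool exists = ExistsInDirectory(sid, out string dn);
        Console.WriteLine("In directory:   {0}", exists ? dn : "not found");
    }
}
```

Treat "in directory" and "from current domain" as two separate answers: a domain user working offline still passes both (the token SID is cached), while a local account passes neither, which matches the answer's point that the SID, not the logon state, is what the directory can confirm.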