I'm trying to implement the IsActive method described here Is Account Active, but i'm getting an object reference not set to an instance of the the object.
private bool IsActive(DirectoryEntry de)
{
DirectoryEntry myEntry = GetDirectoryEntry();
if (myEntry.NativeGuid == null) return false;
int flags = (int)myEntry.Properties["userAccountControl"].Value;
if (!Convert.ToBoolean(flags & 0x0002)) return true; else return false;
return false;
}
private void SubmitData()
{
System.Guid guid = Guid.NewGuid();
logInfo.IPaddress = IPAddress;
if (!String.IsNullOrEmpty(txtUser.Text))
{
string username = txtUser.Text.ToString();
if (IsActive(de) != false)
{
if (DateTime.Now.Subtract(passwordLastSet).TotalHours > 1)
{
lblPasswordLastSet.Text = passwordLastSet.ToString();
lblStatus.Text = "all is good";
}
else
{
lblStatus.Text = "oops, you reset your password less than 24 hours ago!";
lblPasswordLastSet.Text = passwordLastSet.ToString();
}
}
else
{
lblStatus.Text = "your account is not active";
}
}
}
If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
Managing Directory Security Principals in the .NET Framework 3.5
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
// find user by name
UserPrincipal user = UserPrincipal.FindByIdentity("John Doe");
if(user != null)
{
// check if account is locked out
if(user.IsAccountLockedOut)
{
// do something if locked out....
}
}
The new S.DS.AM makes it really easy to play around with users and groups in AD:
Related
I have a list of users created in my system:
Administrator (by default)
Guest
User1 (Standard User)
User2 (Administrator User)
I want to know the rights given to all these users in C# through WMI
,how is this possible??Is there any other way to find them.
Even If one user has this right it must exit from the loop
I use the below code :
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
if (isAdmin == true)
{
current_logged_user = "Yes";
}
else
{
current_logged_user = "No";
}
This gives me only the currently logged info,but I need for all the users
link
The below link just give the members of administrartors
link
You should be able to return all users via WMI with
string groupNameToSearchFor = "Administrators"; // can be any group,maybe better to use something like builtin.administrators
using (PrincipalContext pc = new PrincipalContext(ContextType.Machine, null))
{
ManagementObjectSearcher usersSearcher = new ManagementObjectSearcher(#"SELECT * FROM Win32_UserAccount");
ManagementObjectCollection users = usersSearcher.Get();
foreach (ManagementObject user in users)
{
if ((bool)user["LocalAccount"] == true && int.Parse(user["SIDType"].ToString()) == 1)
{
var userPrincipal = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, user["Name"].ToString());
GroupPrincipal gp = GroupPrincipal.FindByIdentity(pc, groupNameToSearchFor);
MessageBox.Show("Is User admin? -> " + (bool)userPrincipal.IsMemberOf(gp));
}
}
}
You have to include the usings for
using System.DirectoryServices.AccountManagement;
using System.Management;
And also check if the user is really a user and not a different object (not sure if my checks are enough).
Edit: you can cast the users you need after you got the list with
var localUsers = users.Cast<ManagementObject>().Where(
u => (bool)u["LocalAccount"] == true &&
(bool)u["Disabled"] == false &&
(bool)u["Lockout"] == false &&
int.Parse(u["SIDType"].ToString()) == 1 &&
u["Name"].ToString() != "HomeGroupUser$");
You can try this:
bool IsInGroup(string user, string group)
{
using (var identity = new WindowsIdentity(user))
{
var principal = new WindowsPrincipal(identity);
return principal.IsInRole(group);
}
}
You can change IsInRole(group) to IsInRole(WindowsBuiltInRole.Administrator)
Do you have a domain server ?
I am facing a strange issue.
I want to know whether user's AD account is disabled or not by providing user's email as the parameter.
Below code is working great for me for some set of users in our Org.
But for some other set of users its returning null- though I can able to verify these set of users in AD manually.
Can you please help me to over come from this issue.
private string GetCurrentDomainPath()
{
DirectoryEntry de =
new DirectoryEntry("LDAP://RootDSE");
return "LDAP://" +
de.Properties["defaultNamingContext"][0].
ToString();
}
public bool? FindAccountStatusByEmail(string email)
{
using (DirectorySearcher dSearch = new DirectorySearcher(new DirectoryEntry(GetCurrentDomainPath())))
{
dSearch.SearchScope = SearchScope.Subtree;
dSearch.Filter = "(&(objectCategory=person)(sAMAccountName=*)(mail=" + email.Trim() + "))";
SearchResult sResult = dSearch.FindOne();
if (sResult != null)
{
DirectoryEntry de = sResult.GetDirectoryEntry();
return IsActive(de);
}
else
{
return null;
}
}
}
private bool IsActive(DirectoryEntry de)
{
if (de.NativeGuid == null)
{
return false;
}
int flags = (int)de.Properties["userAccountControl"].Value;
return !Convert.ToBoolean(flags & 0x0002);
}
Update-1: Lets say I have one user's email address : abac#mydomain.com
When I passing this email address through the code, its returning null.
But when I am searching it in through windows provided tool(Find Users,Contacts and Groups) I am able to retrieve the user.
But just now noticed that in "E-mail :" section that user's email is different
say abac#mydomainlbs.com in the above picture.
I am writing an installer that installs SQL, beforehand a user is prompted to enter the SA username/password which will be created for them. When SQL installs it verifies this password against the Active Directory policy and will fail if it doesnt match.
What I want to do is verify the password input by the user is valid before proceeding to install SQL.
How can I validate a password is correct against Active Directory rules?
Note I do not have a login to verify as per this answer, but simply a password to verify.
I am currently trying this, but writing "password" which I know is not allowed doesnt throw an exception
try
{
System.DirectoryServices.DirectoryEntry localMachine = new System.DirectoryServices.DirectoryEntry("WinNT://" + Environment.MachineName);
ListPasswordPolicyInfo(Environment.MachineName);
System.DirectoryServices.DirectoryEntry newUser = localMachine.Children.Add("localuser", "user");
newUser.Invoke("SetPassword", new object[] { "3l!teP#$$w0RDz" });
newUser.Invoke("SetPassword", new object[] { "password" });
//newUser.CommitChanges();
//Console.WriteLine(newUser.Guid.ToString());
localMachine.Close();
newUser.Close();
}
catch(Exception e)
{
Console.WriteLine(e.Message);
}
After a lot of pain I have found the C# solution to this using NetValidatePasswordPolicy. Use the supporting structs off of PInvoke and the following code
public static NET_API_STATUS ValidatePassword(string password)
{
var outputArgs = new NET_VALIDATE_OUTPUT_ARG();
var inputArgs = new NET_VALIDATE_PASSWORD_CHANGE_INPUT_ARG();
IntPtr inputPointer = IntPtr.Zero;
IntPtr outputPointer = IntPtr.Zero;
try
{
inputArgs.PasswordMatched = true;
inputArgs.ClearPassword = Marshal.StringToBSTR(password);
// If using a secure string
////inputArgs.ClearPassword = Marshal.SecureStringToBSTR(secureStringPassword);
inputPointer = Marshal.AllocHGlobal(Marshal.SizeOf(inputArgs));
Marshal.StructureToPtr(inputArgs, inputPointer, false);
NET_API_STATUS status = NetValidatePasswordPolicy(System.Environment.MachineName, IntPtr.Zero, NET_VALIDATE_PASSWORD_TYPE.NetValidatePasswordChange, inputPointer, ref outputPointer);
if (status == NET_API_STATUS.NERR_Success)
{
outputArgs = (NET_VALIDATE_OUTPUT_ARG)Marshal.PtrToStructure(outputPointer, typeof(NET_VALIDATE_OUTPUT_ARG));
if (outputArgs.ValidationStatus == NET_API_STATUS.NERR_Success)
{
// Ok
}
return outputArgs.ValidationStatus;
}
else
{
return status;
}
}
finally
{
if (outputPointer != IntPtr.Zero)
{
NetValidatePasswordPolicyFree(ref outputPointer);
}
if (inputArgs.ClearPassword != IntPtr.Zero)
{
Marshal.ZeroFreeBSTR(inputArgs.ClearPassword);
}
if (inputPointer != IntPtr.Zero)
{
Marshal.FreeHGlobal(inputPointer);
}
}
}
try{
var userName = "bob";
using (var pc = new PrincipalContext(ContextType.Domain)
{
var user = UserPrincipal.FindByIdentity(pc, userName);
user.ChangePassword(oldpassword, newpassword); //Checks password policy
//or
user.SetPassword(newpassword); //Not positive checks password policy but I believe it 2.
}
}
catch(PasswordException ex)
{
//do something with ex
}
At first I thought the code below works because if I have the group as "IT" it functions correctly because my username is in the IT group in active directory. What I learned is it always returns true whether I have my username in the IT group or not and if i change it to any other group I am in it returns always returns false. Any help would be appreciated.
private void tabControl1_SelectedIndexChanged(object sender, EventArgs e)
{
// tab control security for admin tab
bool admin = checkGroup("IT");
if ((admin == true) && (tabControl1.SelectedTab == tpHistory))
{
tabControl1.SelectedTab = tpHistory;
}
else if ((admin == false) && (tabControl1.SelectedTab == tpHistory))
{
tabControl1.SelectedTab = tpRequests;
MessageBox.Show("Unable to load tab. You have insufficient privileges.",
"Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Stop);
}
}
// check active directory to see if user is in Marketing department group
private static bool checkGroup(string group)
{
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.IsInRole(group);
}
Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
Managing Directory Security Principals in the .NET Framework 3.5
MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAINNAME");
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");
// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");
if(user != null)
{
// check if user is member of that group
if (user.IsMemberOf(group))
{
// do something.....
}
}
The new S.DS.AM makes it really easy to play around with users and groups in AD!
Slight deviation from #marc_s example, implemented in the static void Main() method in Program:
DomainCtx = new PrincipalContext( ContextType.Domain , Environment.UserDomainName );
if ( DomainCtx != null ) {
User = UserPrincipal.FindByIdentity( DomainCtx , Environment.UserName );
}
DomainCtx and User are both static properties declared under Program
Then in other forms i simply do something like this:
if ( Program.User.IsMemberOf(GroupPrincipal.FindByIdentity(Program.DomainCtx, "IT-All") )) {
//Enable certain Form Buttons and objects for IT Users
}
Check if current user in a group
public bool AuthenticateGroup(string groupfind)
{
var p = new Process();
StringBuilder stringbd = new StringBuilder();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.Arguments = #"/c gpresult /V";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = false;
p.StartInfo.UseShellExecute = false;
p.OutputDataReceived += (a, b) => stringbd.AppendLine(b.Data);
p.ErrorDataReceived += (a, b) => stringbd.AppendLine(b.Data);
p.Start();
p.BeginErrorReadLine();
p.BeginOutputReadLine();
p.WaitForExit();
var textfind = stringbd.ToString();
int findpoint = textfind.IndexOf("The user is a part of");
string findgroup = "";
if (findpoint > 0)
{
findgroup = textfind.Substring(findpoint, textfind.Length - findpoint);
}
return findgroup.Split('\n').ToList().Any(r=>r.Trim().ToLower()==groupfind.Trim().ToLower());
}
You cannot do it by this way.
You should query the active directory.
You can use a wrapper for AD. Check out http://www.codeproject.com/Articles/10301/Wrapper-API-for-using-Microsoft-Active-Directory-S
Why not:
bool isUserInGroup = HttpContext.User.IsInRole(".nameOfAdGroup");
I spend more than a day to find out that the Principal object is using way more bandwidth than the using the DirectoryServices. The scenario is like this. I have a group with ~3000 computer objects in it. To check if a computer is in this group I retrieved the GroupPrincipal and searched for the ComputerPrincipal.
Boolean _retVal = false;
PrincipalContext _principalContext = null;
using (_principalContext = new PrincipalContext(ContextType.Domain, domainController, srv_user, srv_password)) {
ComputerPrincipal _computer = ComputerPrincipal.FindByIdentity(_principalContext, accountName);
GroupPrincipal _grp = GroupPrincipal.FindByIdentity(_principalContext, groupName);
if (_computer != null && _grp != null) {
// get the members
PrincipalSearchResult<Principal> _allGrps = _grp.GetMembers(false);
if (_allGrps.Contains(_computer)) {
_retVal = true;
}
else {
_retVal = false;
}
}
}
return _retVal;
Actually very nice interface but this creates around 12MB traffic per request. If you're domain controller is in the LAN this is no issue. If you access the domain controller using the WAN it kills your connection/application.
After I noticed this I re-implemented the same functionality using DirectoryServices
Boolean _retVal = false;
DirectoryContext _ctx = null;
try {
_ctx = new DirectoryContext(DirectoryContextType.DirectoryServer, domainController, srv_user, srv_password);
} catch (Exception ex) {
// do something useful
}
if (_ctx != null) {
try {
using (DomainController _dc = DomainController.GetDomainController(_ctx)) {
using (DirectorySearcher _search = _dc.GetDirectorySearcher()) {
String _groupToSearchFor = String.Format("CN={0},", groupName);
_search.PropertiesToLoad.Clear();
_search.PropertiesToLoad.Add("memberOf");
_search.Filter = String.Format("(&(objectCategory=computer)(name={0}))", accountName); ;
SearchResult _one = null;
_one = _search.FindOne();
if (_one != null) {
int _count = _one.Properties["memberOf"].Count;
for (int i = 0; i < _count; i++) {
string _m = (_one.Properties["memberOf"][i] as string);
if (_m.Contains(groupName)) { _retVal = true; }
}
}
}
}
} catch (Exception ex) {
// do something useful
}
}
return _retVal;
This implementation will use around 12K of network traffic. Which is maybe not as nice but saves a lot of bandwith.
My questions is now if somebody has an idea what the AccountManagement object is doing that it uses so much bandwith?
THANKS!
I would guess including the following lines will do a lot to save bandwidth:
_search.PropertiesToLoad.Clear();
_search.PropertiesToLoad.Add("memberOf");
_search.Filter = String.Format("(&(objectCategory=computer)(name={0}))", accountName);
The first two are telling the DirectorySearcher to only load a single property instead of who knows how many, of arbitrary size.
The second is passing a filter into the DirectorySearcher, which I guess is probably processed server side, further limiting the size of your result set.