
Detecting if a NTAccount is user or a group

Author
13 Jul 2006 3:13 PM
Roshan
Hi,

I wanted a reliable way of detecting if a given NTAccount object
represents a user account or group account. I was using
SecurityIdentifier.IsAccountSid() method but this doesn't work as I
expected. It returns true for user accounts and also for groups created
by administrator. Right now I am using the WMI class
System.Management.ManagementClass to get a list of all local user
accounts and am iterating over them to see if the given account is a
user account.

System.Management.ManagementClass mc =
    new System.Management.ManagementClass("Win32_UserAccount");
System.Management.ManagementObjectCollection objColl = mc.GetInstances();
foreach (System.Management.ManagementObject obj in objColl)
{
    String name = obj.GetPropertyValue("Name") as String;
    // Compare name and NTAccount.Value to detect if it's a user
}

While this works, it seems unclean and an overly complex way of doing
things. Does anyone know of a clean, straightforward way of doing
this?

Thanks,
Roshan

Author
13 Jul 2006 4:02 PM
Henning Krause
Hello,

You can use the LookupAccountSid or LookupAccountName function. These will
translate account names to SIDs and vice versa.

And you get the accountType:


        // Requires: using System.Runtime.InteropServices; using System.Text;
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool LookupAccountSid(
            [In] string systemName,
            [In, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
            [Out] StringBuilder name,
            [In, Out] ref uint nameLength,
            [Out] StringBuilder referencedDomainName,
            [In, Out] ref uint referencedDomainNameLength,
            [Out] out AccountType usage);


public enum AccountType
    {
        /// <summary>
        /// No account type
        /// </summary>
        None = 0,
        /// <summary>
        /// The account is a user
        /// </summary>
        User,
        /// <summary>
        /// The account is a security group
        /// </summary>
        Group,
        /// <summary>
        /// The account defines a domain
        /// </summary>
        Domain,
        /// <summary>
        /// The account is an alias
        /// </summary>
        Alias,
        /// <summary>
        /// The account is a well-known group, such as BUILTIN\Administrators
        /// </summary>
        WellknownGroup,
        /// <summary>
        /// The account was deleted
        /// </summary>
        DeletedAccount,
        /// <summary>
        /// The account is invalid
        /// </summary>
        Invalid,
        /// <summary>
        /// The type of the account is unknown
        /// </summary>
        Unknown,
        /// <summary>
        /// The account is a computer account
        /// </summary>
        Computer
    }

Best regards,
Henning Krause
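
An added example, not part of either post: one way to call the LookupAccountSid declaration from the reply above for an NTAccount, sizing the buffers with a first call and counting only an explicit User result as a user. The class name AccountKind and the helpers Classify, IsUser and IsGroup are hypothetical names chosen for this sketch.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class AccountKind   // hypothetical helper class, not from the thread
{
    // Same numbering as the AccountType enum in the reply (native SID_NAME_USE, User = 1).
    public enum AccountType { None, User, Group, Domain, Alias, WellknownGroup, DeletedAccount, Invalid, Unknown, Computer }
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LookupAccountSid(string systemName, byte[] sid, StringBuilder name,
        ref uint nameLength, StringBuilder domain, ref uint domainLength, out AccountType usage);

    public static AccountType Classify(NTAccount account)
    {
        // Translate throws IdentityNotMappedException when the name does not resolve.
        var sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        uint nameLen = 0, domainLen = 0;
        AccountType usage;
        // The first call passes no buffers and only reports the required sizes.
        if (!LookupAccountSid(null, raw, null, ref nameLen, null, ref domainLen, out usage)
            && Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
            throw new Win32Exception();
        var name = new StringBuilder((int)nameLen);
        var domain = new StringBuilder((int)domainLen);
        if (!LookupAccountSid(null, raw, name, ref nameLen, domain, ref domainLen, out usage))
            throw new Win32Exception();
        return usage;
    }

    // Only an explicit User result counts as a user; every other value is rejected.
    public static bool IsUser(NTAccount a) { return Classify(a) == AccountType.User; }

    // Local groups are reported as Alias, so all three group-like values are accepted.
    public static bool IsGroup(NTAccount a)
    {
        AccountType t = Classify(a);
        return t == AccountType.Group || t == AccountType.Alias || t == AccountType.WellknownGroup;
    }

    static void Main()
    {
        // Constructed sample input: the account this program runs as.
        var me = new NTAccount(Environment.UserDomainName, Environment.UserName);
        Console.WriteLine("{0}: {1}, IsUser={2}", me.Value, Classify(me), IsUser(me));
    }
}
```

Passing null as systemName resolves the SID on the local machine first; an access-control decision should treat DeletedAccount, Invalid and Unknown as neither user nor group.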

