C# – How to check if user with [UserName] and [Password] is domain administrator of [DomainName] without impersonation

active-directorycnet

I can check is user domain administrator with next lines of code:

using (Impersonation im = new Impersonation(UserName, Domain, Password))
{
    System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
    bool isDomainAdmin = identity.IsDomainAdmin(Domain, UserName, Password);
    if (!isDomainAdmin)
    {
        //deny access, for example
    }
}

where IsDomainAdmin – is extension method

public static bool IsDomainAdmin(this WindowsIdentity identity, string domain, string userName, string password)
{
    Domain d = Domain.GetDomain(new DirectoryContext(DirectoryContextType.Domain, domain, userName, password));

    using (DirectoryEntry de = d.GetDirectoryEntry())
    {
        byte[] domainSIdArray = (byte[])de.Properties["objectSid"].Value;
        SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
        SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
        WindowsPrincipal wp = new WindowsPrincipal(identity);
        return wp.IsInRole(domainAdminsSId);
    }
}

But, when method IsDomainAdmin is called, it is trying to write some files to the %LOCALAPPDATA% for impersonated user, and if program is runnig not as administrator, it throws an exception

Could not load file or assembly 'System.DirectoryServices,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or
one of its dependencies. Either a required impersonation level was not
provided, or the provided impersonation level is invalid. (Exception
from HRESULT: 0x80070542)

Best Answer

You certainly don't need a user's password to verify if the user is a member of a group. So why don't you just query AD in a straight-forward manner using DirectoryEntry or DirectorySearcher? If you also need to verify that the password supplied is correct you can do that in an additional step using PrincipalContext.ValidateCredentials. (See PrincipalContext.ValidateCredentials Method (String, String)).

static void Main(string[] args) {
    string userDomain = "somedomain";
    string userName = "username";
    string password = "apassword";

    if (IsDomainAdmin(userDomain, userName)) {
        string fullUserName = userDomain + @"\" + userName;
        PrincipalContext context = new PrincipalContext(
            ContextType.Domain, userDomain);
        if (context.ValidateCredentials(fullUserName, password)) {
            Console.WriteLine("Success!");
        }
    }
}

public static bool IsDomainAdmin(string domain, string userName) {
    string adminDn = GetAdminDn(domain);
    SearchResult result = (new DirectorySearcher(
        new DirectoryEntry("LDAP://" + domain),
        "(&(objectCategory=user)(samAccountName=" + userName + "))",
        new[] { "memberOf" })).FindOne();
    return result.Properties["memberOf"].Contains(adminDn);
}

public static string GetAdminDn(string domain) {
    return (string)(new DirectorySearcher(
        new DirectoryEntry("LDAP://" + domain),
        "(&(objectCategory=group)(cn=Domain Admins))")
        .FindOne().Properties["distinguishedname"][0]);
}

Related Solutions

C# – How to create an Excel (.XLS and .XLSX) file in C# without installing Microsoft Office

You can use a library called ExcelLibrary. It's a free, open source library posted on Google Code:

ExcelLibrary

This looks to be a port of the PHP ExcelWriter that you mentioned above. It will not write to the new .xlsx format yet, but they are working on adding that functionality in.

It's very simple, small and easy to use. Plus it has a DataSetHelper that lets you use DataSets and DataTables to easily work with Excel data.

ExcelLibrary seems to still only work for the older Excel format (.xls files), but may be adding support in the future for newer 2007/2010 formats.

You can also use EPPlus, which works only for Excel 2007/2010 format files (.xlsx files). There's also NPOI which works with both.

There are a few known bugs with each library as noted in the comments. In all, EPPlus seems to be the best choice as time goes on. It seems to be more actively updated and documented as well.

Also, as noted by @АртёмЦарионов below, EPPlus has support for Pivot Tables and ExcelLibrary may have some support (Pivot table issue in ExcelLibrary)

Here are a couple links for quick reference:
ExcelLibrary - GNU Lesser GPL
EPPlus - GNU (LGPL) - No longer maintained
EPPlus 5 - Polyform Noncommercial - Starting May 2020
NPOI - Apache License

Here some example code for ExcelLibrary:

Here is an example taking data from a database and creating a workbook from it. Note that the ExcelLibrary code is the single line at the bottom:

//Create the data set and table
DataSet ds = new DataSet("New_DataSet");
DataTable dt = new DataTable("New_DataTable");

//Set the locale for each
ds.Locale = System.Threading.Thread.CurrentThread.CurrentCulture;
dt.Locale = System.Threading.Thread.CurrentThread.CurrentCulture;

//Open a DB connection (in this example with OleDB)
OleDbConnection con = new OleDbConnection(dbConnectionString);
con.Open();

//Create a query and fill the data table with the data from the DB
string sql = "SELECT Whatever FROM MyDBTable;";
OleDbCommand cmd = new OleDbCommand(sql, con);
OleDbDataAdapter adptr = new OleDbDataAdapter();

adptr.SelectCommand = cmd;
adptr.Fill(dt);
con.Close();

//Add the table to the data set
ds.Tables.Add(dt);

//Here's the easy part. Create the Excel worksheet from the data set
ExcelLibrary.DataSetHelper.CreateWorkbook("MyExcelFile.xls", ds);

Creating the Excel file is as easy as that. You can also manually create Excel files, but the above functionality is what really impressed me.

C# – Validate a username and password against Active Directory

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

// create a "principal context" - e.g. your domain (could be machine, too)
using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)

Best Answer

Related Solutions

C# – How to create an Excel (.XLS and .XLSX) file in C# without installing Microsoft Office

C# – Validate a username and password against Active Directory

Related Topic