Difference between real user accounts and system user accounts

Time: 2011-10-10 10:11:06

Tags: active-directory directoryservices user-accounts

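When I get the UserPrincipal / DirectoryEntry records for a computer or an Active Directory domain, is there a way to tell system accounts apart from real users?

For example, jsmith is a real user, while ASPNET or IUSR_machine is not. But relying on hard-coded known names does not seem to be the best way to filter out system users, because there may be other accounts as well. Is there a better way?

For example, there might be a "can log on interactively" flag, or it could be detected by checking the password settings, and so on.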

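3 answers:

Answer 0: (score: 1)

For all intents and purposes, the example accounts you listed are functionally identical to a user account you would create for a named person.

Answer 1: (score: 0)

Try using the Win32 LookupAccountName and LookupAccountSid methods. When the function returns, the last parameter (called accountType) is filled in with the account type.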

using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security.Permissions;
using System.Text;

// P/Invoke declarations must live inside a type; the class name is arbitrary.
public static class NativeMethods
{
    // Resolves a binary SID to its account and domain name and reports the account type.
    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupAccountSid(
        [In] string systemName,
        [In, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
        [Out] StringBuilder name,
        [In, Out] ref uint nameLength,
        [Out] StringBuilder referencedDomainName,
        [In, Out] ref uint referencedDomainNameLength,
        [Out] out AccountType accountType);

    // Resolves an account name to its binary SID and domain name and reports the account type.
    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupAccountName(
        [In] string systemName,
        [In] string accountName,
        [Out, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
        [In, Out] ref uint sidSize,
        [Out] StringBuilder referencedDomainName,
        [In, Out] ref uint referencedDomainNameLength,
        [Out] out AccountType accountType);
}


/// <summary>
/// Defines the various account types of a Windows account
/// </summary>
public enum AccountType
{
    /// <summary>
    /// No account type
    /// </summary>
    None = 0,
    /// <summary>
    /// The account is a user
    /// </summary>
    User,
    /// <summary>
    /// The account is a security group
    /// </summary>
    Group,
    /// <summary>
    /// The account defines a domain
    /// </summary>
    Domain,
    /// <summary>
    /// The account is an alias
    /// </summary>
    Alias,
    /// <summary>
    /// The account is a well-known group, such as BUILTIN\Administrators
    /// </summary>
    WellknownGroup,
    /// <summary>
    /// The account was deleted
    /// </summary>
    DeletedAccount,
    /// <summary>
    /// The account is invalid
    /// </summary>
    Invalid,
    /// <summary>
    /// The type of the account is unknown
    /// </summary>
    Unknown,
    /// <summary>
    /// The account is a computer account
    /// </summary>
    Computer,
    /// <summary>
    /// The account is a mandatory integrity label
    /// </summary>
    Label
}
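
How the LookupAccountSid call suggested in Answer 1 is driven in practice, as an added example that is not part of the original answer: the first call asks for the buffer sizes, the second fills them and returns the account type. `AccountTypeDemo`, `Classify` and `SidNameUse` are names chosen here; the inputs are the well-known LocalSystem and BUILTIN\Administrators SIDs plus the current user's SID.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class AccountTypeDemo
{
    // Numeric values match the AccountType enum in the answer (Win32 SID_NAME_USE).
    enum SidNameUse { None, User, Group, Domain, Alias, WellKnownGroup,
                      DeletedAccount, Invalid, Unknown, Computer, Label }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LookupAccountSid(string systemName, byte[] sid,
        StringBuilder name, ref uint nameLength,
        StringBuilder domain, ref uint domainLength, out SidNameUse use);

    const int ERROR_INSUFFICIENT_BUFFER = 122;

    // Hypothetical helper: returns the account type and the DOMAIN\name it resolved to.
    static SidNameUse Classify(SecurityIdentifier sid, out string account)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        // Size query: with empty buffers the call fails with ERROR_INSUFFICIENT_BUFFER
        // and writes the required lengths. Any other error (for example a SID that
        // maps to no account) is a real failure and is surfaced to the caller.
        uint nameLen = 0, domainLen = 0;
        SidNameUse use;
        LookupAccountSid(null, raw, null, ref nameLen, null, ref domainLen, out use);
        int err = Marshal.GetLastWin32Error();
        if (err != ERROR_INSUFFICIENT_BUFFER) throw new Win32Exception(err);
        var name = new StringBuilder((int)nameLen);
        var domain = new StringBuilder((int)domainLen);
        if (!LookupAccountSid(null, raw, name, ref nameLen, domain, ref domainLen, out use))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        account = domain.ToString() + "\\" + name.ToString();
        return use;
    }

    static void Main()
    {
        // Well-known SIDs and the current user, so no particular account has to exist.
        var sids = new[] {
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            WindowsIdentity.GetCurrent().User };
        foreach (SecurityIdentifier sid in sids)
        {
            string account;
            SidNameUse use = Classify(sid, out account);
            Console.WriteLine("{0} ({1}) -> {2}", account, sid.Value, use);
        }
    }
}
```

An account that was created as an ordinary user object is reported as User whether a person or a service logs on with it.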

Answer 2: (score: 0)

Try using the "samaccountname" property to weed out accounts that are not for users or groups.