I would like to get distinguish name "CN=XXX,CN=Users,DC=contoso,DC=com"
I know there is a function "LookupAccountSid" that get only the name of the account for SID.
Is there any similar function that get the distinguish name?
on c++
If you want user account name associated with the caller thread, use GetUserNameEx function with the NameFullyQualifiedDN parameter. You could obtain additional information using IADsADSystemInfo interface.
If you want to enumerate domain accounts, you could use ADSI interfaces.
Related
I have a collection of SID values and need to display if they are in a given group. I know I can do that with CheckTokenMembership, if I had a token handle. How do I get a token handle from an SID in Windows?
Use LookupAccountSid to get the account for the SID
Use NetUserGetGroups to get all groups this account is a member of. EDIT Note from eryksun: Check target group's SID first. If it's SidTypeGroup, call NetUserGetGroups. If it's SidTypeAlias, call NetUserGetLocalGroups (AKA aliases, such as "BUILTIN\Administrators")
Use LookupAccountName to get the SIDs of the group.
Check if account SID (step 1) is member of the SID collection (step 3). Use EqualSid function.
You find appropriate old code one the old win32.mvps.org pages. Sadly the page is gone. But Wayback machine helps. Here a link to the old fksec samples
You find an easy to use sid class there. It also provides sid::MemberOf and sid::Members functions. The code isn't my style but it works.
I am trying to find a way to get a list of all groups a unix user has access to. I want to be able to pass either the unix username or the uid of a user to a c++ program as an argument and then return a list of groups that this user has access to.
I have done some reading about this and as far as I can see this can be achieved using getgroups() but I can't find an example of how to do this by passing in a particular username or uid to getgroups. All the examples I have found seem to just display all the groups for my user account or whoever is the effective uid of the person running the program.
Please can you help me with how I can do this?
I can get all the user account info from struct passwd and am able to pass argv[1] which is a unix users username and pass this to getgrgid:
(getpwnam_r(argv[1], my_passwd, pwdbuffer, pwdlinelen, &tempPwdPtr)) != 0)
I just don't know how to use the value of argv[1] and find out all the groups a unix user has access to using getgroups
Use getgrouplist(3) function, it does exactly what you want. It expected username so if you want to list all the groups user with given UID is part of, you need first to translate UID to username with help of getpwuid_r(3) function.
I am writing some C++ code for the Windows(XP/7) platform to check the permission associated to a file. I want to verify that the file I am reading cannot be written by accounts with non elevated privileges. This is what I am currently doing:
I get the DACL associated with the file calling GetNamedSecurityInfo
I call CreateWellKnownSid with well known Sids, such as WinAuthenticatedUserSid (the Users group)
I call BuildTrusteeWithSid to build a TRUSTEE with the previous SID
I call GetEffectiveRightsFromAcl with the previously created trustee to get the effective acl
I check that the ACL does not contain the Write Flag set.
This code is working perfectly for the Users group. What about the other groups such as Everyone, Guests, or other specific users which may have specific write access on the file? I would like to find a solution where I don't need to enumerate all possible SID and check against all of them. Is there a SID I could use such as "anything but not admin"?
Regards,
Ant
I'd take a slightly different approach:
Get all ACE's via GetExplicitEntriesFromAcl, for the file and all its parents
Select the GRANT_ACCESS and SET_ACCESS ACE's
Get the list of trustees from the selected ACE's
For each of the trustees, perform an access check. GetEffectiveRightsFromAcl is probably the easiest solution here.
You'll want to think specifically what you want to do with the OWNER. He can alter the rights at any time.
(How) can I enumerate programmatically Users in Well Known groups (SidTypeWellKnownGroup) ?
Ex: "Autenticated Users" or "Domain Users"
You can probably do this in WMI, but I'm not that familiar with it; I prefer using the plain old C APIs anyway. You can use the Network Management functions to do this. Given the group name, you can use NetGroupGetUsers to get all the members of a group. To get the group name you can use CreateWellKnownSid (or AllocateAndInitializeSid) and LookupAccountSid.
Would someone be able to point me to the C++ API's that I can use to display a list of processes and the user name in Windows?
My current code uses the CreateToolhelp32Snapshot Function which shows all the processes running for all users, but I do not know what API's to use to retreieve the user name so I can filter it by user. I do not need to use CreateToolhelp32Snapshot, and I have seen other methods to retrieve the process list, but none seem to get me the user name that is running the process.
Thanks for any help.
I know that using GetTokenInformation with TokenUser gets you the SID, and a quick serach reveals that LookupAccountSid should get you the corresponding account. Havent't tried that last one myself though.
Well this link appears to have helpful code for you. Apply the code contained there in to the Token handle you get from calling OpenProcessToken on the handle you get from Process32First/Next.