在数据库中存储什么以识别Active Directory和本地帐户用户

时间:2022-08-13 07:07:51

I am writing a permissions system for my WPF application that needs to work with both Active Directory and local machine accounts; the system may or may not be connected to a network.

我正在为我的WPF应用程序编写权限系统,该系统需要同时使用Active Directory和本地计算机帐户;系统可能连接也可能不连接到网络。

The user can log into the application with either an AD login or a local machine login. The application stores data in an SQL Server Express data base and each row will have an "owner".

用户可以使用AD登录或本地计算机登录来登录应用程序。应用程序将数据存储在SQL Server Express数据库中,每行都有一个“所有者”。

The application will only show rows that are "owned" by the logged in user.

应用程序将仅显示登录用户“拥有”的行。

Per this question, the recommended data to store to identify a user is the LDAP objectGUID which I can retrieve with the code below and store in a uniqueidentifier column.

根据这个问题,要存储以识别用户的推荐数据是LDAP objectGUID,我可以使用下面的代码检索它并存储在uniqueidentifier列中。

using System.DirectoryServices.AccountManangement;
using System.Security.Principal;

public class ActiveDirectoryHelper
{
    public static Guid? GetObjectGuidFromIdentity(WindowsIdentity identity)
    {
      string domainName = identity.Name.Split('\\')[0];

      PrincipalContext pc = null;
      if (domainName == Environment.MachineName)
      {
        pc = new PrincipalContext(ContextType.Machine);
      }
      else
      {
        pc = new PrincipalContext(ContextType.Domain, domainName);
      }

      UserPrincipal user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, identity.Name);
      return user.Guid;

  }
}

However, UserPrincipal.Guid is null for ContextType.MachineName.

但是,对于ContextType.MachineName,UserPrincipal.Guid为null。

Is there a single piece of information that I can store that can refer to either an AD account or a local account ?

我可以存储一条可以引用AD帐户或本地帐户的信息吗?

Or do I need to add another column to specify the directory type (AD/SAM) and use another column to store a different identifier (SID) ?

或者我是否需要添加另一列来指定目录类型(AD / SAM)并使用另一列来存储不同的标识符(SID)?

1 个解决方案

#1


0  

As you discovered, local accounts do not have a GUID. Instead, they just have a SID.

如您所见,本地帐户没有GUID。相反,他们只有一个SID。

You could opt to use the SID for identifying the user instead so you only have one identifier. The upshot of the GUID is that in cases where customers restructure their Active Directory forest, the user's GUID will stay static while the SID will change.

您可以选择使用SID来识别用户,这样您就只有一个标识符。 GUID的结果是,在客户重构其Active Directory林的情况下,用户的GUID将保持静态,而SID将更改。

#1


0  

As you discovered, local accounts do not have a GUID. Instead, they just have a SID.

如您所见,本地帐户没有GUID。相反,他们只有一个SID。

You could opt to use the SID for identifying the user instead so you only have one identifier. The upshot of the GUID is that in cases where customers restructure their Active Directory forest, the user's GUID will stay static while the SID will change.

您可以选择使用SID来识别用户,这样您就只有一个标识符。 GUID的结果是,在客户重构其Active Directory林的情况下,用户的GUID将保持静态,而SID将更改。