user2708351

Reputation: 139

LookupAccountNameW returns SidTypeAlias, but expected SidTypeGroup

I'm trying to define the type of entered credentials with:

SID_NAME_USE pe;
...
// the backslash must be escaped as "\\" inside a C string literal
resolved = LookupAccountNameW(NULL, L"builtin\\users", &sid, &cbsid, buff, &dd, &pe);

No matter whether I enter "builtin\users" or "users", it resolves successfully but returns SidTypeAlias in the pe enum. But I expect SidTypeWellKnownGroup or SidTypeGroup.

Question: How do I reliably determine whether a given string is a Windows group name?

Upvotes: 1

Views: 1156

Answers (2)

Jakub Berezanski

Reputation: 1083

The Glossary of the Security Account Manager Remote Protocol specification gives some hints as to what SidTypeAlias might be:

alias object: See resource group.

resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.

This suggests that "alias" means "Domain Local group" in this context.

I confirmed this in my domain, by obtaining all domain groups using DirectorySearcher and calling LookupAccountName on each. Results:

  • all Global and Universal groups had SidTypeGroup;
  • all non-builtin Domain Local groups (groupType 0x80000004) had SidTypeAlias;
  • builtin Domain Local groups (those with groupType 0x80000005 = system-created domain local, such as Account Operators or Users) also had SidTypeAlias, but I had to run the code on a DC - when executed on a member workstation, LookupAccountName failed (ERROR_NONE_MAPPED) for all such groups except IIS_IUSRS.

Bottom line - SidTypeAlias should be treated as a group.

Upvotes: 2

Harry Johnston

Reputation: 36328

The MSDN page Well-known SIDs briefly describes the meaning of "alias" in this context:

The following table has examples of domain-relative RIDs that you can use to form well-known SIDs for local groups (aliases).

One of the table entries is for the Users group, so the behaviour you are describing is as expected.

You can continue to use LookupAccountName() as you planned, you simply need to modify your code to recognize that any of SidTypeAlias, SidTypeWellKnownGroup, or SidTypeGroup represent groups.

Upvotes: 4
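Added example (not code from the asker or either answer): the rule both answers give, that SidTypeAlias, SidTypeWellKnownGroup and SidTypeGroup all mean "group", wrapped around the two-call LookupAccountNameW sizing pattern; the enum stand-in under #else is an assumption so the classification helper also compiles off Windows, and the lookup failure path is where the ERROR_NONE_MAPPED case from the first answer shows up.

```c
/* Classify an account name via LookupAccountNameW, treating SidTypeAlias,
 * SidTypeWellKnownGroup and SidTypeGroup alike as groups. */
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in (assumption, values match winnt.h) so the helper compiles off Windows. */
typedef enum {
    SidTypeUser = 1, SidTypeGroup, SidTypeDomain, SidTypeAlias, SidTypeWellKnownGroup,
    SidTypeDeletedAccount, SidTypeInvalid, SidTypeUnknown, SidTypeComputer
} SID_NAME_USE;
#endif

/* The check the answers recommend: any of these three enum values names a group. */
int is_group_type(SID_NAME_USE use) {
    return use == SidTypeAlias || use == SidTypeWellKnownGroup || use == SidTypeGroup;
}

#ifdef _WIN32
/* Resolve `name` with the two-call pattern (size query, then the real call).
 * Returns 1 and stores the SID_NAME_USE in *use on success, 0 on failure
 * (GetLastError() then holds the reason, e.g. ERROR_NONE_MAPPED). */
int lookup_sid_type(const wchar_t *name, SID_NAME_USE *use) {
    DWORD cbSid = 0, cchDomain = 0;
    LookupAccountNameW(NULL, name, NULL, &cbSid, NULL, &cchDomain, use);
    if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) return 0;
    PSID sid = (PSID)malloc(cbSid);
    wchar_t *domain = (wchar_t *)malloc(cchDomain * sizeof(wchar_t));
    BOOL ok = sid && domain && LookupAccountNameW(NULL, name, sid, &cbSid, domain, &cchDomain, use);
    DWORD err = ok ? 0 : GetLastError();          /* capture before free() can disturb it */
    free(sid); free(domain);
    if (!ok) SetLastError(err ? err : ERROR_NOT_ENOUGH_MEMORY);
    return ok ? 1 : 0;
}

int main(void) {
    const wchar_t *name = L"BUILTIN\\Users";      /* the asker's example account */
    SID_NAME_USE use;
    if (!lookup_sid_type(name, &use)) {
        wprintf(L"%ls: lookup failed (error %lu)\n", name, GetLastError());
        return 1;
    }
    wprintf(L"%ls: SID_NAME_USE=%d -> %ls\n", name, (int)use,
            is_group_type(use) ? L"group" : L"not a group");
    return 0;
}
#endif
```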
