queen3

Reputation: 15521

Difference between real user and system user accounts

When I get UserPrincipal/DirectoryEntry records for a machine or Active Directory domain, is there a way to differentiate system accounts from real users?

For example, jsmith is a real user, while ASPNET or IUSR_machine are not. But relying on hard-coded known names doesn't seem to be the best way to filter out system users, because, there can be other accounts, too. Is there a better way?

For example, maybe there is "can logon interactively" flag, or, detect by checking that password is set, etc.

Upvotes: 3

Views: 3165

Answers (3)

Donal Lafferty

Reputation: 5986

Try using the "samaccountname" property to eliminate accounts that are not for users or groups.

Upvotes: 0

Brian Desmond

Reputation: 4503

The sample accounts you list are, for all intents and purposes, functionally the same as a user account you create for a named person.

Upvotes: 2

Henning Krause

Reputation: 5422

Try the Win32 LookupAccountName and LookupAccountSid methods. The last parameter (called accountType) is filled with the type of account, when the function returns.

using System;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security.Permissions;
using System.Text;

public static class NativeMethods
{
    // Resolves a binary SID to its account name, domain and SID_NAME_USE type.
    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupAccountSid(
        [In] string systemName,
        [In, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
        [Out] StringBuilder name,
        [In, Out] ref uint nameLength,
        [Out] StringBuilder referencedDomainName,
        [In, Out] ref uint referencedDomainNameLength,
        [Out] out AccountType accountType);

    // Resolves an account name to its binary SID, domain and SID_NAME_USE type.
    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupAccountName(
        [In] string systemName,
        [In] string accountName,
        [Out, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
        [In, Out] ref uint sidSize,
        [Out] StringBuilder referencedDomainName,
        [In, Out] ref uint referencedDomainNameLength,
        [Out] out AccountType accountType);
}

/// <summary>
/// Defines the various account types of a Windows account
/// (the managed mirror of the native SID_NAME_USE enumeration)
/// </summary>
public enum AccountType
{
    /// <summary>
    /// No account type
    /// </summary>
    None = 0,
    /// <summary>
    /// The account is a user
    /// </summary>
    User,
    /// <summary>
    /// The account is a security group
    /// </summary>
    Group,
    /// <summary>
    /// The account defines a domain
    /// </summary>
    Domain,
    /// <summary>
    /// The account is an alias
    /// </summary>
    Alias,
    /// <summary>
    /// The account is a well-known group, such as BUILTIN\Administrators
    /// </summary>
    WellknownGroup,
    /// <summary>
    /// The account was deleted
    /// </summary>
    DeletedAccount,
    /// <summary>
    /// The account is invalid
    /// </summary>
    Invalid,
    /// <summary>
    /// The type of the account is unknown
    /// </summary>
    Unknown,
    /// <summary>
    /// The account is a computer account
    /// </summary>
    Computer,
    /// <summary>
    /// The SID is a mandatory integrity label
    /// </summary>
    Label
}

Upvotes: 0
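An added example (not part of the answer above or of any Microsoft sample) showing how the LookupAccountName call is actually driven: the first call with empty buffers fails with ERROR_INSUFFICIENT_BUFFER and reports the sizes needed, the second call fills them, and the accountType output is what distinguishes a user from a group, alias, computer or well-known SID. The AccountType enum, the error-code constants and the sample names are assumptions of this example; the names from the question (ASPNET) may not exist on a given machine, which the code handles by returning None.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class AccountClassifier
{
    // Win32 error codes returned by LookupAccountName (constructed constants for this example).
    private const int ERROR_INSUFFICIENT_BUFFER = 122;
    private const int ERROR_NONE_MAPPED = 1332;

    // Managed mirror of SID_NAME_USE; same ordering as the enum in the answer above.
    public enum AccountType
    {
        None = 0, User, Group, Domain, Alias, WellknownGroup,
        DeletedAccount, Invalid, Unknown, Computer, Label
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool LookupAccountName(
        string systemName,
        string accountName,
        [Out, MarshalAs(UnmanagedType.LPArray)] byte[] sid,
        ref uint sidSize,
        StringBuilder referencedDomainName,
        ref uint referencedDomainNameLength,
        out AccountType accountType);

    // Returns the SID_NAME_USE type for an account name, or None if the name does not resolve.
    // systemName == null queries the local machine (or its domain, for domain-joined hosts).
    public static AccountType Classify(string accountName, string systemName = null)
    {
        uint sidSize = 0, domainSize = 0;

        // First call: zero-length buffers, so the API fails and tells us the required sizes.
        LookupAccountName(systemName, accountName, null, ref sidSize, null, ref domainSize, out AccountType type);
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_NONE_MAPPED)
            return AccountType.None;                     // no such account on this system
        if (err != ERROR_INSUFFICIENT_BUFFER)
            throw new Win32Exception(err);

        // Second call: buffers sized exactly as the first call requested.
        var sid = new byte[sidSize];
        var domain = new StringBuilder((int)domainSize);
        if (!LookupAccountName(systemName, accountName, sid, ref sidSize, domain, ref domainSize, out type))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        return type;
    }

    public static void Main(string[] args)
    {
        // Constructed sample input: the question's example plus a few well-known principals.
        string[] names = args.Length > 0
            ? args
            : new[] { "ASPNET", Environment.UserName, "Administrators", "Everyone", Environment.MachineName + "$" };

        foreach (var name in names)
        {
            AccountType type = Classify(name);
            Console.WriteLine($"{name,-28} {type,-15} user account: {type == AccountType.User}");
        }
    }
}
```

What this shows in practice is the limit of the approach: Administrators comes back as Alias, Everyone as WellknownGroup and the machine account as Computer, but ASPNET and IUSR_* accounts (where present) come back as User, exactly like a person's account, which is the point Brian Desmond's answer makes. The account type therefore filters out non-user principals reliably, but it cannot by itself separate service-style local users from named people.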
