/// <summary> /// Create a GroupSecurityIdentifierInformation object for a SID. /// </summary> /// <param name="sid">group SID to associate attributes with</param> /// <param name="attributes">attributes associated with the SID</param> /// <exception cref="ArgumentNullException"> /// If <paramref name="sid"/> is null. /// </exception> public GroupSecurityIdentifierInformation(SecurityIdentifier sid, GroupSecurityIdentifierAttributes attributes) { if (sid == null) { throw new ArgumentNullException("sid"); } m_sid = sid; m_attributes = attributes; }
public void GetAllGroupsTest() { using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent()) { IEnumerable <GroupSecurityIdentifierInformation> allGroups = currentIdentity.GetAllGroups(); // Ensure that all SIDs in the WindowsIdentity Groups are present in the AllGroups list var standardGroupSids = from groupReference in currentIdentity.Groups where groupReference.IsValidTargetType(typeof(SecurityIdentifier)) select groupReference.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier; foreach (SecurityIdentifier sid in standardGroupSids) { var matchingAllGroupSids = from groupInfo in allGroups where groupInfo.SecurityIdentifier == sid select groupInfo; Assert.AreEqual(1, matchingAllGroupSids.Count()); } // Ensure that any SIDs that did not show up in the WindowsIdentity groups are disabled, // logon, or deny-only SIDs var extraGroups = from groupInfo in allGroups where !standardGroupSids.Any(sid => sid == groupInfo.SecurityIdentifier) select groupInfo; GroupSecurityIdentifierAttributes filteredMask = GroupSecurityIdentifierAttributes.DenyOnly | GroupSecurityIdentifierAttributes.LogOnIdentifier; foreach (GroupSecurityIdentifierInformation extraGroup in extraGroups) { if ((extraGroup.Attributes & filteredMask) == GroupSecurityIdentifierAttributes.None) { // This group was not for deny only, and was not the logon group, so it must not be enabled. Assert.IsTrue((extraGroup.Attributes & GroupSecurityIdentifierAttributes.Enabled) == GroupSecurityIdentifierAttributes.None); } } } }
public void IsAdministratorTest() { using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent()) { // We should only return true from IsAdministrator if our token contains the Administrators // token in the Enabled and not DenyOnly state. GroupSecurityIdentifierAttributes filter = GroupSecurityIdentifierAttributes.DenyOnly | GroupSecurityIdentifierAttributes.Enabled; var enabledGroupSids = from groupInfo in currentIdentity.GetAllGroups() where (groupInfo.Attributes & filter) == GroupSecurityIdentifierAttributes.Enabled select groupInfo.SecurityIdentifier; bool isAdmin = enabledGroupSids.Any(sid => sid.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid)); if (isAdmin) { Assert.IsTrue(currentIdentity.IsAdministrator()); } else { Assert.IsFalse(currentIdentity.IsAdministrator()); } } }