0
votes

I can check whether a user is a Domain Administrator with the following lines of code:

using System;
using System.DirectoryServices;
using System.Security.Principal;
// True when userName is a direct member of the domain's "Domain Admins" group (well-known RID 512).
// Every DirectoryEntry/DirectorySearcher call below binds to a domain controller over LDAP.
static bool IsDomainAdmin(string domain, string userName)
{
    using (DirectoryEntry domainEntry = new DirectoryEntry(string.Format("LDAP://{0}", domain)))
    {
        byte[] domainSIdArray = (byte[])domainEntry.Properties["objectSid"].Value;
        SecurityIdentifier domainSId = new SecurityIdentifier(domainSIdArray, 0);
        SecurityIdentifier domainAdminsSId = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSId);
        using (DirectoryEntry groupEntry = new DirectoryEntry(string.Format("LDAP://<SID={0}>", BuildOctetString(domainAdminsSId))))
        {
            string adminDn = groupEntry.Properties["distinguishedname"].Value as string;
            // userName is interpolated into an LDAP filter: escape it (RFC 4515) if it can come from untrusted input.
            SearchResult result = (new DirectorySearcher(domainEntry, string.Format("(&(objectCategory=user)(samAccountName={0}))", userName), new[] { "memberOf" })).FindOne();
            return result != null && result.Properties["memberOf"].Contains(adminDn); // null result: no such user
        }
    }
}
// Formats a SID as the hex octet string accepted by the LDAP://<SID=...> binding syntax.
static string BuildOctetString(SecurityIdentifier sid)
{
    byte[] bytes = new byte[sid.BinaryLength];
    sid.GetBinaryForm(bytes, 0);
    return BitConverter.ToString(bytes).Replace("-", "");
}

More details here

But when the Domain Controller is turned off, or it is offline (without any connections), I get the following error:

The server is not operational.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)

Is there a way to check whether a user is a Domain Administrator while the Domain Controller is turned off?

1
Do you have multiple DCs in your network? If you do a "server-less" binding, or if you inspect the global catalog (GC://....), then a single DC failure shouldn't cause your calls to fail. If you have a single DC and it's offline - no chance to query AD anymore, sorry... - marc_s
I'm writing an application and don't know how many DCs there will be on real infrastructures. But Windows can log on a domain user even if the DC is inaccessible. So some cache must be stored locally on the computer. - stukselbax

1 Answer

1
votes

You can check whether the current user is a Domain administrator without contacting the domain controller.

If your requirement is to check whether an arbitrary user is a Domain administrator, I don't think you can do it without a domain controller.

It's true that Windows caches the login credentials for disconnected logon purposes. The cache is stored and encrypted in HKEY_LOCAL_MACHINE\SECURITY\Cache. By design, the cache can only be decrypted by LSA. If you find some other way to decrypt or query the information without going through LSA, that's a security hole that Microsoft will probably fix right away. So, the only hope you have is that LSA somehow exposes an API to query the group information stored in the credentials cache. As far as I know, no such API exists. See here for the documented LSA API.
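Added example (not code from the question or the answer above): the first sentence of the answer says the current user can be checked without contacting a DC, and this is how that works in practice. The group SIDs in the logon token were resolved by LSA at logon time (from cached credentials when no DC was reachable), so reading them requires no LDAP bind and cannot fail with "The server is not operational". The class and method names are my own choices.

```csharp
using System;
using System.Security.Principal;

// Added example: decide whether the *current* user is a Domain Admin from the access token
// alone. The token's group list was built at logon (from cached credentials when no DC is
// reachable), so nothing here talks to a domain controller.
static class TokenDomainAdminCheck
{
    public static bool IsCurrentUserDomainAdmin()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // A local (non-domain) account has no account-domain SID and cannot be a Domain Admin.
            SecurityIdentifier domainSid = identity.User == null ? null : identity.User.AccountDomainSid;
            if (domainSid == null)
                return false;

            // Domain Admins is the well-known RID 512 under the user's own domain
            // (S-1-5-21-<domain>-512). This is not WindowsBuiltInRole.Administrator,
            // which is the *local* Administrators group.
            SecurityIdentifier domainAdminsSid =
                new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid);

            // IsInRole(SecurityIdentifier) evaluates the SIDs present and enabled in the
            // token (CheckTokenMembership), so nested membership resolved at logon counts
            // and no directory query is made.
            return new WindowsPrincipal(identity).IsInRole(domainAdminsSid);
        }
    }

    static void Main()
    {
        Console.WriteLine(IsCurrentUserDomainAdmin()
            ? "Current user is a Domain Admin (per logon token)."
            : "Current user is not a Domain Admin (per logon token, or the token is UAC-filtered).");
    }
}
```

Two caveats a practitioner should expect. First, the token reflects membership as of logon: a user removed from Domain Admins keeps the SID until the next logon, and a user added does not gain it until then; that staleness is exactly the price of not asking a DC. Second, under UAC a Domain Admin running non-elevated gets a filtered token in which the Domain Admins SID is marked deny-only, so the check returns false until the process runs elevated. The check also only covers the Domain Admins group of the user's own account domain; checking an arbitrary user, as the answer says, still needs a DC.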