Active Directory: How to determine whether account

2019-07-30 16:47发布

站内问答 / C#
1275 2 5

Question: Is it possible to determine whether an account is a service account in Active Directory using C# LDAP? If yes, how?

Context: I have a program that is retrieving all objects of schema class type USER, GROUP, COMPUTER, FOREIGN SECURITY PRINCIPAL, and CONTACT. Currently, a service account is identified by string parsing the canonical name for 'service account'. I do not like this solution because string parsing is dependent on a folder location in the hierarchy that literally says 'service account'. It seems possible that a service account could be created and then placed in a folder path that does not include the string 'service account'. Unfortunately, I cannot test this because I am not an AD admin.

I have browsed around online without any luck so I am not sure if it is even possible.

Update:

Per Microsoft, it appears that the service account is contained in objectClass msDS-ManagedServiceAccount. However, when I set the DirectoryEntry filter to msDS-ManagedServiceAccount, no results are returned. 

directoryEntry = new DirectoryEntry(strActiveDirectoryHost, null, null, AuthenticationTypes.Secure);
string strDsFilter = "(objectClass=msDS-ManagedServiceAccount)";

DirectorySearcher directorySearcher = new DirectorySearcher(directoryEntry)
{
    Filter = strDsFilter,
    SearchScope = SearchScope.Subtree,
    PageSize = intActiveDirectoryPageSize,
};

return searchResultCollection = directorySearcher.FindAll();

2条回答
做自己的国王
2楼-- · 2019-07-30 17:18

So I am working on this to get the MSA as well as create them. I am able to get the MSA using the System.DirectoryServices.AccountManagement namespace, still working on creating it (unsure if this is really possible) But for finding the accounts which are MSAs you can use the below code

PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ContextOptions.SimpleBind, sServiceUser, sServicePassword);
GroupPrincipal currentGroup = GroupPrincipal.FindByIdentity(oPrincipalContext, "YourGroupName");
        foreach (Principal a_principal in currentGroup.GetMembers())
        {
            if (a_principal.StructuralObjectClass == "msDS-ManagedServiceAccount")
            {
                Console.Write(a_principal.SamAccountName); //To get the name
                ComputerPrincipal oComputerPrincipal = ComputerPrincipal.FindByIdentity(oPrincipalContext, a_principal.Name); //creating a computerprincipal to get more details about the MSA

            }
        }

You can use the above logic and create a Principal for the user account and get the structural object class for that account to find out if it is MSA. Something like this:

 UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
      if (oUserPrincipal.StructuralObjectClass == "msDS-ManagedServiceAccount")
                {
                    Console.Write(oUserPrincipal.SamAccountName); //To get the samaccountname
                }
查看更多
0人赞 添加讨论(0) 举报
唯我独甜
3楼-- · 2019-07-30 17:22

I have testing your code, and it does in fact return results in my environment. A few things to note:

  • Be sure that strActiveDirectoryHost is formatted correctly. The format should be LDAP://DC=contoso,DC=com
  • Check that you are searching from the root (or high enough to find the accounts you are looking for). MSAs are under the Managed Service Accounts container under the domain NC (i.e. LDAP://CN=Managed Service Accounts,DC=contoso,DC=com)
  • In my tests, I call new DirectoryEntry() with only the path. Not sure if passing AuthenticationTypes.Secure is causing an issue for you
  • The objectClass you have is correct.
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)