1

I'm trying to define the type of entered credentials with:

SID_NAME_USE pe;
...
// the backslash must be escaped in a C string literal; L"builtin\users" would be parsed as a broken \u escape
resolved = LookupAccountNameW(NULL, L"builtin\\users", &sid, &cbsid, buff, &dd, &pe);

No matter if I enter "builtin\users" or "users", it resolves successfully but returns SidTypeAlias in the pe enum. But I expect SidTypeWellKnownGroup or SidTypeGroup.

Question: How do I reliably determine whether a given string is a Windows group name?

user2708351
  • A complaint about perceived incorrect behavior of an API is not a question. – Bill_Stewart Sep 07 '16 at 15:02
  • Bill, thank you for information. I've modified the post to have explicit question. – user2708351 Sep 07 '16 at 15:53
  • Change your question title to that question you just edited in and talk about that task in the question body. Why do you think you'll only ever get a Group SID type? Is it impossible to create aliases to groups? – andlabs Sep 07 '16 at 16:11
  • @andlabs It is, in fact, impossible to create aliases to groups. There is no UI anywhere in Windows 10 to create an "alias" - only a "group". Except the groups are being called aliases. – Ian Boyd May 11 '22 at 16:34

2 Answers

4

The MSDN page Well-known SIDs briefly describes the meaning of "alias" in this context:

The following table has examples of domain-relative RIDs that you can use to form well-known SIDs for local groups (aliases).

One of the table entries is for the Users group, so the behaviour you are describing is as expected.

You can continue to use LookupAccountName() as you planned, you simply need to modify your code to recognize that any of SidTypeAlias, SidTypeWellKnownGroup, or SidTypeGroup represent groups.

Harry Johnston
2

The Glossary of the Security Account Manager Remote Protocol specification gives some hints as to what SidTypeAlias might be:

alias object: See resource group.

resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.

This suggests that "alias" means "Domain Local group" in this context.

I confirmed this in my domain, by obtaining all domain groups using DirectorySearcher and calling LookupAccountName on each. Results:

  • all Global and Universal groups had SidTypeGroup;
  • all non-builtin Domain Local groups (groupType 0x80000004) had SidTypeAlias;
  • builtin Domain Local groups (those with groupType 0x80000005 = system-created domain local, such as Account Operators or Users) also had SidTypeAlias, but I had to run the code on a DC - when executed on a member workstation, LookupAccountName failed (ERROR_NONE_MAPPED) for all such groups except IIS_IUSRS.

Bottom line - SidTypeAlias should be treated as a group.

Jakub Berezanski
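As an added example (not code from either answer), a C helper that applies the rule both answers arrive at: a name is a group when LookupAccountName reports SidTypeGroup, SidTypeAlias or SidTypeWellKnownGroup. The function names sid_type_is_group and is_windows_group are my own; the Win32 call is compiled only on Windows, and the SID_NAME_USE values are reproduced from winnt.h so the classification logic builds and can be tested elsewhere.

```c
#include <stdio.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values as defined in winnt.h, reproduced so the classifier compiles off-Windows. */
typedef enum {
    SidTypeUser = 1, SidTypeGroup, SidTypeDomain, SidTypeAlias,
    SidTypeWellKnownGroup, SidTypeDeletedAccount, SidTypeInvalid,
    SidTypeUnknown, SidTypeComputer, SidTypeLabel, SidTypeLogonSession
} SID_NAME_USE;
#endif

/* Returns 1 if the SID type denotes a group of any kind, 0 otherwise. */
int sid_type_is_group(SID_NAME_USE use)
{
    switch (use) {
    case SidTypeGroup:          /* global and universal groups */
    case SidTypeAlias:          /* domain-local and builtin local groups (e.g. Users) */
    case SidTypeWellKnownGroup: /* e.g. Everyone, Authenticated Users */
        return 1;
    default:                    /* users, computers, domains, labels, unknown... */
        return 0;
    }
}

#ifdef _WIN32
/* Resolves `name` on the local machine; returns 1 (group), 0 (not a group) or -1 on failure.
 * A failure with GetLastError() == ERROR_NONE_MAPPED means the name is not known here,
 * which the second answer observed for most builtin domain-local groups off a DC. */
int is_windows_group(const wchar_t *name)
{
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD cbSid = sizeof sid;
    WCHAR domain[256];
    DWORD cchDomain = sizeof domain / sizeof domain[0];
    SID_NAME_USE use;
    if (!LookupAccountNameW(NULL, name, sid, &cbSid, domain, &cchDomain, &use))
        return -1;
    return sid_type_is_group(use);
}

int main(void)
{
    const wchar_t *names[] = { L"Users", L"builtin\\Users", L"Everyone", L"SYSTEM" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        wprintf(L"%-16ls -> %d\n", names[i], is_windows_group(names[i]));
    return 0;
}
#endif
```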