1

I am using Windows authentication and want to know if a logged-in user belongs to the group 'Built-in Administrators'. I am using the following code snippet to find that out in my MVC4 application:

    // user identity
    var lIdentity = HttpContext.User.Identity as WindowsIdentity;

    // get all group SIDs the current user belongs to
    var lSids = lIdentity.Groups;

The group Built-in Administrators (SID S-1-5-32-544) is not listed in lSids.

But when I use the command `whoami /groups` on the same user, it shows the SID S-1-5-32-544.

How can I find out in my MVC4 application if a logged-in user belongs to the Built-in Administrators group?

Simon
  • Are you running the program elevated, i.e., using "run as admin"? If not, the problem is probably that `.Groups` is returning only enabled groups rather than all groups, whereas `whoami` might well include disabled groups. – Harry Johnston Jan 31 '15 at 02:01
  • @Harry Johnston: Thank you very much for your answer. I am running a web app via IIS. How can I check if the process is running elevated? – Simon Feb 02 '15 at 07:26
  • Oh, a web app. Sorry, I hadn't noticed that. You're looking at the context in which the client authenticated, not your own context ... I'm not sure how that works with regards to elevation. Regardless, one solution would be to P/Invoke out to GetTokenInformation() with the `TokenGroups` option. – Harry Johnston Feb 02 '15 at 20:21

1 Answer

0

You can achieve that by accessing Claims instead of Groups.

Here is how to do that:

    var claims = lIdentity.Claims;
    var claimSids = claims.Select(claim => claim.Value).ToList();

Just Shadow
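
The following is an added example, not code from the question or the answer. It shows why S-1-5-32-544 can be missing from `Groups` yet present in `Claims`: `WindowsIdentity.Groups` leaves out deny-only SIDs, while `Claims` reports them under `ClaimTypes.DenyOnlySid` instead of `ClaimTypes.GroupSid`. It assumes .NET 4.5 or later; the names `AdminSidCheck` and `AdminMembership` and the two sample identities are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public enum AdminMembership { NotMember, DenyOnly, Enabled }

public static class AdminSidCheck
{
    // SID of Built-in Administrators, as quoted in the question.
    private const string AdminSid = "S-1-5-32-544";

    private static bool HasSid(ClaimsIdentity identity, params string[] claimTypes)
    {
        return identity.Claims.Any(c =>
            claimTypes.Contains(c.Type) &&
            string.Equals(c.Value, AdminSid, StringComparison.OrdinalIgnoreCase));
    }

    // Enabled: the SID can grant access. DenyOnly: the SID is in the token
    // but only matches deny ACEs, so it must not be treated as admin rights.
    public static AdminMembership Classify(ClaimsIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (HasSid(identity, ClaimTypes.GroupSid, ClaimTypes.PrimaryGroupSid))
            return AdminMembership.Enabled;
        if (HasSid(identity, ClaimTypes.DenyOnlySid, ClaimTypes.DenyOnlyPrimaryGroupSid))
            return AdminMembership.DenyOnly;
        return AdminMembership.NotMember;
    }

    public static void Main()
    {
        // Constructed identities standing in for a filtered and a full token.
        // In the MVC app, pass HttpContext.User.Identity as ClaimsIdentity instead.
        var filtered = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.GroupSid, "S-1-5-32-545"),
            new Claim(ClaimTypes.DenyOnlySid, "S-1-5-32-544") }, "Negotiate");
        var full = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.GroupSid, "S-1-5-32-545"),
            new Claim(ClaimTypes.GroupSid, "S-1-5-32-544") }, "Negotiate");

        Console.WriteLine("filtered token: " + Classify(filtered));
        Console.WriteLine("full token:     " + Classify(full));
    }
}
```

Collecting every claim value into one list, as in the answer, merges the enabled and deny-only cases; an authorization decision should rely on `Enabled` only.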