Ureader.com  
Microsoft software help and Community
date: Mon, 7 Jul 2008 12:31:08 -0700, group: microsoft.public.platformsdk.security


How to enumerate Windows user accounts?   
I need to programmatically generate the names and SIDs of each real human 
user of the computer. I want the EXACT same list as appears on the Windows 
Welcome screen, and I need to do this for both XP and Vista. This is for a 
consumer/home application, so I'm not interested in listing the names of 
everyone in the Windows 2003 directory. I also need to know who is an 
administrator or not. My current approach is to use WMI and enumerate 
Win32_GroupUser for both "Administrators" and "Users". I then drill down on 
each Win32_UserAccount looking for accounts where Disabled=false, SIDType=1, 
AccountType=512, Status=OK, and LocalAccount=true. This approach is close 
but no cigar. It returns the "ASP.NET" account and sometimes the account 
called "Administrator" even though neither of these names appears on the 
Windows welcome screen.

What is the secret sauce that determines if a user account appears on the 
Windows welcome screen?
Is there some way of getting this information with WMI or .net?
If not, what scary Win32 APIs do I need to use?
date: Mon, 7 Jul 2008 12:31:08 -0700   author:   Justin Magaram

Re: How to enumerate Windows user accounts?   
Hi,

You can use the following WMI class to get the name of a user
that is logged on to the console (terminal services session):

	Win32_ComputerSystem

You can use the following APIs to test whether the current user
is a member of the Administrator's group:

	IsUserAnAdmin()

	CheckTokenMembership()

http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx

http://msdn2.microsoft.com/en-us/library/bb776463.aspx

http://msdn2.microsoft.com/en-us/library/aa376389.aspx

http://support.microsoft.com/kb/118626/en-us

Kellie.
date: Tue, 8 Jul 2008 08:45:31 -0700 (PDT)   author:   Kellie Fitton

Re: How to enumerate Windows user accounts?   
Maybe I wasn't clear enough. I'm trying to enumerate the list of people who 
can log on at the Windows Welcome screen, not get information about someone 
who is currently logged on. So my question still is unanswered.

date: Tue, 8 Jul 2008 09:17:59 -0700   author:   Justin Magaram

Re: How to enumerate Windows user accounts?   

There may be something in the registry that is used directly by GINA,
but failing to find that, you should be able to use the SIDs listed in
HKEY_USERS. This is a list of every user that has interactively logged
on to the computer and had a profile loaded. You'll probably have to
parse this list and filter out a few built-in accounts that you don't
want to display. The Windows code that shows the list probably does
filtering as well, so you likely aren't going to find a list that
matches your exact requirements.

HTH,
Dave
date: Wed, 9 Jul 2008 07:38:29 -0700 (PDT)   author:   DaveMo

Re: How to enumerate Windows user accounts?   
> Maybe I wasn't clear enough. I'm trying to enumerate the list of people 
> who can log on at the Windows Welcome screen, not get information about 
> someone who is currently logged on. So my question still is unanswered.

I don't know how MSFT does it but I doubt it's documented. In any case, I'm 
not sure what WMI or .NET have to offer but take a look at "NetUserEnum()" 
or "NetQueryDisplayInformation()" in the WinAPI for starters. Also check out 
"LsaEnumerateAccountsWithUserRight()" though this will be more difficult to 
work with since it's lower-level. You'll also have to dig into other 
functions since it only returns the account SIDs. There may be easier 
(higher-level) ways of getting at this info but I suspect you won't find 
exactly what you're looking for. That is, you can't distinguish between 
human accounts and other types of accounts you see in the control panel. 
You'll probably have to rely on some sort of heuristics to accomplish your 
task (filtering out some well-known accounts for instance). If you elaborate 
on what you're doing however then you may get better help.
date: Thu, 10 Jul 2008 20:00:25 -0400   author:   Larry Smith

Re: How to enumerate Windows user accounts?   
i suspect the answer is that the list of accounts is those with a privilege 
to "log on interactively/locally". at this point i'm manually filtering out 
"asp.net". i will look at netuserenum but every time i've tried using those 
Win32 APIs it is very very painful and takes forever; i much prefer using 
.net.

date: Sun, 13 Jul 2008 23:31:35 -0700   author:   Justin Magaram

Re: How to enumerate Windows user accounts?   
>i suspect the answer is that the list of accounts is those with a privilege 
>to "log on interactively/locally".

Unfortunately it's not that simple. Like all privileges (logon right in this 
case), the "privilege" you're referring to ("SeInteractiveLogonRight") can 
be applied to any group as well as user. For instance, you'll normally find 
the administrator's group has it, the power users group, users group, 
etc. (not sure if this has changed any on Vista). This means for instance 
that all administrators have it but not all administrators are humans. Many 
types of programs will install accounts for specialized purposes (SQL for 
instance) and these are typically members of the administrators group. You 
don't want these showing up presumably. Even for non-admin accounts, what 
about the "Guest" group for instance? In any case, while I haven't checked, 
real human accounts probably don't have this right explicitly assigned in 
most cases. They likely pick it up from one of these groups (as they do all 
group privileges).

> "asp.net". i will look at netuserenum but every time i've tried using 
> those Win32 APIs it is very very painful and takes forever; i much prefer 
> using .net.

ASPNET is just one. There are other IIS accounts as well such as the 
well-known "IUSR_<YourComputerName>". I do agree however that there are 
definitely easier functions around (outside the WinAPI). If you don't have a 
strong background in the WinAPI or security in general then relying on the 
WinAPI is even more painful. If you keep digging however then you may just 
find some higher-level function or documented registry setting perhaps. I'm 
skeptical in the latter case but for the former it seems more likely this 
will be in the WinAPI than .NET (or even WMI for that matter). I wouldn't 
rule them out but ultimately you may have to rely on the WinAPI though there 
may in fact be some other easier functions even in that domain. If not then 
stick with .NET or WMI if it gives you what you need (which you haven't 
elaborated on BTW).
date: Mon, 14 Jul 2008 09:48:56 -0400   author:   Larry Smith
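
The heuristic the replies converge on, sketched as an added example that is not part of any post in this thread: enumerate enabled local accounts through the WMI classes the question names, drop the service accounts mentioned above by name pattern, and flag administrators by membership in the well-known Administrators SID. The function name `Get-LikelyHumanAccount` and the `$ExcludePatterns` list are hypothetical, and `Get-CimInstance` assumes PowerShell 3.0 or later (`Get-WmiObject` queries the same classes on older versions).

```powershell
# Added example (not from the thread). This is a heuristic: the replies above
# found no documented API that returns the Welcome-screen list itself.

# Service-account name patterns taken from the thread (ASPNET, IUSR_<computer>).
# Assumption: extend this list for other software-installed accounts you see.
$ExcludePatterns = 'ASPNET', 'IUSR_*'

function Get-LikelyHumanAccount {
    # The local Administrators group has the well-known SID S-1-5-32-544, so
    # look it up by SID instead of by its localized display name.
    $adminGroup = Get-CimInstance -ClassName Win32_Group `
        -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

    # Follow the Win32_GroupUser association to the group's user members.
    # Only direct user members are returned; nested groups are not expanded.
    $adminSids = @(Get-CimAssociatedInstance -InputObject $adminGroup `
            -Association Win32_GroupUser -ResultClassName Win32_UserAccount |
        ForEach-Object { $_.SID })

    # Same property filter the original question describes.
    $filter = "LocalAccount=True AND Disabled=False AND SIDType=1 AND AccountType=512"

    Get-CimInstance -ClassName Win32_UserAccount -Filter $filter |
        Where-Object {
            $name = $_.Name
            # Keep the account only if no exclusion pattern matches its name.
            -not ($ExcludePatterns | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            # The last SID component is the RID: 500 is the built-in
            # Administrator and 501 the built-in Guest on every machine.
            $rid = [long](($_.SID -split '-')[-1])
            [pscustomobject]@{
                Name    = $_.Name
                SID     = $_.SID
                IsAdmin = ($adminSids -contains $_.SID)
                BuiltIn = ($rid -in 500, 501)
            }
        }
}

Get-LikelyHumanAccount | Format-Table -AutoSize
```

The `BuiltIn` column only marks the two fixed-RID accounts so the caller can decide whether to show them; it does not reproduce whatever filtering the Welcome screen applies.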
