Erratic behavior of System.Security.WindowsPrincipal.IsInRole() method
Does System.Security.WindowsPrincipal.IsInRole() method validate the user membership recursively? I tried the following and got erratic results:
Case 1: Create a security group - SGroup1 Add - NT Authority\Authenticated Users to SGroup1. Log off and log on Call IsInRole() for the logged in user. The API return true.
Case 2: Create a security group - SGroup1 Add - Administrators to SGroup1. Log off and log on as an Administrator. 开发者_运维百科Call IsInRole() for the logged in user. The API returns false.
What am I missing?
What operating system are you running on? If you're running on Windows Vista or Windows 7 (or their Server 2008/R2 brethren), the following applies. As noted in the Note
under Remarks in the msdn documentation for WindowsPrincipal.IsInRole
(my emphasis):
In Windows Vista, User Account Control (UAC) determines the privileges of a user. If you are a member of the Built-in Administrators group, you are assigned two run-time access tokens: a standard user access token and an administrator access token. By default, you are in the standard user role. When you attempt to perform a task that requires administrative privileges, you can dynamically elevate your role by using the Consent dialog box. The code that executes the IsInRole method does not display the Consent dialog box. The code returns false if you are in the standard user role, even if you are in the Built-in Administrators group. You can elevate your privileges before you execute the code by right-clicking the application icon and indicating that you want to run as an administrator.
精彩评论