考慮以下規則: https://support.microsoft.com/hr-ba/help/297951 […]
考慮以下規則:
https://support.microsoft.com/hr-ba/help/297951/how-to-use-the-primarygroupid-attribute-to-find-the-primary-group-for
(1) The SID for a group/user consists of the domain's relative identifier (RID) plus the RID of the group/user.
For example if the SID for this user is S-1-111-222-333-efg, the RID for this user is "efg" and the domain's RID is S-1-111-222-333.
(2) The PrimaryGroupID attribute on a user/group object holds the RID of the primary group.
(3) A user's primary group must be a group that exists in the user's primary domain.
(4) The SID for the primary group can be built by concatenating the domain RID with the primaryGroupID attribute of the user object.
For example, the domain RID could be S-1-111-222-333 and the value of the primarygroupID could be abc.
The SID of the primary group would then be S-1-111-222-333-abc.
思路如下:
取得 UserObject
https://stackoverflow.com/questions/8591789/how-to-get-the-iads-interface-of-an-active-directory-user
https://docs.microsoft.com/zh-tw/windows/win32/api/iads/nf-iads-idirectorysearch-executesearch?redirectedfrom=MSDN
https://docs.microsoft.com/zh-tw/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN
使用 IADs::Get
https://docs.microsoft.com/zh-tw/windows/win32/api/iads/nf-iads-iads-get
https://docs.microsoft.com/en-us/windows/win32/adsi/example-code-for-reading-attributes
取得 primaryGroupID (Primary-Group-ID) 4 bytes
https://docs.microsoft.com/en-us/windows/win32/adschema/a-primarygroupid
列舉網域中的所有 Group
(省略)
從 Group 中
https://docs.microsoft.com/en-us/windows/win32/adschema/c-group#windows-server-2012
取出 objectSid (Object-Sid) 進行比對
https://docs.microsoft.com/en-us/windows/win32/adschema/a-objectsid
SID 結構定義:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f992ad60-0fe4-4b87-9fed-beb478836861
利用 ConvertSidToStringSidA 從 SID 解析出 SID 格式化字串
利用 GetSidSubAuthority 從 SID 取得 RID