When working with the access rules returned by GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount)), how can I tell if the NTAccount object referenced in each rule is a user account or a group?
Update:
I was able to solve this as follows. Note, the intent of this code is to return True if the NTAccount is a group, and False otherwise or if an error occurs during checking.
Is there a better way to do this?
Imports System.DirectoryServices.AccountManagement
Imports System.Security.Principal

' Returns True when the account resolves to a group, False for user accounts
' or when the account cannot be resolved at all.
Public Function IsGroup(ByVal account As NTAccount) As Boolean
    Dim samAccountName As String = account.Value
    Dim accountNameParts() As String = samAccountName.Split("\"c)
    If accountNameParts.Length = 2 Then
        Dim principalContext As PrincipalContext = Nothing
        Try
            ' Treat the prefix as a domain first ("DOMAIN\name").
            principalContext = New PrincipalContext(ContextType.Domain, accountNameParts(0))
        Catch
            Try
                ' Fall back to treating the prefix as a machine ("MACHINE\name").
                principalContext = New PrincipalContext(ContextType.Machine, accountNameParts(0))
            Catch
                principalContext = Nothing
            End Try
        End Try
        If principalContext IsNot Nothing Then
            Using principalContext
                ' FindByIdentity is Shared, so call it on the Principal type rather
                ' than on an (unassigned) local variable of the same name.
                Dim found As Principal = Principal.FindByIdentity(principalContext, samAccountName)
                If found IsNot Nothing Then
                    Return TypeOf found Is GroupPrincipal
                End If
            End Using
        End If
    End If
    Return False
End Function
Another update:
The above solution was okay for most server\account objects, but it fails for local group objects on the EMC Celerra NAS servers we have. I'm trying to use the NetUserGetInfo/NetLocalGroupGetInfo Win API calls to see if that will work, but I can't get them to work properly. See http://stackoverflow.com/questions/3663571/netusergetinfo-netlocalgroupgetinfo-returning-error-1722 for more details.
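An added example (not the asker's code) that classifies the account with the Win32 LookupAccountName call, whose SID_NAME_USE result states directly whether a name is a user, a domain group, a local group (alias) or a well-known group. It assumes a P/Invoke declaration of that function from advapi32.dll, and when the local machine cannot resolve the name it retries against the server named in the "SERVER\name" prefix, which is the path that can reach local groups defined on a remote host.

```vb
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Text

Public Module AccountTypeCheck
    ' SID_NAME_USE values from winnt.h (only those needed here).
    Public Enum SidNameUse
        SidTypeUser = 1
        SidTypeGroup = 2
        SidTypeDomain = 3
        SidTypeAlias = 4           ' a local group
        SidTypeWellKnownGroup = 5
        SidTypeUnknown = 8
    End Enum
    <DllImport("advapi32.dll", CharSet:=CharSet.Unicode, SetLastError:=True)> _
    Private Function LookupAccountName(ByVal lpSystemName As String, ByVal lpAccountName As String, _
        ByVal sid As Byte(), ByRef cbSid As UInteger, ByVal referencedDomainName As StringBuilder, _
        ByRef cchReferencedDomainName As UInteger, ByRef peUse As SidNameUse) As Boolean
    End Function
    ' Two-call pattern: the first call only reports the buffer sizes it needs.
    Private Function TryLookup(ByVal systemName As String, ByVal accountName As String, _
                               ByRef use As SidNameUse) As Boolean
        Dim sidSize As UInteger = 0
        Dim domainSize As UInteger = 0
        LookupAccountName(systemName, accountName, Nothing, sidSize, Nothing, domainSize, use)
        If sidSize = 0 Then Return False
        Dim sid(CInt(sidSize) - 1) As Byte
        Dim domain As New StringBuilder(CInt(domainSize))
        Return LookupAccountName(systemName, accountName, sid, sidSize, domain, domainSize, use)
    End Function
    ' True for domain groups, local groups (aliases) and well-known groups;
    ' False for users, computers and anything that cannot be resolved.
    Public Function IsGroup(ByVal account As NTAccount) As Boolean
        Dim use As SidNameUse = SidNameUse.SidTypeUnknown
        Dim resolved As Boolean = TryLookup(Nothing, account.Value, use)
        ' Local lookup failed: ask the server named in the "SERVER\name" prefix directly.
        If Not resolved Then
            Dim parts() As String = account.Value.Split("\"c)
            If parts.Length = 2 Then resolved = TryLookup(parts(0), parts(1), use)
        End If
        If Not resolved Then Return False
        Select Case use
            Case SidNameUse.SidTypeGroup, SidNameUse.SidTypeAlias, SidNameUse.SidTypeWellKnownGroup
                Return True
            Case Else
                Return False
        End Select
    End Function
End Module
```

Whether the remote retry succeeds against a non-Windows NAS depends on how completely that device emulates the LSA lookup RPC, so a False result there still means "unresolved", not "user".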