Detecting system user privileges on XP OS?

[thalupularavi]

Hi All,

How to identify logged user is admin or non-admin on XP OS using Java API?

We are planning to restrict non-admin users to run desktop application(Swing app) on XP.

Any inputs will be greatly appreciated.

Thanks,
Ravi T

[FON]

This maybe?

Java Code:

System.out.println( System.getProperty("user.name") );

[thalupularavi]

Thanks FON for your quick reply.

System.out.println( System.getProperty("user.name") );

Is displays only username not role. I have to identify that user belongs to Admin group or not.

[FON]

Ok, this is about using
Java Authentication and Authorization Service (JAAS)

Here is some code and links to get you starting
I hope this will help
but you have to do further research by yourself ;)

In rt.jar that comes with your virtual machine
there is package : "com.sun.security.auth"
as SUN's impl. of JAAS

In order for this code sample to run in your IDE
be sure that u have set classpath right
(maybe you have to change your system library)

Java Code:

com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
			
			System.out.println(NTSystem.getName());
			System.out.println(NTSystem.getDomain());
			
			System.out.println(NTSystem.getDomainSID());
			
			System.out.println(NTSystem.getImpersonationToken());
			System.out.println(NTSystem.getPrimaryGroupID());
			System.out.println(NTSystem.getUserSID());
			System.out.println(NTSystem.getGroupIDs());

Output is:

Java Code:

dren
JAVAMACHINE
S-1-5-21-299502267-220523388-725345543
3696
S-1-5-21-299502267-220523388-725345543-513
S-1-5-21-299502267-220523388-725345543-1003
[Ljava.lang.String;@19821f

Now those S-1-5 are security identifiers
which maybe could help you resolve issuse like user groups and permissions.

Here is link for their meaning:

Well-known security identifiers in Windows operating systems

I don't know if this is good approach
but at least it will give you some ideas :)

cheers!

[thalupularavi]

Hi FON,

Thanks a lot for the information. It is helpful.

I have came across another solution is implementing Windows API. But for that we have to use Jnative or JNI API.

Our current application is already using Jnative API. Looking for an example to implement CheckTokenMembership() using Jnative API.

I know that this not right forum to post Jnative related questions.

CheckTokenMembership Function (Windows)

-Ravi T

[FON]

Hi FON,


I know that this not right forum to post Jnative related questions.


-Ravi T

Well in this context i believe it is right place.
Don't hesitate to post your solution at the end of your research
I'm pretty sure the are people here how would like to know solution
for this interesting problem.

A question for you:
are those SID's in link I posted enough to solve your problem,
or to be more precise :

if in my code I check some user's SID and that SID IS NOT type.. :

SID: S-1-5-21domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.


...is it good enough to restrict this user?

thanx for your answer in advance!

good luck!

[thalupularavi]

Hi FON,

Thanks a lot for your support.

I'm planning to user following SID to detect admin rights. Please see the description, i.e every domain admin group also part of this group. Considering this group for validation.

I have tested on multiple XP systems. It is as it expected.


SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.


public static boolean isAdmin()
{

com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
String groups[] = NTSystem.getGroupIDs();
for(String group : groups)
{
if( group.equals("S-1-5-32-544"))
return true;
}
return false;

}

[FON]

Hi thalupularavi,

you are very welcome,
I'm so glad you find a solution for your problem.

A lot of people start some Thread, post their problem, and after some time
they just leave it like that, so thread stays useless.

So thank you very much for sharing final solution with us
that's what forum should be about.

It takes time and lot of machines to test the solution for this sort of problem, I hope your tests end well and that check of
SID: S-1-5-32-544 is good enough for this purpose.

hope to hear more from your in coming days

cheers :)