Determining if a VMEntry is a built in object

  • Question

  • When my extension is being called, is it possible to determine if the object represents a built in object?

    "Domain Admins" for example

    Thank you,

    David


    David Downing


    Sunday, November 13, 2016 6:15 PM

Answers

  • Hi David,

    For Domain Admins, short of looking at the sAMAccountName or displayName which could be changed, the only other way I know would be to look at the objectSID S-1-5-21-domain-512, where domain is your unique domain identifier.

    Take note that there is a difference between the various default groups. Some default groups are considered predefined groups, like Domain Admins, Domain Users, Domain Guests, Enterprise Admins, etc. (see reference), and you would need to look at the well-known SID identifiers. Another kind of default group, built-in, are the Account Operators, Administrators, Print Operators, etc. (see reference), and for those you could look at the groupType like this:

    // groupType bit 0x1 marks a group created by the system (the BUILTIN groups).
    const long BUILTIN_LOCAL_GROUP = 0x00000001;

    long groupType = csentry["groupType"].IntegerValue;

    if (Convert.ToBoolean(groupType & BUILTIN_LOCAL_GROUP))
    {
        // This is a Built-in group, do something...
    }
    else
    {
        // Not a Built-in group, do something...
    }

    References:

    Default User Accounts and Groups

    Well-known security identifiers in Windows Operating Systems

    Hope that helps,

    Best,

    Jeff Ingalls

    • Marked as answer by Dave Downing Monday, February 6, 2017 6:10 PM
    Wednesday, November 16, 2016 3:18 AM
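The following is an added worked example, not code from the thread or from MIM itself. It applies both checks from the answer above to plain values: the RID check on a binary objectSid (the form a MIM extension gets from csentry["objectSid"].BinaryValue) for the predefined groups, and the groupType bit for the BUILTIN container groups. The csentry accessors are assumed and not called so the program runs stand-alone; the two SIDs and the domain identifier 1-2-3 are constructed sample values.

```csharp
using System;
using System.Security.Principal;

// Added example: classify an AD group by objectSid RID and by the groupType
// system-created bit. In a MIM extension the inputs would come from
// csentry["objectSid"].BinaryValue and csentry["groupType"].IntegerValue (assumed).
static class DefaultGroupCheck
{
    // groupType bit 0x1: the group was created by the system (BUILTIN groups).
    const long BUILTIN_LOCAL_GROUP = 0x00000001;

    // Domain-relative RIDs of the predefined groups named in the answer.
    // The RID is the last sub-authority of S-1-5-21-<domain>-<rid>.
    const int DomainAdminsRid = 512;
    const int DomainUsersRid = 513;
    const int DomainGuestsRid = 514;
    const int EnterpriseAdminsRid = 519;

    // Returns the predefined group's name when objectSid is S-1-5-21-<domain>-<known RID>,
    // otherwise null. The SID is used instead of sAMAccountName/displayName because
    // those attributes can be renamed by an administrator; the SID cannot.
    public static string PredefinedGroupName(byte[] objectSid)
    {
        var sid = new SecurityIdentifier(objectSid, 0);
        // AccountDomainSid is non-null only for S-1-5-21-x-y-z-... account SIDs, which
        // rules out BUILTIN (S-1-5-32-...) and other non-domain SIDs before the RID test.
        if (sid.AccountDomainSid == null) return null;

        string[] parts = sid.Value.Split('-');
        int rid = int.Parse(parts[parts.Length - 1]);
        switch (rid)
        {
            case DomainAdminsRid: return "Domain Admins";
            case DomainUsersRid: return "Domain Users";
            case DomainGuestsRid: return "Domain Guests";
            case EnterpriseAdminsRid: return "Enterprise Admins";
            default: return null;
        }
    }

    // The groupType test from the answer, written as a predicate.
    public static bool IsBuiltInGroup(long groupType)
    {
        return (groupType & BUILTIN_LOCAL_GROUP) != 0;
    }

    static void Main()
    {
        // Constructed sample: S-1-5-21-1-2-3-512 in binary form.
        // Layout: revision (1), sub-authority count (5), 48-bit big-endian identifier
        // authority (5), then five little-endian 32-bit sub-authorities.
        byte[] domainAdminsSid =
        {
            0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
            0x15, 0x00, 0x00, 0x00,   // 21
            0x01, 0x00, 0x00, 0x00,   // 1   (constructed domain identifier)
            0x02, 0x00, 0x00, 0x00,   // 2
            0x03, 0x00, 0x00, 0x00,   // 3
            0x00, 0x02, 0x00, 0x00,   // 512 = Domain Admins
        };
        // Constructed sample: S-1-5-32-544 (BUILTIN\Administrators), two sub-authorities.
        byte[] builtinAdminsSid =
        {
            0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
            0x20, 0x00, 0x00, 0x00,   // 32
            0x20, 0x02, 0x00, 0x00,   // 544
        };

        // groupType as AD stores it (signed 32-bit): Domain Admins is a global
        // security group (0x80000002); BUILTIN\Administrators is a domain-local
        // security group with the system-created bit set (0x80000005).
        Report(domainAdminsSid, unchecked((int)0x80000002));
        Report(builtinAdminsSid, unchecked((int)0x80000005));
    }

    static void Report(byte[] objectSid, long groupType)
    {
        var sid = new SecurityIdentifier(objectSid, 0);
        string predefined = PredefinedGroupName(objectSid) ?? "(not a predefined group)";
        Console.WriteLine("{0}: predefined={1}, builtin={2}",
            sid.Value, predefined, IsBuiltInGroup(groupType));
    }
}
```

The two checks are deliberately separate because they answer different questions: the RID check only fires for S-1-5-21 account SIDs, so BUILTIN\Administrators (S-1-5-32-544) never matches it, while the groupType bit is not set on Domain Admins. Note that Enterprise Admins (RID 519) exists only in the forest root domain, so a match on that RID in a child domain's SID space would be unexpected and worth investigating rather than trusting.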

All replies

  • Hi David,

    There are only 13 objects in the default MIM schema:

    computer
    detectedRuleEntry
    domain
    expectedRuleEntry
    function
    group
    locality
    organization
    organizationalUnit
    person
    printer
    role
    synchronizationRule

    You could perform a check to see if the object is one of those 13 object types.

    See also MIM 2016 Schema

    Best,

    Jeff Ingalls

    Monday, November 14, 2016 1:40 AM
  • Sorry Jeff, I meant to say built in objects like "Domain Admins".

    David Downing

    Monday, November 14, 2016 5:12 PM