使用Python检查任意用户是否在管理员组中 [英] Check if an arbitrary user is in Administrator Group with Python

问题描述

是否可以检查管理员组中是否有任何给定用户？

Is there a way to check if any given user is in the Administrator's Group?

我知道如何检查当前用户是使用以下命令的管理员：

I know how to check if the current user is an admin using:

import ctypes
print ctypes.windll.shell32.IsUserAnAdmin()

但是，如果我以userA身份登录，我想知道userZed是否具有管理员权限。

However if I'm logged in as userA, I want to know if userZed has admin privileges.

任何指针或建议都会有所帮助，看来我无法找到ctypes.windll.shell32上的任何文档。

Any pointers or suggestions would help, it seems I can't track down any documentation on ctypes.windll.shell32.

推荐答案

这是一个提供此代码的网站：

Here is a website with code to do this:

http://skippylovesmalorie.wordpress.com/tag/python-windows/

我对其进行了测试，有用。可以如下使用，请注意字符串必须为Unicode或登录将失败：

I tested it and it works. Can be used as follows, note that the strings HAVE to be unicode or the login will fail:

Python 2.7：

Python 2.7:

print(user_is_admin(u"johndoe", u"password123", u"MYDOMAIN"))

Python 3.x：

Python 3.x:

print(user_is_admin("johndoe", "password123", "MYDOMAIN"))

下面是代码，以供将来参考：

Here's the code, for future reference:

import ctypes
import ctypes.wintypes

def current_user_is_admin():
    return user_token_is_admin(0)

def user_is_admin(username, password, domain=None):
    """note that username, password, and domain should all be unicode"""

    LOGON32_LOGON_NETWORK = 3
    LOGON32_PROVIDER_DEFAULT = 0
    token = ctypes.wintypes.HANDLE()
    if ctypes.windll.advapi32.LogonUserW(username, domain, password,
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ctypes.byref(token)) == 0:
        raise Exception("user logon failed")

    try:
        return user_token_is_admin(token)
    finally:
        ctypes.windll.kernel32.CloseHandle(token)


def user_token_is_admin(user_token):
    """
    using the win32 api, determine if the user with token user_token has administrator rights
    """
    class SID_IDENTIFIER_AUTHORITY(ctypes.Structure):
        _fields_ = [
            ("byte0", ctypes.c_byte),
            ("byte1", ctypes.c_byte),
            ("byte2", ctypes.c_byte),
            ("byte3", ctypes.c_byte),
            ("byte4", ctypes.c_byte),
            ("byte5", ctypes.c_byte),
        ]
    nt_authority = SID_IDENTIFIER_AUTHORITY()
    nt_authority.byte5 = 5

    SECURITY_BUILTIN_DOMAIN_RID = 0x20
    DOMAIN_ALIAS_RID_ADMINS = 0x220
    administrators_group = ctypes.c_void_p()
    if ctypes.windll.advapi32.AllocateAndInitializeSid(ctypes.byref(nt_authority), 2,
        SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0, ctypes.byref(administrators_group)) == 0:
        raise Exception("AllocateAndInitializeSid failed")

    try:
        is_admin = ctypes.wintypes.BOOL()
        if ctypes.windll.advapi32.CheckTokenMembership(
                user_token, administrators_group, ctypes.byref(is_admin)) == 0:
            raise Exception("CheckTokenMembership failed")
        return is_admin.value != 0

    finally:
        ctypes.windll.advapi32.FreeSid(administrators_group)

这篇关于使用Python检查任意用户是否在管理员组中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！