 

How does System.Security.Principal.NTAccount.Translate() resolve specified user to an SID

Tags: .net

I am wondering, if there is a local user account with the specified account name would it get resolved before or after any domain account with the same name?

Darren asked Nov 01 '25 23:11



2 Answers

The SID resolution is done when the Translate method is called:

http://msdn.microsoft.com/en-us/library/system.security.principal.ntaccount.translate.aspx.

If you use NTAccount(string) to initialize the instance and provide an isolated name (a name without a domain), then the resolution is determined by the SID lookup code (if you know how to decompile), which calls LsaLookupNames2:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms721798(v=vs.85).aspx

To translate isolated names:

1. If the name is a well-known name, such as Local or Interactive, the function returns the corresponding well-known security identifier (SID).

2. If the name is the name of the built-in domain, the function returns the SID of that domain.

3. If the name is the name of the account domain, the function returns the SID of that domain.

4. If the name is the name of the primary domain, the function returns the SID of that domain.

5. If the name is one of the names of the trusted domains, the function returns the SID of that domain.

6. If the name is a user, group, or local group account in the built-in domain, the function returns the SID of that account.

7. If the name is a user, group, or local group account in the account domain on the local system, the function returns the SID of that account.

8. If the name is a user, group, or local group in the primary domain, the function returns the SID of that account.

9. After looking in the primary domain, the function looks in each of the primary domain's trusted domains.

10. Otherwise, the name is not translated.

Lex Li answered Nov 04 '25 16:11



Your account names should be fully qualified with either BUILTIN\xxx or COMPUTERNAME\xxx or DOMAINNAME\xxx (you can also use the UPN format of [email protected]).

This would then dictate where Windows would look when you try to get the SID (the local machine users/groups, or the domain via LSA).

Note that the Translate method does have a number of ways that it can fail. Just be prepared for it to do strange things if you lose the network or the domain controller.

Spence answered Nov 04 '25 18:11

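An added example in C# (not code from either answer) that puts both points together: it resolves a mix of isolated and qualified names with NTAccount.Translate, classifies each resulting SID by the authority it came from (BUILTIN/well-known, the local account domain, or a domain), and handles the unmapped case. The account names in the list and the SidResolver/Classify names are assumptions; the local account-domain SID is obtained through rule 3 of the isolated-name list by translating the bare computer name.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the answers above. Windows-only.
static class SidResolver
{
    // Rule 3: the bare computer name resolves to the SID of the local
    // account domain itself (S-1-5-21-...), which we use as a reference.
    static readonly SecurityIdentifier LocalDomainSid =
        (SecurityIdentifier)new NTAccount(Environment.MachineName)
            .Translate(typeof(SecurityIdentifier));

    // Resolve one name and say which authority produced the SID.
    public static string Classify(string name)
    {
        SecurityIdentifier sid;
        try
        {
            sid = (SecurityIdentifier)new NTAccount(name)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            // Rule 10. Lost network / unreachable DC surfaces as other
            // exceptions (SystemException), so callers should expect those too.
            return $"{name}: not translated";
        }

        string origin;
        if (!sid.IsAccountSid())
            origin = "well-known or BUILTIN";        // e.g. S-1-5-32-544
        else if (sid.AccountDomainSid.Equals(LocalDomainSid))
            origin = "local account domain";         // S-1-5-21-<machine>-RID
        else
            origin = "domain (primary or trusted)";  // S-1-5-21-<domain>-RID

        // Translate back: the canonical DOMAIN\name shows which lookup won.
        string canonical = sid.Translate(typeof(NTAccount)).Value;
        return $"{name} -> {sid.Value} ({origin}, canonical: {canonical})";
    }

    static void Main()
    {
        string[] names = {
            "Administrators",                       // isolated; BUILTIN wins (rule 6)
            @"BUILTIN\Administrators",              // qualified, unambiguous
            Environment.MachineName + @"\Guest",    // qualified local account
            "no-such-account-example"               // constructed; expected to fail
        };
        foreach (string name in names)
            Console.WriteLine(Classify(name));
    }
}
```

Running the isolated "Administrators" beside its qualified form shows the same SID and canonical name, which is the point of qualifying names: the ambiguity is resolved by the caller rather than by the lookup order.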