System.Security.Principal.Windows Provides a safe handle to a Windows thread or process access token. For more information, see Access Tokens. Initializes a new instance of the class. An object that represents the pre-existing handle to use. Using returns an invalid handle. Returns an invalid handle by instantiating a object with . Returns a object. Gets a value that indicates whether the handle is invalid. if the handle is not valid; otherwise, . Represents an exception for a principal whose identity could not be mapped to a known identity. Initializes a new instance of the class. Initializes a new instance of the class by using the specified error message. The error message that explains the reason for the exception. Initializes a new instance of the class by using the specified error message and inner exception. The error message that explains the reason for the exception. The exception that is the cause of the current exception. If is not null, the current exception is raised in a block that handles the inner exception. Gets serialization information with the data needed to create an instance of this object. The object that holds the serialized object data about the exception being thrown. The object that contains contextual information about the source or destination. Represents the collection of unmapped identities for an exception. The collection of unmapped identities. Represents an identity and is the base class for the and classes. This class does not provide a public constructor, and therefore cannot be inherited. Returns a value that indicates whether the specified object equals this instance of the class. An object to compare with this instance, or a null reference. if is an object with the same underlying type and value as this instance; otherwise, . Serves as a hash function for . is suitable for use in hashing algorithms and data structures like a hash table. The hash code for this object. 
Returns a value that indicates whether the specified type is a valid translation type for the class. The type being queried for validity to serve as a conversion from . The following target types are valid: if is a valid translation type for the class; otherwise, . Compares two objects to determine whether they are equal. They are considered equal if they have the same canonical name representation as the one returned by the property or if they are both . The left operand to use for the equality comparison. This parameter can be . The right operand to use for the equality comparison. This parameter can be . if and are equal; otherwise, . Compares two objects to determine whether they are not equal. They are considered not equal if they have different canonical name representations than the one returned by the property or if one of the objects is and the other is not. The left operand to use for the inequality comparison. This parameter can be . The right operand to use for the inequality comparison. This parameter can be . if and are not equal; otherwise, . Returns the string representation of the identity represented by the object. The identity in string format. Translates the account name represented by the object into another -derived type. The target type for the conversion from . The converted identity. Gets the string value of the identity represented by the object. The string value of the identity represented by the object. Represents a collection of objects and provides a means of converting sets of -derived objects to -derived types. Initializes a new instance of the class with zero items in the collection. Initializes a new instance of the class by using the specified initial size. The initial number of items in the collection. The value of is a hint only; it is not necessarily the maximum number of items created. Adds an object to the collection. The object to add to the collection. is . Clears all objects from the collection. 
Indicates whether the collection contains the specified object. The object to check for. is . if the collection contains the specified object. Copies the collection to an array, starting at the specified index. An array object to which the collection is to be copied. The zero-based index in where the collection is to be copied. Gets an enumerator that can be used to iterate through the collection. An enumerator for the collection. Removes the specified object from the collection. The object to remove. is . if the specified object was removed from the collection. Gets an enumerator that can be used to iterate through the collection. An enumerator for the collection. Converts the objects in the collection to the specified type. Calling this method is the same as calling with the second parameter set to , which means that exceptions will not be thrown for items that fail conversion. The type to which items in the collection are being converted. A collection that represents the converted contents of the original collection. Converts the objects in the collection to the specified type and uses the specified fault tolerance to handle or ignore errors associated with a type not having a conversion mapping. The type to which items in the collection are being converted. A Boolean value that determines how conversion errors are handled. If is , conversion errors due to a mapping not being found for the translation result in a failed conversion and exceptions being thrown. If is , types that failed to convert due to a mapping not being found for the translation are copied without being converted into the collection being returned. A collection that represents the converted contents of the original collection. Gets the number of items in the collection. The number of objects in the collection. Gets or sets the node at the specified index of the collection. The zero-based index in the collection. The at the specified index in the collection. 
If is greater than or equal to the number of nodes in the collection, the return value is . Gets a value indicating whether the is read-only. if the is read-only; otherwise, . Represents a user or group account. Initializes a new instance of the class by using the specified name. The name used to create the object. This parameter cannot be or an empty string. is . is an empty string. -or- is too long. Initializes a new instance of the class by using the specified domain name and account name. The name of the domain. This parameter can be or an empty string. Domain names that are null values are treated like an empty string. The name of the account. This parameter cannot be or an empty string. is . is an empty string. -or- is too long. -or- is too long. Returns a value that indicates whether this object is equal to a specified object. An object to compare with this object, or . if is an object with the same underlying type and value as this object; otherwise, . Serves as a hash function for the current object. The method is suitable for hashing algorithms and data structures like a hash table. A hash value for the current object. Returns a value that indicates whether the specified type is a valid translation type for the class. The type being queried for validity to serve as a conversion from . The following target types are valid: - - if is a valid translation type for the class; otherwise . Compares two objects to determine whether they are equal. They are considered equal if they have the same canonical name representation as the one returned by the property or if they are both . The left operand to use for the equality comparison. This parameter can be . The right operand to use for the equality comparison. This parameter can be . if and are equal; otherwise . Compares two objects to determine whether they are not equal. 
They are considered not equal if they have different canonical name representations than the one returned by the property or if one of the objects is and the other is not. The left operand to use for the inequality comparison. This parameter can be . The right operand to use for the inequality comparison. This parameter can be . if and are not equal; otherwise . Returns the account name, in Domain \ Account format, for the account represented by the object. The account name, in Domain \ Account format. Translates the account name represented by the object into another -derived type. The target type for the conversion from . The target type must be a type that is considered valid by the method. is . is not an type. Some or all identity references could not be translated. The source account name is too long. -or- A Win32 error code was returned. The converted identity. Returns a string representation of this object. The string representation of this object. Represents a security identifier (SID) and provides marshaling and comparison operations for SIDs. Returns the maximum size, in bytes, of the binary representation of the security identifier. Returns the minimum size, in bytes, of the binary representation of the security identifier. Initializes a new instance of the class by using a specified binary representation of a security identifier (SID). The byte array that represents the SID. The byte offset to use as the starting index in . Initializes a new instance of the class by using an integer that represents the binary form of a security identifier (SID). An integer that represents the binary form of a SID. Initializes a new instance of the class by using the specified well known security identifier (SID) type and domain SID. One of the enumeration values. This value must not be . The domain SID. This value is required for the following values. This parameter is ignored for any other values. 
Initializes a new instance of the class by using the specified security identifier (SID) in Security Descriptor Definition Language (SDDL) format. SDDL string for the SID used to create the object. Compares the current object with the specified object. The object to compare with the current object. A signed number indicating the relative values of this instance and :
Less than zero: this instance is less than .
Zero: this instance is equal to .
Greater than zero: this instance is greater than .
Returns a value that indicates whether this object is equal to a specified object. An object to compare with this object, or . if is an object with the same underlying type and value as this object; otherwise, . Indicates whether the specified object is equal to the current object. The object to compare with the current object. if the value of is equal to the value of the current object. Copies the binary representation of the specified security identifier (SID) represented by the class to a byte array. The byte array to receive the copied SID. The byte offset to use as the starting index in . Serves as a hash function for the current object. The method is suitable for hashing algorithms and data structures like a hash table. A hash value for the current object. Returns a value that indicates whether the security identifier (SID) represented by this object is a valid Windows account SID. if the SID represented by this object is a valid Windows account SID; otherwise, . Returns a value that indicates whether the security identifier (SID) represented by this object is from the same domain as the specified SID. The SID to compare with this object. if the SID represented by this object is in the same domain as the SID; otherwise, . Returns a value that indicates whether the specified type is a valid translation type for the class. The type being queried for validity to serve as a conversion from . 
The following target types are valid: - - if is a valid translation type for the class; otherwise, . Returns a value that indicates whether the object matches the specified well known security identifier (SID) type. A value to compare with the object. if is the SID type for the object; otherwise, . Compares two objects to determine whether they are equal. They are considered equal if they have the same canonical representation as the one returned by the property or if they are both . The left operand to use for the equality comparison. This parameter can be . The right operand to use for the equality comparison. This parameter can be . if and are equal; otherwise, . Compares two objects to determine whether they are not equal. They are considered not equal if they have different canonical name representations than the one returned by the property or if one of the objects is and the other is not. The left operand to use for the inequality comparison. This parameter can be . The right operand to use for the inequality comparison. This parameter can be . if and are not equal; otherwise, . Returns the security identifier (SID), in Security Descriptor Definition Language (SDDL) format, for the account represented by the object. An example of the SDDL format is S-1-5-9. The SID, in SDDL format, for the account represented by the object. Translates the account name represented by the object into another -derived type. The target type for the conversion from . The target type must be a type that is considered valid by the method. is . is not an type. Some or all identity references could not be translated. A Win32 error code was returned. The converted identity. Returns the account domain security identifier (SID) portion from the SID represented by the object if the SID represents a Windows account SID. If the SID does not represent a Windows account SID, this property returns . 
The account domain SID portion from the SID represented by the object if the SID represents a Windows account SID; otherwise, it returns . Returns the length, in bytes, of the security identifier (SID) represented by the object. The length, in bytes, of the SID represented by the object. Returns an uppercase Security Descriptor Definition Language (SDDL) string for the security identifier (SID) represented by this object. An uppercase SDDL string for the SID represented by the object. Defines the privileges of the user account associated with the access token. The user can change the default owner, primary group, or discretionary access control list (DACL) of the token. The user can change the attributes of the groups in the token. The user can enable or disable privileges in the token. The user can adjust the session identifier of the token. The user has all possible access to the token. The user can attach a primary token to a process. The user can duplicate the token. The user can impersonate a client. The maximum value that can be assigned for the enumeration. The user can query the token. The user can query the source of the token. The user has standard read rights and the privilege for the token. The user has standard write rights and the , and privileges for the token. Defines a set of commonly used security identifiers (SIDs). Indicates a SID that matches the account administrators group. Indicates a SID that matches the certificate administrators group. Indicates a SID that matches the account computer group. Indicates a SID that matches the account controller group. Indicates a SID that matches the account domain administrator group. Indicates a SID that matches the account domain guests group. Indicates a SID that matches the account domain users group. Indicates a SID that matches the enterprise administrators group. Indicates a SID that matches the account guest group. Indicates a SID that matches the account Kerberos target group. 
Indicates a SID that matches the policy administrators group. Indicates a SID that matches the RAS and IAS server account. Indicates a SID that matches the schema administrators group. Indicates a SID for the anonymous account. Indicates a SID for an authenticated user. Indicates a SID for a batch process. This SID is added to the token of a process that logs on as a batch job. Indicates a SID that matches the account operators account. Indicates a SID that matches the administrator account. Indicates a SID that matches the Windows Authorization Access group. Indicates a SID that matches the backup operators group. Indicates a SID that matches the domain account. Indicates a SID that matches the guest account. Indicates a SID that allows a user to create incoming forest trusts. It is added to the token of users who are a member of the Incoming Forest Trust Builders built-in group in the root domain of the forest. Indicates a SID that matches the network operators group. Indicates a SID that matches the group of users that have remote access to monitor the computer. Indicates a SID that matches the group of users that have remote access to schedule logging of performance counters on this computer. Indicates a SID that matches the power users group. Indicates a SID that matches pre-Windows 2000 compatible accounts. Indicates a SID that matches the print operators group. Indicates a SID that matches remote desktop users. Indicates a SID that matches the replicator account. Indicates a SID that matches the system operators group. Indicates a SID that matches built-in user accounts. Indicates a creator group server SID. Indicates a SID that matches the creator group of an object. Indicates a creator owner server SID. Indicates a SID that matches the owner or creator of an object. Indicates a SID for a dial-up account. Indicates a SID present when the Microsoft Digest authentication package authenticated the client. Indicates a SID for an enterprise controller. 
Indicates a SID for an interactive account. This SID is added to the token of a process that logs on interactively. Indicates a SID that matches a local service. Indicates a local SID. Indicates a SID that matches the local system. Indicates a SID that matches logon IDs. Indicates the maximum defined SID in the enumeration. Indicates a SID that matches a network service. Indicates a SID for a network account. This SID is added to the token of a process that logs on across a network. Indicates a SID for the Windows NT authority. Indicates a SID present when the Microsoft NTLM authentication package authenticated the client. Indicates a null SID. Indicates a SID present when the user authenticated across a forest with the selective authentication option enabled. If this SID is present, then cannot be present. Indicates a proxy SID. Indicates a SID that matches remote logons. Indicates a SID for restricted code. Indicates a SID present when the Secure Channel (SSL/TLS) authentication package authenticated the client. Indicates a SID for self. Indicates a SID for a service. This SID is added to the token of a process that logs on as a service. Indicates a SID that matches a terminal server account. Indicates a SID present when the user authenticated from within the forest or across a trust that does not have the selective authentication option enabled. If this SID is present, then cannot be present. Indicates a SID that matches an account read-only controllers group. Indicates a SID that matches the application package authority. Indicates a SID that applies to all app containers. Indicates a SID that matches the built-in DCOM certification services access group. Indicates a SID that allows a user to use cryptographic operations. It is added to the token of users who are a member of the CryptoOperators built-in group. Indicates a SID that matches the distributed COM user group. Indicates a SID that matches an event log readers group. 
Indicates a SID that matches the Internet built-in user group. Indicates a SID that is present on a server that can issue Terminal Server licenses. Indicates a SID that matches a cacheable principals group. Indicates a SID for documents library capability for app containers. Indicates a SID for Windows credentials capability for app containers. Indicates a SID of Internet client and server capability for app containers. Indicates a SID of Internet client capability for app containers. Indicates a SID for music library capability for app containers. Indicates a SID for pictures library capability for app containers. Indicates a SID of private network client and server capability for app containers. Indicates a SID for removable storage capability for app containers. Indicates a SID for shared user certificates capability for app containers. Indicates a SID for videos library capability for app containers. Indicates a SID that matches a console logon group. Indicates a SID that matches a creator and owner rights group. Indicates a SID that matches an enterprise-wide read-only controllers group. Indicates a SID that matches a high level of trust label. Indicates a SID that matches the Internet user group. Indicates a SID that matches a local logon group. Indicates a SID that matches a low level of trust label. Indicates a SID that matches a medium level of trust label. Indicates a SID that matches the medium plus integrity label. Indicates a SID that matches a read-only enterprise domain controller. Indicates a SID that matches a non-cacheable principals group. Indicates a SID that matches a system label. Indicates a SID that matches a certificate for the given organization. Indicates a SID that matches an untrusted label. Indicates a SID that matches a write restricted code group. Indicates a SID that matches everyone. Specifies the type of Windows account used. An anonymous account. A Windows guest account. A standard user account. A Windows system account. 
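The SecurityIdentifier, NTAccount, IdentityReferenceCollection and WellKnownSidType members described above, exercised together in one added example. This is not code from the System.Security.Principal.Windows package or its documentation. It assumes a Windows host (name translation goes through LSA, so only accounts this host or its domain knows will resolve); the domain SID S-1-5-21-1111111111-2222222222-3333333333 is a constructed sample, so SIDs derived from it are deliberately unresolvable, which is what the last two steps rely on.

```csharp
// Added example, not part of the System.Security.Principal.Windows documentation.
// Builds, compares and translates SIDs. Windows only.
using System;
using System.Security.Principal;

static class SidDemo
{
    // Constructed sample domain SID; no such domain exists, so anything derived
    // from it will not resolve to an account name.
    static readonly SecurityIdentifier SampleDomain =
        new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333");

    static void Main()
    {
        // 1. Parse SDDL and inspect. BUILTIN\Administrators has only two sub-authorities,
        //    so it is not an account SID and has no domain portion (AccountDomainSid is null).
        var admins = new SecurityIdentifier("S-1-5-32-544");
        Console.WriteLine($"{admins}: length={admins.BinaryLength} " +
                          $"builtinAdmins={admins.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid)} " +
                          $"accountSid={admins.IsAccountSid()} domain={admins.AccountDomainSid?.ToString() ?? "none"}");

        // 2. Round-trip the binary form (what tokens, ACLs and LDAP objectSid carry) and
        //    compare by value. Do not compare SIDs as strings you did not canonicalize.
        var raw = new byte[admins.BinaryLength];
        admins.GetBinaryForm(raw, 0);
        var fromBytes = new SecurityIdentifier(raw, 0);
        Console.WriteLine($"binary round-trip equal: {fromBytes == admins}, " +
                          $"hash equal: {fromBytes.GetHashCode() == admins.GetHashCode()}");

        // 3. Well-known SIDs. Universal ones take a null domain; domain-relative ones
        //    (Domain Admins = RID 512, Domain Users = RID 513) require the domain SID
        //    and the constructor throws ArgumentException without it.
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        var domainAdmins = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, SampleDomain);
        var domainUsers = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid, SampleDomain);
        Console.WriteLine($"everyone={everyone} domainAdmins={domainAdmins} " +
                          $"sameDomain={domainAdmins.IsEqualDomainSid(domainUsers)} " +
                          $"domainOf(domainAdmins)==sample: {domainAdmins.AccountDomainSid == SampleDomain}");
        try
        {
            new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, null);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine($"domain-relative SID without a domain: {ex.GetType().Name}");
        }

        // 4. SID <-> NTAccount. A SID that names no account (deleted user, unknown domain)
        //    throws IdentityNotMappedException; UnmappedIdentities lists what failed.
        foreach (var sid in new[] { admins, domainAdmins })
        {
            try
            {
                var account = (NTAccount)sid.Translate(typeof(NTAccount));
                var back = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
                Console.WriteLine($"{sid} -> {account} -> {back} (round-trip equal: {back == sid})");
            }
            catch (IdentityNotMappedException ex)
            {
                Console.WriteLine($"unmapped: {string.Join(", ", ex.UnmappedIdentities)}");
            }
        }

        // 5. Bulk translation with forceSuccess=false: entries that do not resolve are
        //    copied through unchanged as SecurityIdentifier, so check the runtime type
        //    of each element instead of assuming every element became an NTAccount.
        var batch = new IdentityReferenceCollection { admins, everyone, domainAdmins };
        IdentityReferenceCollection translated = batch.Translate(typeof(NTAccount), forceSuccess: false);
        for (int i = 0; i < translated.Count; i++)
        {
            string state = translated[i] is NTAccount ? "resolved" : "unresolved (still a SID)";
            Console.WriteLine($"  {batch[i].Value,-45} -> {translated[i].Value,-30} {state}");
        }
    }
}
```

The last step is the one that bites in authorization code: after a `Translate(..., false)` an element can still be a `SecurityIdentifier`, and code that casts every element to `NTAccount` will throw, while code that compares on `Value` alone will silently treat the SID string as an account name.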
Specifies common roles to be used with . Account operators manage the user accounts on a computer or domain. Administrators have complete and unrestricted access to the computer or domain. Backup operators can override security restrictions for the sole purpose of backing up or restoring files. Guests are more restricted than users. Power users possess most administrative permissions with some restrictions. Thus, power users can run legacy applications, in addition to certified applications. Print operators can take control of a printer. Replicators support file replication in a domain. System operators manage a particular computer. Users are prevented from making accidental or intentional system-wide changes. Thus, users can run certified applications, but not most legacy applications. Represents a Windows user. Identifies the name of the default issuer. Initializes a new instance of the class for the user represented by the specified Windows account token. The account token for the user on whose behalf the code is running. is 0. -or- is duplicated and invalid for impersonation. The caller does not have the correct permissions. -or- A Win32 error occurred. Initializes a new instance of the class for the user represented by the specified Windows account token and the specified authentication type. The account token for the user on whose behalf the code is running. (Informational use only.) The type of authentication used to identify the user. is 0. -or- is duplicated and invalid for impersonation. The caller does not have the correct permissions. -or- A Win32 error occurred. Initializes a new instance of the class for the user represented by the specified Windows account token, the specified authentication type, and the specified Windows account type. The account token for the user on whose behalf the code is running. (Informational use only.) The type of authentication used to identify the user. One of the enumeration values. is 0. 
-or- is duplicated and invalid for impersonation. The caller does not have the correct permissions. -or- A Win32 error occurred. Initializes a new instance of the class for the user represented by the specified Windows account token, the specified authentication type, the specified Windows account type, and the specified authentication status. The account token for the user on whose behalf the code is running. (Informational use only.) The type of authentication used to identify the user. One of the enumeration values. to indicate that the user is authenticated; otherwise, . is 0. -or- is duplicated and invalid for impersonation. The caller does not have the correct permissions. -or- A Win32 error occurred. Initializes a new instance of the class for the user represented by information in a stream. The object containing the account information for the user. An object that indicates the stream characteristics. A cannot be serialized across processes. The caller does not have the correct permissions. -or- A Win32 error occurred. Initializes a new instance of the class by using the specified object. The object from which to construct the new instance of . Initializes a new instance of the class for the user represented by the specified User Principal Name (UPN). The UPN for the user on whose behalf the code is running. Windows returned the Windows NT status code STATUS_ACCESS_DENIED. There is insufficient memory available. The caller does not have the correct permissions. -or- The computer is not attached to a Windows 2003 or later domain. -or- The computer is not running Windows 2003 or later. -or- The user is not a member of the domain the computer is attached to. Creates a new object that is a copy of the current instance. A copy of the current instance. Releases all resources used by the . Releases the unmanaged resources used by the and optionally releases the managed resources. to release both managed and unmanaged resources; to release only unmanaged resources. 
Returns a object that you can use as a sentinel value in your code to represent an anonymous user. The property value does not represent the built-in anonymous identity used by the Windows operating system. An object that represents an anonymous user. Returns a object that represents the current Windows user. The caller does not have the correct permissions. An object that represents the current user. Returns a object that represents the Windows identity for either the thread or the process, depending on the value of the parameter. to return the only if the thread is currently impersonating; to return the of the thread if it is impersonating or the of the process if the thread is not currently impersonating. An object that represents a Windows user. Returns a object that represents the current Windows user, using the specified desired token access level. A bitwise combination of the enumeration values. An object that represents the current user. Runs the specified action as the impersonated Windows identity. Instead of using an impersonated method call and running your function in , you can use and provide your function directly as a parameter. The SafeAccessTokenHandle of the impersonated Windows identity. The System.Action to run. Runs the specified function as the impersonated Windows identity. Instead of using an impersonated method call and running your function in , you can use and provide your function directly as a parameter. The SafeAccessTokenHandle of the impersonated Windows identity. The System.Func to run. The type of object used by and returned by the function. The result of the function. Runs the specified asynchronous action as the impersonated Windows identity. The handle of the impersonated Windows identity. The function to run. A task that represents the asynchronous operation of the provided . Runs the specified asynchronous action as the impersonated Windows identity. The handle of the impersonated Windows identity. The function to run. 
The type of the object to return. A task that represents the asynchronous operation of . Implements the interface and is called back by the deserialization event when deserialization is complete. The source of the deserialization event. Sets the object with the logical context information needed to recreate an instance of this execution context. An object containing the information required to serialize the . An object containing the source and destination of the serialized stream associated with the . Gets this for this instance. Returns a . Gets the type of authentication used to identify the user. Windows returned the Windows NT status code STATUS_ACCESS_DENIED. There is insufficient memory available. The caller does not have the correct permissions. -or- The computer is not attached to a Windows 2003 or later domain. -or- The computer is not running Windows 2003 or later. -or- The user is not a member of the domain the computer is attached to. The type of authentication used to identify the user. Gets all claims for the user represented by this Windows identity. A collection of claims for this object. Gets claims that have the property key. A collection of claims that have the property key. Gets the groups the current Windows user belongs to. An object representing the groups the current Windows user belongs to. Gets the impersonation level for the user. One of the enumeration values that specifies the impersonation level. Gets a value that indicates whether the user account is identified as an anonymous account by the system. if the user account is an anonymous account; otherwise, . Gets a value indicating whether the user has been authenticated by Windows. if the user was authenticated; otherwise, . Gets a value indicating whether the user account is identified as a account by the system. if the user account is a account; otherwise, . Gets a value indicating whether the user account is identified as a account by the system. 
if the user account is a account; otherwise, . Gets the user's Windows logon name. The Windows logon name of the user on whose behalf the code is being run. Gets the security identifier (SID) for the token owner. An object for the token owner. Gets the Windows account token for the user. The handle of the access token associated with the current execution thread. Gets the security identifier (SID) for the user. An object for the user. Gets claims that have the property key. A collection of claims that have the property key. Enables code to check the Windows group membership of a Windows user. Initializes a new instance of the class by using the specified object. The object from which to construct the new instance of . is . Determines whether the current principal belongs to the Windows user group with the specified relative identifier (RID). The RID of the Windows user group in which to check for the principal's membership status. if the current principal is a member of the specified Windows user group, that is, in a particular role; otherwise, . Determines whether the current principal belongs to the Windows user group with the specified security identifier (SID). A that uniquely identifies a Windows user group. is . Windows returned a Win32 error. if the current principal is a member of the specified Windows user group; otherwise, . Determines whether the current principal belongs to the Windows user group with the specified . One of the values. is not a valid value. if the current principal is a member of the specified Windows user group; otherwise, . Determines whether the current principal belongs to the Windows user group with the specified name. The name of the Windows user group for which to check membership. if the current principal is a member of the specified Windows user group; otherwise, . Gets all Windows device claims from this principal. A collection of all Windows device claims from this principal. Gets the identity of the current principal. 
The object of the current principal. Gets all Windows user claims from this principal. A collection of all Windows user claims from this principal.
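The WindowsIdentity, WindowsPrincipal, TokenAccessLevels, SafeAccessTokenHandle and RunImpersonated members described above, exercised in one added example. This is not code from the System.Security.Principal.Windows package or its documentation. It assumes a Windows host and obtains a second token through the Win32 LogonUser function (advapi32, declared here via P/Invoke, not part of this package); the DEMO_USER, DEMO_DOMAIN and DEMO_PASSWORD environment variables are hypothetical placeholders for the demo and not a recommended way to handle credentials.

```csharp
// Added example, not part of the System.Security.Principal.Windows documentation.
// Inspects the process token, checks role membership, then impersonates a second
// token inside RunImpersonated. Windows only.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class TokenDemo
{
    const int LOGON32_LOGON_NETWORK = 3;     // yields an impersonation token
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 LogonUser (advapi32). SafeAccessTokenHandle closes the handle on Dispose.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Summarize a token: who it is, what kind of account, impersonation level, admin role.
    static void Describe(string label, WindowsIdentity id)
    {
        var principal = new WindowsPrincipal(id);
        // Role check by built-in role and by well-known SID; both go through the token's
        // group list, so under UAC a non-elevated administrator gets false from both
        // because BUILTIN\Administrators is present only as a deny-only group.
        bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
        bool isAdminBySid = principal.IsInRole(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
        Console.WriteLine($"[{label}] name={id.Name} user={id.User} owner={id.Owner} " +
                          $"auth={id.AuthenticationType} impersonation={id.ImpersonationLevel} " +
                          $"system={id.IsSystem} guest={id.IsGuest} anonymous={id.IsAnonymous} " +
                          $"admin={isAdmin}/{isAdminBySid} groups={id.Groups?.Count}");
    }

    static void Main()
    {
        // Process token. Request only the rights needed: Query for the properties,
        // Duplicate because IsInRole duplicates a primary token into an impersonation
        // token for CheckTokenMembership. MaximumAllowed (the default) is broader than this.
        using (WindowsIdentity current =
               WindowsIdentity.GetCurrent(TokenAccessLevels.Query | TokenAccessLevels.Duplicate))
        {
            Describe("process", current);
        }

        // Hypothetical placeholders for the demo only; real code takes credentials from
        // a secret store, never from environment variables or argv.
        string? user = Environment.GetEnvironmentVariable("DEMO_USER");
        string domain = Environment.GetEnvironmentVariable("DEMO_DOMAIN") ?? ".";
        string? password = Environment.GetEnvironmentVariable("DEMO_PASSWORD");
        if (user is null || password is null)
        {
            Console.WriteLine("set DEMO_USER and DEMO_PASSWORD to try impersonation");
            return;
        }

        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                       out SafeAccessTokenHandle token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token)
        {
            // RunImpersonated scopes impersonation to the delegate and reverts the thread
            // afterwards, including when the delegate throws. GetCurrent(ifImpersonating: true)
            // returns null unless the thread really is impersonating, which makes it a
            // cheap assertion that the switch happened.
            string who = WindowsIdentity.RunImpersonated(token, () =>
            {
                using WindowsIdentity imp = WindowsIdentity.GetCurrent(ifImpersonating: true)
                    ?? throw new InvalidOperationException("thread is not impersonating");
                Describe("impersonated", imp);
                return imp.Name;
            });
            Console.WriteLine($"ran as {who}; thread is back to {WindowsIdentity.GetCurrent().Name}");
        }
    }
}
```

Two things to keep from this: the token handle, not the WindowsIdentity, is the resource that must be disposed, and the scope of RunImpersonated is the only place where code may assume it runs as the other user. Code that captures the impersonated WindowsIdentity and uses it after the delegate returns is operating on a token whose thread context has already reverted.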