How to Determine if a User is a Local Administrator with PowerShell
I truly must be losing it, but my intern and I fought with this simple task for at least 15 minutes today and it REALLY shouldn't be this hard.
Anyway, this is what we came up with to figure out if a user is a Local Administrator. It's not very "terse" PowerShell because the goal is (trying to) teach him, so there are temporary variables.
# The user name to look for is passed as the first script argument
$userToFind = $args[0]
# Look up the local Administrators group by its well-known SID rather than by name (the name is localized)
$administratorsAccount = Get-WmiObject Win32_Group -filter "LocalAccount=True AND SID='S-1-5-32-544'"
# Build the WQL filter that selects the membership rows for that group
$administratorQuery = "GroupComponent = `"Win32_Group.Domain='" + $administratorsAccount.Domain + "',NAME='" + $administratorsAccount.Name + "'`""
# Each row's PartComponent is the member's path; escape the name so backslashes and dots are not treated as regex syntax
$user = Get-WmiObject Win32_GroupUser -filter $administratorQuery | select PartComponent | where {$_.PartComponent -match [regex]::Escape($userToFind)}
$user
I Googled all over and thought about a number of ways this could be done, but this turned out to be the easiest. I'm interested if you have hit this before also and what you came up with.
Note that the SID value for the Administrators group is a "Magic Number" that's hardcoded, but we get around that because it's always been that way and can never change. Instead I call it a "Well-Known Value" and sleep better at night.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
$u = "username"; net localgroup administrators | Where {$_ -match $u}
Where "username" is, of course, the user you are looking for in the local admin group.
PowerShell Rocks!
Jonathan Walz
----------------------------------------
<code>
function Check-GroupMembers {
    Param([string]$group, [string]$server, [string]$user)
    If (!($server)) { $server = get-content env:COMPUTERNAME }
    $g = [ADSI]("WinNT://$server/$group,group")
    $ulist = $g.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    if ($user) {
        $found = $false
        foreach ($u in $ulist) {
            if ($u -eq $user) { $found = $true }
        }
        if ($found) { Write-Host "User [$user] Found" -ForegroundColor green; $true }
        else { Write-Host "User [$user] NOT found!" -ForegroundColor red; $false }
    }
    else { $ulist }
}
</code>
----------------------------------------------------------
P.S. Scott, I have a PowerShell search engine on my blog (for future searches). It's a custom Google engine with every blog site I could find. You could follow this: PowerShell Information Central
But there's a gotcha in wait for the unwary (like me)
net localgroup administrators | ?{$_ -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().name}
works, but when I used "-match" instead of "-eq", e.g.
net localgroup administrators | ?{$_ -match [System.Security.Principal.WindowsIdentity]::GetCurrent().name}
it doesn't... the lesson being, beware of using "-match" on generated strings which include backslashes!
$NTIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$NTPrincipal = new-object Security.Principal.WindowsPrincipal $NTIdentity
$IsAdmin = $NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
from the fabulous PowerShell Community Extensions project. :-)
--Greg
Wonderful stuff!
I like your approach - very simple. It's the "do it in a simple batch file and then convert it to powershell" technique. :)
Adding to what Rob Little said though, this will show if the username you specify is in that group, but won't catch principals who are members of that group, either via other groups or Domain Admins.
[bool](([Security.Principal.WindowsIdentity]'User').groups|?{$_.value -eq 'S-1-5-32-544'})
Greetings /\/\o\/\/
$u = ([Security.Principal.WindowsIdentity]'foo')
([Security.Principal.WindowsPrincipal]$u).IsInRole('Administrators')
$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("Administrators")
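Two points raised in the comments above, the nested-membership gap and the -match backslash gotcha, can be handled together. The following is an added example (not code from the post or its commenters); it assumes Windows PowerShell with the ADSI WinNT provider, and the function and parameter names are my own:

```powershell
# Added example, not from the original post. Assumes Windows PowerShell with the
# ADSI WinNT provider; Test-CurrentUserIsAdmin / Test-LocalAdminMember are my names.

# 1) Token check for the current user. Catches nested membership because the
#    token already carries every group SID. Caveat: under UAC a non-elevated
#    session holds a filtered token in which S-1-5-32-544 is marked deny-only,
#    so this returns $false until the session is elevated.
function Test-CurrentUserIsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2) Membership walk for any named account. Resolves the account to its SID and
#    compares SIDs, so it never string-matches "DOMAIN\name" (the -match
#    backslash problem) and it follows nested groups as far as the WinNT
#    provider can enumerate them. Groups it cannot expand (e.g. some domain
#    groups) are skipped with a -Verbose message, so $false means "not found".
function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)][string]$Account,   # 'alice' or 'CONTOSO\alice'
        [string]$Computer = $env:COMPUTERNAME
    )
    $wantedSid = (New-Object Security.Principal.NTAccount($Account)).Translate([Security.Principal.SecurityIdentifier]).Value
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue("WinNT://$Computer/Administrators,group")   # well-known local group
    while ($queue.Count -gt 0) {
        $groupPath = $queue.Dequeue()
        if ($seen.ContainsKey($groupPath)) { continue }        # avoid cycles
        $seen[$groupPath] = $true
        try   { $members = ([ADSI]$groupPath).psbase.Invoke('Members') }
        catch { Write-Verbose "Cannot enumerate $groupPath"; continue }
        foreach ($m in $members) {
            $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid   = (New-Object Security.Principal.SecurityIdentifier($bytes, 0)).Value
            if ($sid -eq $wantedSid) { return $true }
            $class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
            if ($class -eq 'Group') {
                $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                $queue.Enqueue($path)                         # descend into nested group
            }
        }
    }
    $false
}
```

Run it as `Test-LocalAdminMember -Account 'alice' -Verbose` to see which nested groups were walked or skipped.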