
I truly must be losing it, but my intern and I fought with this simple task for at least 15 minutes today and it REALLY shouldn't be this hard.

Anyway, this is what we came up with to figure out if a user is a Local Administrator. It's not very "terse" PowerShell because the goal is (trying to) teach him, so there are temporary variables.

# User name to look for, passed as the first script argument
$userToFind = $args[0]
# The local Administrators group, located by its well-known SID
$administratorsAccount = Get-WmiObject Win32_Group -filter "LocalAccount=True AND SID='S-1-5-32-544'"
# WMI filter selecting that group's membership associations
$administratorQuery = "GroupComponent = `"Win32_Group.Domain='" + $administratorsAccount.Domain + "',NAME='" + $administratorsAccount.Name + "'`""
# Keep the members whose reference matches the name (-match is a regex match)
$user = Get-WmiObject Win32_GroupUser -filter $administratorQuery | select PartComponent | where {$_ -match $userToFind}

$user

I Googled all over and thought about a number of ways this could be done, but this turned out to be the easiest. I'm interested if you have hit this before also and what you came up with.

Note that the SID value for the Administrators group is a "Magic Number" that's hardcoded, but we get around that because it's always been that way and can never change. Instead I call it a "Well-Known Value" and sleep better at night.



Tuesday, July 03, 2007 5:34:13 PM (Pacific Standard Time, UTC-08:00)
How about this:

$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("Administrators")
Tuesday, July 03, 2007 5:41:22 PM (Pacific Standard Time, UTC-08:00)
Oh, I'm sorry... I read that to say that you wanted to find out if the current user was a local admin. My bad.
Tuesday, July 03, 2007 7:21:39 PM (Pacific Standard Time, UTC-08:00)
How about this?

$u = "username"; net localgroup administrators | Where {$_ -match $u}

Where "username" is, of course, the user you are looking for in the local admin group.

PowerShell Rocks!
Jonathan Walz
Tuesday, July 03, 2007 8:03:44 PM (Pacific Standard Time, UTC-08:00)
I have this function, but it could be made a two liner (one if you don't need clarity)
----------------------------------------
<code>
function Check-GroupMembers{
    Param([string]$group,[string]$server,[string]$user)
    # Default to the local computer when no server is given
    If(!($server)){$server = get-content env:COMPUTERNAME}
    $g = [ADSI]("WinNT://$server/$group,group")
    # Collect the Name of each direct member of the group
    $ulist = $g.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
    if($user)
    {
        foreach($u in $ulist)
        {
            if($u -eq $user){$found = $true}
        }
        if($found){Write-Host "User [$user] Found" -ForegroundColor green;$true}
        else{Write-Host "User [$user] NOT found!" -ForegroundColor red;$false}
    }
    # No user given: return the member list
    else{$ulist}
}
</code>
----------------------------------------------------------

p.s. Scott.. I have a PowerShell Search Engine on my Blog (for future searches.) It's a custom Google Engine with every Blog site I could find. You could follow this PowerShell Information Central
Wednesday, July 04, 2007 8:49:19 AM (Pacific Standard Time, UTC-08:00)
Jonathan - Nice! That was actually the FIRST thing I did, then I changed it because it felt dirty...perhaps I should have just stuck with the simplest thing that worked.
Wednesday, July 04, 2007 2:17:59 PM (Pacific Standard Time, UTC-08:00)
Hm, be careful about any query that looks to see if a user is in the Local Administrators group - because that won't tell you if they're an administrator - they could be an administrator by virtue of being in a domain group that's a member of the local administrators group!
Rob Little
Thursday, July 05, 2007 2:05:16 AM (Pacific Standard Time, UTC-08:00)
Great entry, great comments.

But there's a gotcha in wait for the unwary (like me)

net localgroup administrators | ?{$_ -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().name}

works, but when I used "-match" instead of "-eq", e.g.

net localgroup administrators | ?{$_ -match [System.Security.Principal.WindowsIdentity]::GetCurrent().name}

it doesn't... the lesson being, beware of using "-match" on generated strings which include backslashes!
Thursday, July 05, 2007 6:17:06 AM (Pacific Standard Time, UTC-08:00)
Try this:

$NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

from the fabulous PowerShell Community Extensions project. :-)

--Greg
Greg Wojan
Thursday, July 05, 2007 6:26:58 AM (Pacific Standard Time, UTC-08:00)
Oops, forgot the other important bits ;-)

$NTIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$NTPrincipal = new-object Security.Principal.WindowsPrincipal $NTIdentity
$IsAdmin = $NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Wonderful stuff!
Greg Wojan
Thursday, July 05, 2007 9:58:58 AM (Pacific Standard Time, UTC-08:00)
Jonathan,

I like your approach - very simple. It's the "do it in a simple batch file and then convert it to powershell" technique. :)

Adding to what Rob Little said though, this will show if the username you specify is in that group, but won't catch principals who are members of that group, either via other groups or Domain Admins.
Sunday, July 08, 2007 5:34:59 AM (Pacific Standard Time, UTC-08:00)
Yet another way

[bool](([Security.Principal.WindowsIdentity]'User').groups|?{$_.value -eq 'S-1-5-32-544'})

Greetings /\/\o\/\/
Sunday, July 08, 2007 5:48:03 AM (Pacific Standard Time, UTC-08:00)
nicer version without sid :

$u = ([Security.Principal.WindowsIdentity]'foo')
([Security.Principal.WindowsPrincipal]$u).isinrole('Administrator')
Monday, July 09, 2007 2:49:03 PM (Pacific Standard Time, UTC-08:00)
Thanks MOW! A lot of great options here in the comments.
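
The post's WMI query combined with the two caveats raised in the comments (`-match` treats the name as a regex and accepts substrings, and groups nested inside Administrators grant admin rights too), as an added example that is not part of the original post or comments. The function names and the sample host, domain and user names are hypothetical.

```powershell
# Added example: function names and sample values below are hypothetical / constructed.

# Split one Win32_GroupUser.PartComponent reference into kind, domain and name.
function ConvertFrom-PartComponent {
    param([string]$PartComponent)
    # Shape: \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="alice"
    if ($PartComponent -match ':(Win32_\w+)\.Domain="([^"]*)",Name="([^"]*)"$') {
        New-Object PSObject -Property @{ Kind = $Matches[1]; Domain = $Matches[2]; Name = $Matches[3] }
    }
}

# Report direct membership by exact comparison, plus any groups nested in Administrators.
function Test-DirectAdminMember {
    param([string]$UserName, [string]$Domain, [string[]]$PartComponents)
    $members = @($PartComponents | ForEach-Object { ConvertFrom-PartComponent $_ })
    $direct = @($members | Where-Object {
        $_.Kind -ne 'Win32_Group' -and $_.Name -eq $UserName -and
        (-not $Domain -or $_.Domain -eq $Domain)   # -eq: whole string, case-insensitive, no regex
    })
    $nested = @($members | Where-Object { $_.Kind -eq 'Win32_Group' } |
        ForEach-Object { $_.Domain + '\' + $_.Name })
    New-Object PSObject -Property @{
        IsDirectMember = ($direct.Count -gt 0)
        NestedGroups   = $nested   # members of these are administrators too; not expanded here
    }
}

# Same WMI query as the post, returning the raw PartComponent strings.
function Get-LocalAdminPartComponents {
    $g = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $q = "GroupComponent = `"Win32_Group.Domain='$($g.Domain)',NAME='$($g.Name)'`""
    Get-WmiObject Win32_GroupUser -Filter $q | ForEach-Object { $_.PartComponent }
}

# Constructed sample input (made-up host, domain and users) so the logic runs offline.
$sample = @(
    '\\PC01\root\cimv2:Win32_UserAccount.Domain="PC01",Name="Administrator"',
    '\\PC01\root\cimv2:Win32_UserAccount.Domain="PC01",Name="bobby"',
    '\\PC01\root\cimv2:Win32_Group.Domain="CONTOSO",Name="Domain Admins"'
)
Test-DirectAdminMember -UserName 'bob'   -PartComponents $sample   # 'bob' is only a substring of 'bobby'
Test-DirectAdminMember -UserName 'bobby' -Domain 'PC01' -PartComponents $sample
# On a live machine: Test-DirectAdminMember -UserName 'bobby' -PartComponents (Get-LocalAdminPartComponents)
```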