Scott Hanselman

How to Determine if a User is a Local Administrator with PowerShell

July 3, '07 Comments [13] Posted in PowerShell

I truly must be losing it, but my intern and I fought with this simple task for at least 15 minutes today and it REALLY shouldn't be this hard.

Anyway, this is what we came up with to figure out if a user is a Local Administrator. It's not very "terse" PowerShell because the goal is (trying to) teach him so there's temporary variables.

$userToFind = $args[0]
# Look the local Administrators group up by its well-known SID rather than by name
$administratorsAccount = Get-WmiObject Win32_Group -filter "LocalAccount=True AND SID='S-1-5-32-544'"
# WQL filter selecting the Win32_GroupUser associations whose group side is that group
$administratorQuery = "GroupComponent = `"Win32_Group.Domain='" + $administratorsAccount.Domain + "',NAME='" + $administratorsAccount.Name + "'`""
# Each association's PartComponent is the member's WMI path; -match runs against the selected object's string form
$user = Get-WmiObject Win32_GroupUser -filter $administratorQuery | select PartComponent |where {$_ -match $userToFind}

$user
I Googled all over and thought about a number of ways this could be done, but this turned out to be the easiest. I'm interested if you have hit this before also and what you came up with.

Note that the SID value for the Administrators group is a "Magic Number" that's hardcoded, but we get around that because it's always been that way and can never change. Instead I call it a "Well-Known Value" and sleep better at night.
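As an added example (not code from the post or its comments; the function names are mine and it targets Windows PowerShell, since Get-WmiObject is absent from PowerShell 7), here are the two different questions the thread ends up asking, side by side: "is this name a direct member of the local Administrators group" and "does the current process effectively hold admin rights", with the backslash-in-regex and nested-group gotchas from the comments handled in code.

```powershell
# Added example: not code from the post or its comments. Function names are my own.
# Runs in Windows PowerShell (Get-WmiObject is not present in PowerShell 7).

# The BUILTIN\Administrators group by its well-known SID S-1-5-32-544, built from the
# enum rather than a string literal; the group's display name is localized, the SID is not.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# Direct membership: who is listed in the local Administrators group right now.
# Returns $true only for direct members, so a user admitted through a nested domain
# group (Rob Little's caveat in the comments) is reported as $false here.
function Test-DirectLocalAdminMember {
    param([Parameter(Mandatory = $true)][string]$UserName)   # 'bob' or 'HOST\bob'

    $group  = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='$($adminSid.Value)'"
    $filter = "GroupComponent=`"Win32_Group.Domain='$($group.Domain)',Name='$($group.Name)'`""

    # PartComponent is a WMI path string such as
    #   \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="bob"
    # so pull Domain and Name out of it with a regex instead of matching on the raw path.
    $members = Get-WmiObject Win32_GroupUser -Filter $filter | ForEach-Object {
        if ($_.PartComponent -match 'Domain="([^"]*)",Name="([^"]*)"') {
            '{0}\{1}' -f $Matches[1], $Matches[2]
        }
    }

    # Compare with -eq, not -match: a name like HOST\bob is read as a regex with an
    # escape sequence in it (the trap in the "-match" comment). Use [regex]::Escape($UserName)
    # if a pattern match is really wanted.
    $hit = $members | Where-Object {
        $_ -eq $UserName -or ($_ -split '\\')[-1] -eq $UserName
    }
    return [bool]$hit
}

# Effective membership for the current user, read from the logon token. Token group
# SIDs are transitive, so nested domain groups are counted. Under UAC a non-elevated
# admin gets a filtered token in which S-1-5-32-544 is deny-only, so this is $true
# only when the session is elevated: it answers "can this process act as admin".
function Test-CurrentUserIsAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole($adminSid)
}

Test-DirectLocalAdminMember -UserName 'bob'   # direct member of BUILTIN\Administrators?
Test-CurrentUserIsAdmin                       # is this process running with admin rights?
```

The first function answers the post's question about an arbitrary account name; the second is the one to use when the point is whether the running script itself has administrative rights.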

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Wednesday, 04 July 2007 01:34:13 UTC
How about this:

$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("Administrators")
Wednesday, 04 July 2007 01:41:22 UTC
Oh, I'm sorry... I read that to say that you wanted to find out if the current user was a local admin. My bad.
Wednesday, 04 July 2007 03:21:39 UTC
How about this?

$u = "username"; net localgroup administrators | Where {$_ -match $u}

Where "username" is, of course, the user you are looking for in the local admin group.

PowerShell Rocks!
Jonathan Walz
Wednesday, 04 July 2007 04:03:44 UTC
I have this function, but it could be made a two liner (one if you don't need clarity)
----------------------------------------
<code>
function Check-GroupMembers {
    Param([string]$group, [string]$server, [string]$user)
    If (!($server)) { $server = get-content env:COMPUTERNAME }
    $g = [ADSI]("WinNT://$server/$group,group")
    $ulist = $g.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    if ($user) {
        foreach ($u in $ulist) {
            if ($u -eq $user) { $found = $true }
        }
        if ($found) { Write-Host "User [$user] Found" -ForegroundColor green; $true }
        else { Write-Host "User [$user] NOT found!" -ForegroundColor red; $false }
    }
    else { $ulist }
}
</code>
----------------------------------------------------------

p.s. Scott.. I have a PowerShell Search Engine on my Blog (for future searches.) It's a custom Google Engine with every Blog site I could find. You could follow this PowerShell Information Central
Wednesday, 04 July 2007 16:49:19 UTC
Jonathan - Nice! That was actually the FIRST thing I did, then I changed it because it felt dirty...perhaps I should have just stuck with the simplest thing that worked.
Wednesday, 04 July 2007 22:17:59 UTC
Hm, be careful about any query that looks to see if a user is in the Local Administrators group - because that won't tell you if they're an administrator - they could be an administrator by virtue of being in a domain group that's a member of the local administrators group!
Rob Little
Thursday, 05 July 2007 10:05:16 UTC
Great entry, great comments.

But there's a gotcha in wait for the unwary (like me)

net localgroup administrators | ?{$_ -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().name}

works, but when I used "-match" instead of "-eq", e.g.

net localgroup administrators | ?{$_ -match [System.Security.Principal.WindowsIdentity]::GetCurrent().name}

it doesn't... the lesson being, beware of using "-match" on generated strings which include backslashes!
Thursday, 05 July 2007 14:17:06 UTC
Try this:

$NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

from the fabulous PowerShell Community Extensions project. :-)

--Greg
Greg Wojan
Thursday, 05 July 2007 14:26:58 UTC
Oops, forgot the other important bits ;-)

$NTIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$NTPrincipal = new-object Security.Principal.WindowsPrincipal $NTIdentity
$IsAdmin = $NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Wonderful stuff!
Greg Wojan
Thursday, 05 July 2007 17:58:58 UTC
Jonathan,

I like your approach - very simple. It's the "do it in a simple batch file and then convert it to powershell" technique. :)

Adding to what Rob Little said though, this will show if the username you specify is in that group, but won't catch principals who are members of that group, either via other groups or Domain Admins.
Sunday, 08 July 2007 13:34:59 UTC
Yet another way

[bool](([Security.Principal.WindowsIdentity]'User').groups|?{$_.value -eq 'S-1-5-32-544'})

Greetings /\/\o\/\/
Sunday, 08 July 2007 13:48:03 UTC
Nicer version without SID:

$u = ([Security.Principal.WindowsIdentity]'foo')
([Security.Principal.WindowsPrincipal]$u).isinrole('Administrator')
Monday, 09 July 2007 22:49:03 UTC
Thanks MOW! A lot of great options here in the comments.