How to Determine if a User is a Local Administrator with PowerShell

July 3, 2007 11:30 PM Comments [13] Posted in PowerShell

I truly must be losing it, but my intern and I fought with this simple task for at least 15 minutes today and it REALLY shouldn't be this hard.

Anyway, this is what we came up with to figure out if a user is a Local Administrator. It's not very "terse" PowerShell because the goal is (trying to) teach him so there's temporary variables.

$userToFind = $args[0] 
$administratorsAccount = Get-WmiObject Win32_Group -filter "LocalAccount=True AND SID='S-1-5-32-544'" 
$administratorQuery = "GroupComponent = `"Win32_Group.Domain='" + $administratorsAccount.Domain + "',NAME='" + $administratorsAccount.Name + "'`"" 
$user = Get-WmiObject Win32_GroupUser -filter $administratorQuery | select PartComponent |where {$_ -match $userToFind} 
$user
I Googled all over and thought about a number of ways this could be done, but this turned out to be the easiest. I'm interested if you have hit this before also and what you came up with.

Nonte that SID value for the Administrators group is a "Magic Number" that's hardcoded, but we get around that because it's always been that way and can never change. Instead I call it a "Well-Known Value" and sleep better at night.

Comments [13]
« Password should not contain any special ... | Home | DasBlog2 Theme Contest »
Wednesday, July 04, 2007 1:34:13 AM UTC
How about this:

$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("Administrators")
Cam Soper
Wednesday, July 04, 2007 1:41:22 AM UTC
Oh, I'm sorry... I read that to say that you wanted to find out if the current user was a local admin. My bad.
Cam Soper
Wednesday, July 04, 2007 3:21:39 AM UTC
How about this?

$u = "username"; net localgroup administrators | Where {$_ -match $u}

Where "username" is, of course, the user you are looking for in the local admin group.

PowerShell Rocks!
Jonathan Walz
Jonathan Walz
Wednesday, July 04, 2007 4:03:44 AM UTC
I have this function, but it could be made a two liner (one if you dont need clarity)
----------------------------------------
<code>
function Check-GroupMembers{
Param([string]$group,[string]$server,[string]$user)
If(!($server)){$server = get-content env:COMPUTERNAME}
$g = [ADSI]("WinNT://$server/$group,group")
$ulist = $g.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
if($user)
{
foreach($u in $ulist)
{
if($u -eq $user){$found = $true}
}
if($found){Write-Host "User [$user] Found" -ForegroundColor green;$true}
else{Write-Host "User [$user] NOT found!" -ForegroundColor red;$false}}
else{$ulist}
}
</code>
----------------------------------------------------------

p.s. Scott.. I have a powershell Search Engine on my Blog (for future searches.) Its custom Google Engine with every Blog site I could find. You could follow this PowerShell Information Central
Brandon
Wednesday, July 04, 2007 4:49:19 PM UTC
Jonathan - Nice! That was actually the FIRST thing I did, then I changed it because it felt dirty...perhaps I should have just stuck with the simplest thing that worked.
Scott Hanselman
Wednesday, July 04, 2007 10:17:59 PM UTC
Hm, be careful about any query that looks to see if a user is in the Local Administrators group - because that won't tell you if they're an administrator - they could be an administrator by virtue of being in a domain group that's a member of the local administrators group!
Rob Little
Thursday, July 05, 2007 10:05:16 AM UTC
Great entry, great comments.

But there's a gotcha in wait for the unwary (like me)

net localgroup administrators | ?{$_ -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().name}

works, but when I used "-match" instead of "-eg", eg

net localgroup administrators | ?{$_ -match [System.Security.Principal.WindowsIdentity]::GetCurrent().name}

it doesn't... the lesson being, beware of using "-match" on generated strings which include backslashes!
Francis Norton
Thursday, July 05, 2007 2:17:06 PM UTC
Try this:

$NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

from the fabulous PowerShell Community Extensions project. :-)

--Greg
Greg Wojan
Thursday, July 05, 2007 2:26:58 PM UTC
Oops, forgot the other important bits ;-)

$NTIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$NTPrincipal = new-object Security.Principal.WindowsPrincipal $NTIdentity
$IsAdmin = $NTPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Wonderful stuff!
Greg Wojan
Thursday, July 05, 2007 5:58:58 PM UTC
Jonathan,

I like your approach - very simple. It's the "do it in a simple batch file and then convert it to powershell" technique. :)

Adding to what Rob Little said though, this will show if the username you specify is in that group, but won't catch principals who are members of that group, either via other groups or Domain Admins.
Matt
Sunday, July 08, 2007 1:34:59 PM UTC
Yet another way

[bool](([Security.Principal.WindowsIdentity]'User').groups|?{$_.value -eq 'S-1-5-32-544'})

Greetings /\/\o\/\/
/\/\o\/\/
Sunday, July 08, 2007 1:48:03 PM UTC
nicer version without sid :

$u = ([Security.Principal.WindowsIdentity]'foo')
([Security.Principal.WindowsPrincipal]$u).isinrole('Administrator')
/\/\o\/\/
Monday, July 09, 2007 10:49:03 PM UTC
Thanks MOW! A lot of great options here in the comments.
Scott Hanselman
Comments are closed.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.