| | #1 (permalink) |
Re: How to know if a user has administrative privileges

Heinz wrote:

> I need to find out if the current user is an administrator.
>
> Looking up group-memberships seems to be one way, but if I have to follow
> nested groups it will become difficult....
> Also, when using group memberships it will be language dependent
> ("Administrators" is a different group in French, Spanish, German etc....)
>
> Another approach may be to simply try to do something that only an
> administrator is allowed to do....
> Any idea what this could be and how to code it in VBS ?
>
> Perfect would be a solution that works with XP, Vista and 2003.

I have an example VBScript program that checks if the current user is a member of any local group linked here:

http://www.rlmueller.net/IsMember9.htm

The program accounts for all group nesting, whether local or domain nested groups. However, you must specify the local group, so it won't handle foreign names (or if the group has been renamed).

As you noted, another option is to attempt to do something requiring Administrator privileges and trap the error if it fails. However, you cannot test by writing to the registry. In Vista, W2k8, and Win7 the OS lets you believe you wrote to the registry (HKLM for example), when in fact it wrote to a virtual section visible only to you. In other cases, even if you have Administrator credentials (as a member of the local Administrators group), any attempt to do something requiring these credentials will fail unless you use the "Run as administrator" option. Even if it were to succeed, you would be prompted for permission. In a logon script this is a problem.

I've recently discovered a way to run programs or scripts with "Run as administrator". See this link:

http://support.microsoft.com/kb/958149/EN-US

However, this simply forces the UAC prompt for elevation. Again, this is probably not what you want in a logon script.

In the first link above I mention the isadmin.exe utility. This is an option if it has been updated to handle Vista, W2k8, and Win7.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
| | #2 (permalink) |
Re: How to know if a user has administrative privileges

"Heinz" <Spacewalker4711(noSpam)@hotmail.com> wrote in message news:eAb4weX3JHA.4880@xxxxxx

> Hello,
>
> I need to find out if the current user is an administrator.
>
> Looking up group-memberships seems to be one way, but if I have to follow
> nested groups it will become difficult....
> Also, when using group memberships it will be language dependent
> ("Administrators" is a different group in French, Spanish, German etc....)
>
> Another approach may be to simply try to do something that only an
> administrator is allowed to do....
> Any idea what this could be and how to code it in VBS ?
>
> Perfect would be a solution that works with XP, Vista and 2003.

I do not know if it will work on Vista or 2003, but a simple approach that works well for me in XP is the shell out to the 'at.exe' utility:

    Set oWSH = CreateObject("WScript.Shell")
    bAdmin = CBool(oWSH.Run("at.exe", 0, True) = 0)
    Msgbox bAdmin

If you try it in 2003 & Vista, please post back with your results.
| | #3 (permalink) |
Re: How to know if a user has administrative privileges

"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxx> wrote in message news:ebarM9Z3JHA.140@xxxxxx

> Heinz wrote:
>
>> I need to find out if the current user is an administrator.
>>
>> Looking up group-memberships seems to be one way, but if I have to follow
>> nested groups it will become difficult....
>> Also, when using group memberships it will be language dependent
>> ("Administrators" is a different group in French, Spanish, German
>> etc....)
>>
>> Another approach may be to simply try to do something that only an
>> administrator is allowed to do....
>> Any idea what this could be and how to code it in VBS ?
>>
>> Perfect would be a solution that works with XP, Vista and 2003.
>
> I have an example VBScript program that checks if the current user is a
> member of any local group linked here:
>
> http://www.rlmueller.net/IsMember9.htm
>
> The program accounts for all group nesting, whether local or domain nested
> groups. However, you must specify the local group, so it won't handle
> foreign names (or if the group has been renamed).
>
> As you noted, another option is to attempt to do something requiring
> Administrator privileges and trap the error if it fails. However, you
> cannot test by writing to the registry. In Vista, W2k8, and Win7 the OS
> lets you believe you wrote to the registry (HKLM for example), when in
> fact it wrote to a virtual section visible only to you. In other cases,
> even if you have Administrator credentials (as a member of the local
> Administrators group), any attempt to do something requiring these
> credentials will fail unless you use the "Run as administrator" option.
> Even if it were to succeed, you would be prompted for permission. In a
> logon script this is a problem.
>
> I've recently discovered a way to run programs or scripts with "Run as
> administrator". See this link:
>
> http://support.microsoft.com/kb/958149/EN-US
>
> However, this simply forces the UAC prompt for elevation. Again, this is
> probably not what you want in a logon script.
>
> In the first link above I mention the isadmin.exe utility. This is an
> option if it has been updated to handle Vista, W2k8, and Win7.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --

local Administrators group (no matter the name or language) is S-1-5-32-544. You can use the Win32_Group class of WMI to retrieve the name. See this link:

http://www.microsoft.com/technet/scr...5/hey1102.mspx

Then you can use the name in the program I linked to determine membership. Note one version of the code in the link requires XP or above, while another version requires NT or above (or WMI must be installed).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
| | #4 (permalink) |
Re: How to know if a user has administrative privileges

"James Whitlow" <jwhitlow.60372693@xxxxxx> wrote in message news:OxkcBNa3JHA.1092@xxxxxx

> "Heinz" <Spacewalker4711(noSpam)@hotmail.com> wrote in message
> news:eAb4weX3JHA.4880@xxxxxx
>
>> Hello,
>>
>> I need to find out if the current user is an administrator.
>>
>> Looking up group-memberships seems to be one way, but if I have to follow
>> nested groups it will become difficult....
>> Also, when using group memberships it will be language dependent
>> ("Administrators" is a different group in French, Spanish, German
>> etc....)
>>
>> Another approach may be to simply try to do something that only an
>> administrator is allowed to do....
>> Any idea what this could be and how to code it in VBS ?
>>
>> Perfect would be a solution that works with XP, Vista and 2003.
>
> I do not know if it will work on Vista or 2003, but a simple approach
> that works well for me in XP is the shell out to the 'at.exe' utility:
>
> Set oWSH = CreateObject("WScript.Shell")
> bAdmin = CBool(oWSH.Run("at.exe", 0, True) = 0)
> Msgbox bAdmin
>
> If you try it in 2003 & Vista, please post back with your results.

When I run your program I get "False" on Vista, even though I am logged in with an account that is a member of the local Administrators group. It is because of UAC (user access control). If I run at.exe at a command prompt I get the error "Access is denied". I must right click at.exe and select "Run as administrator", or start a command prompt the same way before this works.

I was able to get it to work by combining the information in this link:

http://support.microsoft.com/kb/958149/EN-US

But there is a drawback. I am prompted to allow the program to run. I needed two scripts, one with your code and another to launch it with "RunAsAdministrator". I saved your script as "c:\scripts\LocalAdm.vbs", then ran it with the following script:

======

    Set objShell = CreateObject("Shell.Application")
    objShell.ShellExecute "cscript.exe", "c:\Scripts\LocalAdm.vbs RunAsAdministrator", ,"runas", 1

=========

After the UAC request for permission to continue, I get the message box with "True". Next would be to figure out how to pass this information back to the original script, if the prompt is acceptable. I also tested on Windows Server 2003, XP, and Windows 2000 with the same result, although the prompt is different. There may be a way to avoid the prompt on older clients, but I doubt this would be possible on Vista and later.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
| | #5 (permalink) |
Re: How to know if a user has administrative privileges

"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxx> wrote in message news:OGah$ma3JHA.140@xxxxxx

> "James Whitlow" <jwhitlow.60372693@xxxxxx> wrote in message
> news:OxkcBNa3JHA.1092@xxxxxx
>
>> Set oWSH = CreateObject("WScript.Shell")
>> bAdmin = CBool(oWSH.Run("at.exe", 0, True) = 0)
>> Msgbox bAdmin
>>
>> If you try it in 2003 & Vista, please post back with your results.
>
> When I run your program I get "False" on Vista, even though I am logged in
> with an account that is a member of the local Administrators group. It is
> because of UAC (user access control). If I run at.exe at a command prompt
> I get the error "Access is denied". I must right click at.exe and select
> "Run as administrator", or start a command prompt the same way before this
> works.
>
> I was able to get it to work by combining the information in this link:
>
> http://support.microsoft.com/kb/958149/EN-US
>
> But there is a drawback. I am prompted to allow the program to run. I
> needed two scripts, one with your code and another to launch it with
> "RunAsAdministrator". I saved your script as "c:\scripts\LocalAdm.vbs",
> then ran it with the following script:
> ======
> Set objShell = CreateObject("Shell.Application")
> objShell.ShellExecute "cscript.exe", "c:\Scripts\LocalAdm.vbs RunAsAdministrator", ,"runas", 1
> =========
> After the UAC request for permission to continue, I get the message box
> with "True". Next would be to figure out how to pass this information back
> to the original script, if the prompt is acceptable. I also tested on
> Windows Server 2003, XP, and Windows 2000 with the same result, although
> the prompt is different. There may be a way to avoid the prompt on older
> clients, but I doubt this would be possible on Vista and later.

Thanks for the feedback, Richard!

I have not yet used Vista, but with all of the problems people are running into with UAC, I am somewhat dreading it. As for passing the information back, how about a volatile variable?

    Set oWSH = CreateObject("WScript.Shell")
    bAdmin = CBool(oWSH.Run("at.exe", 0, True) = 0)
    oWSH.Environment("Volatile").Item("bAdmin") = bAdmin

The main script could then read and, if preferred, destroy it.
| | #6 (permalink) |
Re: How to know if a user has administrative privileges

"James Whitlow" <jwhitlow.60372693@xxxxxx> wrote in message news:exNqLva3JHA.1424@xxxxxx

> "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxx> wrote in
> message news:OGah$ma3JHA.140@xxxxxx
>
>> "James Whitlow" <jwhitlow.60372693@xxxxxx> wrote in message
>> news:OxkcBNa3JHA.1092@xxxxxx
>>
>>> Set oWSH = CreateObject("WScript.Shell")
>>> bAdmin = CBool(oWSH.Run("at.exe", 0, True) = 0)
>>> Msgbox bAdmin
>>>
>>> If you try it in 2003 & Vista, please post back with your results.
>>
>> When I run your program I get "False" on Vista, even though I am logged
>> in with an account that is a member of the local Administrators group. It
>> is because of UAC (user access control). If I run at.exe at a command
>> prompt I get the error "Access is denied". I must right click at.exe and
>> select "Run as administrator", or start a command prompt the same way
>> before this works.
>>
>> I was able to get it to work by combining the information in this link:
>>
>> http://support.microsoft.com/kb/958149/EN-US
>>
>> But there is a drawback. I am prompted to allow the program to run. I
>> needed two scripts, one with your code and another to launch it with
>> "RunAsAdministrator". I saved your script as "c:\scripts\LocalAdm.vbs",
>> then ran it with the following script:
>> ======
>> Set objShell = CreateObject("Shell.Application")
>> objShell.ShellExecute "cscript.exe", "c:\Scripts\LocalAdm.vbs RunAsAdministrator", ,"runas", 1
>> =========
>> After the UAC request for permission to continue, I get the message box
>> with "True". Next would be to figure out how to pass this information
>> back to the original script, if the prompt is acceptable. I also tested
>> on Windows Server 2003, XP, and Windows 2000 with the same result,
>> although the prompt is different. There may be a way to avoid the prompt
>> on older clients, but I doubt this would be possible on Vista and later.
>
> Thanks for the feedback, Richard!
>
> I have not yet used Vista, but with all of the problems people are
> running into with UAC, I am somewhat dreading it. As for passing the
> information back, how about a volatile variable?
>
> Set oWSH = CreateObject("WScript.Shell")
> bAdmin = CBool(oWSH.Run("at.exe", 0, True) = 0)
> oWSH.Environment("Volatile").Item("bAdmin") = bAdmin
>
> The main script could then read and, if preferred, destroy it.

"Process", and "User". Another idea would be to write to a file (using FileSystemObject). You would need a location you know exists. Either you need to know everyone can write to it, or the code must trap the error if the file does not exist and assume the non-existence means the user lacks permission to write to the location because they are not a member of the local Administrators group. In fact, if you know of a location that only members of the local Administrators group can write to (on every possible PC), you could simply attempt to write there and trap the possible error.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
| | #7 (permalink) |
RE: How to know if a user has administrative privileges

"Heinz" wrote:

> Hello,
>
> I need to find out if the current user is an administrator.
>
> Looking up group-memberships seems to be one way, but if I have to follow
> nested groups it will become difficult....
> Also, when using group memberships it will be language dependent
> ("Administrators" is a different group in French, Spanish, German etc....)
>
> Another approach may be to simply try to do something that only an
> administrator is allowed to do....
> Any idea what this could be and how to code it in VBS ?
>
> Perfect would be a solution that works with XP, Vista and 2003.
>
> thank you
>
> Heinz

right. For example, I'm member domain or local group. If this group is included administrators, I'm admin. If script check my account in Administrators group, script will say I'm NOT admin. I'm still waiting
| | #8 (permalink) |
Re: How to know if a user has administrative privileges

"Vladimir" <Vladimir@xxxxxx> wrote in message news:32401BC4-9FD3-4EDA-915C-52F1EED1C9C3@xxxxxx

> "Heinz" wrote:
>
>> Hello,
>>
>> I need to find out if the current user is an administrator.
>>
>> Looking up group-memberships seems to be one way, but if I have to follow
>> nested groups it will become difficult....
>> Also, when using group memberships it will be language dependent
>> ("Administrators" is a different group in French, Spanish, German
>> etc....)
>>
>> Another approach may be to simply try to do something that only an
>> administrator is allowed to do....
>> Any idea what this could be and how to code it in VBS ?
>>
>> Perfect would be a solution that works with XP, Vista and 2003.
>>
>> thank you
>>
>> Heinz
>
> is
> right. For example, I'm member domain or local group. If this group is
> included administrators, I'm admin. If script check my account in
> Administrators group, script will say I'm NOT admin. I'm still waiting

try this:

    if exist \\%computername%\c$ (
        echo/you are an administrator
    ) else (
        echo/you are NOT an administrator
    )

/Al
| | #9 (permalink) |
Re: How to know if a user has administrative privileges

You could always try to write to a registry location that is usually forbidden to non-admins, for example HKEY_CURRENT_USER\Software\Policies

Sample code:

    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    On Error Resume Next
    objShell.RegWrite "HKCU\Software\Policies\LocalAdminTest",Now(),"REG_SZ"
    If Err.Number = 0 Then
        ' Write was successful, assuming local admin permissions
    Else
        ' Write was unsuccessful. Not a local admin or not running as admin under Vista
    End If

Hope this helps....

Vladimir <Vladimir@xxxxxx> wrote:

> "Heinz" wrote:
>
>> Hello,
>>
>> I need to find out if the current user is an administrator.
>>
>> Looking up group-memberships seems to be one way, but if I have to follow
>> nested groups it will become difficult....
>> Also, when using group memberships it will be language dependent
>> ("Administrators" is a different group in French, Spanish, German etc....)
>>
>> Another approach may be to simply try to do something that only an
>> administrator is allowed to do....
>> Any idea what this could be and how to code it in VBS ?
>>
>> Perfect would be a solution that works with XP, Vista and 2003.
>>
>> thank you
>>
>> Heinz
>
> right. For example, I'm member domain or local group. If this group is
> included administrators, I'm admin. If script check my account in
> Administrators group, script will say I'm NOT admin. I'm still waiting
| | #10 (permalink) |
Re: How to know if a user has administrative privileges

Heinz wrote:

> I need to find out if the current user is an administrator.
>
> Looking up group-memberships seems to be one way, but if I have to follow
> nested groups it will become difficult....
> Also, when using group memberships it will be language dependent
> ("Administrators" is a different group in French, Spanish, German etc....)
>
> Another approach may be to simply try to do something that only an
> administrator is allowed to do....
> Any idea what this could be and how to code it in VBS ?
>
> Perfect would be a solution that works with XP, Vista and 2003.

http://www.westmesatech.com/wast.html

Side note: It can also detect if the current user is a member of Administrators but the group is not enabled (e.g., when UAC is active on Windows Vista and later).

--
Bill Stewart
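Two points from the thread, that the local Administrators group always has the SID S-1-5-32-544 (post #3) and that a user can be a member without the group being enabled under UAC (post #10), can be combined into a check that reads the process token and never depends on the group's name. The VBScript below is an added example, not code from any poster in this thread; it assumes whoami.exe as shipped with Windows Server 2003 and Vista or later, and the function names, the integrity-level SIDs and the sample lines are introduced here for illustration.

```vbscript
Option Explicit
' Added example; whoami.exe with /groups /fo csv /nh is assumed to be available.
Const SID_ADMINS = "S-1-5-32-544"   ' local Administrators group, any name or language
Const SID_HIGH   = "S-1-16-12288"   ' High Mandatory Level: elevated process (Vista and later)
Const SID_SYSTEM = "S-1-16-16384"   ' System Mandatory Level

' Localized name of the local Administrators group, found by SID through WMI.
Function AdminGroupName()
    Dim objWMI, objGroup
    AdminGroupName = ""
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    For Each objGroup In objWMI.ExecQuery("SELECT Name FROM Win32_Group " & _
            "WHERE LocalAccount = TRUE AND SID = '" & SID_ADMINS & "'")
        AdminGroupName = objGroup.Name
    Next
End Function

' True if the quoted SID appears as a CSV field in the whoami output.
Function HasSid(strCsv, strSid)
    HasSid = (InStr(1, strCsv, """" & strSid & """", vbTextCompare) > 0)
End Function

' Classify the group list of a token using SIDs only, never group names.
Function ClassifyToken(strCsv)
    If Len(strCsv) = 0 Then
        ClassifyToken = "unknown"              ' whoami.exe missing or failed
    ElseIf Not HasSid(strCsv, SID_ADMINS) Then
        ClassifyToken = "not-admin"
    ElseIf InStr(strCsv, """S-1-16-") = 0 Then
        ClassifyToken = "admin"                ' no integrity labels: no UAC on this OS
    ElseIf HasSid(strCsv, SID_HIGH) Or HasSid(strCsv, SID_SYSTEM) Then
        ClassifyToken = "admin"                ' elevated
    Else
        ClassifyToken = "admin-not-elevated"   ' member, but UAC filtered the token
    End If
End Function

' Group list of the current process token, nested memberships included.
Function CurrentTokenGroups()
    Dim oWSH
    CurrentTokenGroups = ""
    On Error Resume Next
    Set oWSH = CreateObject("WScript.Shell")
    CurrentTokenGroups = oWSH.Exec("whoami.exe /groups /fo csv /nh").StdOut.ReadAll
    On Error GoTo 0
End Function

' Constructed sample: an Administrators member running without elevation.
Dim strSample
strSample = """BUILTIN\Administrators"",""Alias"",""S-1-5-32-544""," & _
    """Group used for deny only""" & vbCrLf & _
    """Mandatory Label\Medium Mandatory Level"",""Label"",""S-1-16-8192""," & _
    """Mandatory group, Enabled by default, Enabled group"""

WScript.Echo "Constructed sample: " & ClassifyToken(strSample)
WScript.Echo "Administrators group name here: " & AdminGroupName()
WScript.Echo "This process: " & ClassifyToken(CurrentTokenGroups())
```

Run it with cscript.exe so the three results print to the console. Because the token already contains every group the user belongs to, directly or through nesting, no group enumeration is needed and no UAC prompt is triggered.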