WinBatch Tech Support Home


Checking for NT Admin Rights

Keywords:   NT Administrative rights

Question:

I need a quick way to be able to determine if a user has NT Admin rights from within a WinBatch program.

Checking to see if they are a member of the local Admins group will not work, since the user will have Domain Admins and other NT Global groups in their local Admins group that would have to be checked as well. This process is too slow.

Is there an API function, a registry key or something that can be used to determine Admin rights?

We use WinBatch extensively here at our campus. Currently it is a mixed Novell 4x, Unix and NT environment. We use WinInstall to allow users to pull apps to their NT workstations. Some apps require the user to have administrator privileges in order to be installed. Can I use a WinBatch script to test what privileges a user has to his workstation? Better yet, can I use WinBatch to dynamically create an Administrator user to log on and install the app and log out, so the user does not have to have admin privileges? I will be experimenting with Novell's ZEN works, since I've heard it is a good apps delivery system too. Any help will be greatly appreciated.

Answer:

That depends on what exactly you expect the "administrator" to be able to accomplish, because there is a whole bunch of user rights that may or may not be granted to any particular user. For example, the Grand Master Administrator of a huge network may grant some of his privileges to the so-called "power users", who will be able, for instance, to install new programs, but will not be able to install new drivers, or something like that. So the best way to answer the question of whether the current user is powerful enough to perform the operation you need is to try to perform that operation and check the result for errors.

  1. In versions of WinBatch after 97D, the function wntUserProps can check the NT privilege level.

    The same network extender has a wntRunAsUser function that can give the script enhanced privileges. Various security settings ("Run as Part of OS") must already be present on the user account on the workstation, but that is a one-time thing.

    Beyond what WinBatch can do for determining your privilege level, Zen Works runs as a service and can perform privileged file and registry modifications even though a non-privileged user is logged on. The next version of Zen Works that has NAL v3.0 in it will even be able to perform distribution to workstations that are booted but not logged into the NDS tree.

  2. For older versions of Winbatch prior to 97D:

    The quick and dirty method:

    The easiest way to do this is to check for a file on the hidden Admin share for the disk drive that ONLY admins (or equivalent) can see (ONLY Domain Admins have access to the C$ (hidden) share), then set a flag depending on whether it was found or not:

    	ErrorMode(@OFF)
    	; Do a directory of the C:\ drive through the hidden admin share,
    	; looking for a file that is in the root.
    	list = FileItemize("\\SERVERNAME\C$\FILENAME")
    	ErrorMode(@CANCEL)
    	x = LastError()
    
    You can either look for the error message from NON-Admins or see if the file exists for Admins; both will work.

    This will even work for hidden files: you can use the FileExist command and check for a 1 coming back. For example, if your computer name is CNAME, this will test an Intel NT workstation for admin rights.

    	FileExist("\\CNAME\C$\ntloader.sys")
    
    A True indicates that you can read the file as you have Admin rights and a False indicates that you can't. All you have to do is find the same file that is on ALL the workstations you are going to test.

  3. You could also use wntMemberGet to see if the user is a member of the local Admin group.

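  4. Or the following sample code:

    ; Run the check, then report the result
    GoSub AdminCheck
    If Admin == "1"
      Message("Note","Current user has local Administrator rights")
    Else
      Message("Note","Current user does not have local Administrator rights")
    EndIf
    ; Stop here so the script does not fall through into the subroutine
    Exit

    :AdminCheck
    ; Try to write a test value under HKEY_LOCAL_MACHINE, read it back, then remove it.
    ; Admin ends up "1" only if the value could be written and read back.
    Admin = "0"
    ErrorMode(@Off)
    RegSetValue(@REGMACHINE,"System\CurrentControlSet\Control[Admin]","1")
    Admin = RegQueryValue(@REGMACHINE,"System\CurrentControlSet\Control[Admin]")
    RegDelValue(@REGMACHINE,"System\CurrentControlSet\Control[Admin]")
    ErrorMode(@Cancel)
    Return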
    

Article ID:   W13530
Filename:   Determine NT Admin Rights.txt
File Created: 2001:01:26:14:34:56
Last Updated: 2001:01:26:14:34:56
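
The question's nested-group concern and the answer's "try the operation" advice, side by side on current Windows: an added example in PowerShell, not WinBatch and not part of the original article. The function names `Test-TokenIsAdmin` and `Test-CanWriteControlKey` and the `AdminProbe-` value name are chosen for this example.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1 or later.

function Test-TokenIsAdmin {
    # The access token already carries every group SID resolved at logon,
    # including local Administrators membership gained through nested
    # domain groups, so no group enumeration over the network is needed.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWriteControlKey {
    # Same idea as the article's AdminCheck subroutine: attempt the privileged
    # operation (write a value under HKLM\System\CurrentControlSet\Control),
    # treat any failure as "not allowed", and always clean up afterwards.
    $key  = 'HKLM:\System\CurrentControlSet\Control'
    # Hypothetical value name; the GUID suffix avoids touching an existing value.
    $name = 'AdminProbe-' + [guid]::NewGuid().ToString()
    try {
        Set-ItemProperty -Path $key -Name $name -Value '1' -ErrorAction Stop
        return $true
    }
    catch {
        return $false
    }
    finally {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
}

# Report both answers; they measure different things and can disagree.
[pscustomobject]@{
    User               = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    TokenIsAdmin       = Test-TokenIsAdmin
    CanWriteControlKey = Test-CanWriteControlKey
}
```

On systems with User Account Control, both checks return False for a member of Administrators whose process is not elevated.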