Database Search

match allmatch any Look in all areasLook in current areas Check all datesPrevious dayPrevious 3 daysPrevious weekPrevious fortnightPrevious monthPrevious 2 monthsPrevious 3 monthsPrevious half-yearPrevious year

TechHome

Services

• 1219 Error with AddDrive
• Account Expires after wntUserAddDat
• Add Domain Group to Local Administrator Remotely
• Add Everyone to Administrators Group
• Add Global Groups in Domain
• Adding Domain to Workstation
• Adding Users and Setting Flags
• Adds User Account to Local Administrator Group
• Allow Inheritable Permissions from Parent
• Builtin Group SID convert to Name
• Bypass NT Ctrl Alt Del to Logon
• Changing Computer Name and Machine Account
• Changing Domain Passwords Sample Code
• Check For Disabled Computer Account
• Check if You Have Local Admin Rights
• Checking an Accounts Password
• Checking for Old Users
• Convert SID to User ID
• Converting SID to Domain - Account Name
• Create Directories and Set NT Access Permissions
• Dealling With Inheritiable Permissions
• Decode Logon Hours
• Determine if Computer is in a Workgroup or Domain
• Determine if PC is Member of Domain
• Determine Inheritance
• Determining if Current User is Authenticated
• Disable Allow Inheritable Permissions
• Domain Trusts Explained
• Error 673 WntPrivAdd
• Error 684 using wntAccess functions
• Find Domain for a Computer
• Foreign Language support of the Win32 Network Extender
• Get a Users Primary Group
• Get Domain User Info
• Get Machine Administrator Userid
• Get SID from Username
• Get the Currently Logged on User in NT
• Get the SID of a Workstation
• Get User Name and wntUserProps
• How to determine if a file is in use on LAN
• How to disable Allow inheritable permissions
• How to Get the Local Adminstrator Account
• How WntServerList Determines a Server
• Inherit NTFS Persmissions
• Interpreting Access Rights
• Is Domain User a Local Admin
• Is User Logged into Domain or Local Account
• Is wntChgPswd Encrypted
• Issue with AccessMod on Remote Machine
• Keeping Track of Last User Login
• List only Windows 2000 Systems
• List Open Connections
• List Terminal Servers
• Listing Directory Shares with Permissions
• Losing Mapped Drive Connections in XP
• Matching SID to ProfileList folder
• NT Auditing
• NT Extender and NT4 No Service Packs
• NT Network Extender and UPN Account Names
• Obtain Share Permissions
• Obtain user sid
• Port Required for WntUserGetDat
• Problems caused by ADMT
• Pull Trusted Domain List
• Reboot user with no shutdown privileges
• Remotely Reboot and wntShutDown
• Remove Everyone Access from D
• Rename User in an AD Domain
• Reset Passwords in Active Directory
• Reset Permissions when Inheritable is Enabled
• Rights to use wntFileUsers
• Runwithlogon and Bad Username
• RunWithLogon Parameter Size
• RunWithLogon versus RunAsUser
• Searching NT Users and Find by Last Name
• Server Description Field
• Setting File Permissions with wntAccessAdd
• Setting NT Policies
• Setting Service Permissions
• Shutdown All NT Servers
• SID values - AD - round tripping and ADMT
• Synchronize password from NT Domain to Novell
• The NT extender functions in Active Directories
• Trouble determining admin rights
• Trusting Domain List
• Unlock Account with wntUserSetDat
• User Login and Log out Information
• User Profile Last Logon
• Win 2000 AutoAdminLogon
• wntAccess... and Specifying Remote Drives
• WntAccessAdd and Change Modify Registry
• wntAccessAdd and Inherited Rights
• WntAccessAdd and Inheritence
• wntAccessAdd and Invalid User - Group
• wntAccessAdd and NTFS
• WntAccessAdd error 546 Invalid file directory name
• wntAccessAdd Inheritable Permissions
• wntAccessAdd Problem on NT 4
• wntAccessAdd Share Problem on Windows 7
• wntAccessAdd versus w95AccessAdd Tips
• wntAccessDel Error 599 Invalid Level
• wntAccessGet and Username Parameter
• WntAccessList DFS share
• wntAccessList Problem
• wntAccessMod Registry Issue
• wntAcctList Returns Incorrect Flag Values
• wntAcctPolSet Error
• wntAddDrive and Unicode
• WntAddDrive launches an Explorer window
• wntAddPrinter after WntRunAsUser
• wntauditadd and inheritance
• wntAuditAdd and MS Patch
• WntCancelCon Error 511 Device in Use
• wntChgPswd 562 Invalid User Name
• wntChgPswd and Error 586
• wntChgPswd and Error 589 Error Changing Password
• wntChgPswd and Error 677
• wntChgPswd behavior different between W2K and NT4
• wntCurrUsers Behavior
• wntDomainSync Error 695
• wntEventLog Problem
• wntGetCon Error 509 Network component is Not Started or Invalid
• wntMemberDel- error 571
• wntMemberGrps returns 0 on DC running AD
• wntMemberGrps wntMemberSet - 562 invalid user name
• wntMemberList Behavior
• wntMemberList Error 522
• wntMemberList Problems
• wntOwnerGet - wntOwnerSet Tips
• wntOwnerSet Error 547
• wntRemoteTime and 530 Access Denied Error
• wntRemoteTime and Daylight Savings Time
• wntRunAsUser -- Security Side Effects
• wntRunAsUser 713 Unable to Set Window Station Access
• wntRunAsUser and Act as Part of OS Clarification
• wntRunAsUser and Called Scripts
• wntRunAsUser and Debugging Problem
• wntRunAsUser and No Permission on Local Machine
• wntRunAsUser Discussion in French
• wntRunAsUser Error 637
• wntRunAsUser Error 638
• wntRunAsUser Function - 1
• wntRunAsUser Function - 2
• wntRunAsUser Function - 3
• wntRunAsUser Function Used Twice in Script
• wntRunAsUser RunWithLogon Security Context
• wntRunAsUser to AutoAdminLogon after Reboot
• wntRunAsUser Windowstation and Desktop Permissions on WinXP
• wntServerList and wntServiceAt
• wntServerType
• wntShutDown Error 694
• wntUser... and Update User Accounts
• wntUserAdd Adding a Domain User
• wntUserAdd Bug
• WntUserAddDat and Max_storage
• wntUserGetDat 524 Unable to Access Specified Server
• wntUserGetDat and Logon_hours Flag
• wntUserSetDat and Logon Hours
• wNTUserXXXDat Function and Flags
• wxxUserGetDat and Last Logon Date

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

Is Domain User a Local Administrator?

Keywords: 	 Domain User Local Administrator

---

Question:

How do I determine if a domain user is in the local administrators group?

Answer:

wntUserProps only returns information for users with an account on "server", not for domain users. Make sure the user really have an account on the current machine, and not simply a domain user.

How about just using wntMemberGet() to see if they are a member of the Local Administrators group?

Question (cont'd):

If the user gets local admin rights via a global group (e.g. domain group) is there a way to tell? We do account administration via global groups, so there are really no members of the local groups directly. The local groups contain the global domain groups, which contain the users and the local groups are the ones that grant the appropriate permissions.

Answer:

That depends on what exactly you expect from the "administrator" to be able to accomplish. Because there is a whole bunch of user rights that may or may not be granted to any particular user. For example, the Grand Master Administrator of a huge network may grant some of his privileges to the so called "power users", which will be able, for instance, install new programs, but will not be able to install new drivers, or something like that. So the best way to answer the question whether the current user is powerful enough to perform the operation you need is to try to perform that operation and check the result for the errors.

1. Currently I don't think that WinBatch has any way of determining your "effective" rights.

   You could use the network extender to determine what groups (global and local) that your user belongs to. You could then check to see if your user belongs to the local administrators group or if any of the global groups that the user belongs to are members of the local administrators group.

   This could be implemented as a fairly simple list processing loop. Once the processing is done you have a yes/no answer as to whether or not there is a direct/indirect association between the user and the local administrators group.

2. The way I do it is to check and see if they have network access to an admin only share as follows:

   If FileExist( "\\%ComputerName%\ADMIN$\System32\Services.EXE" ) Then Message( "xx", "They are an Admin" )
   

   It's fairly reliable but does have problems.
   • You must get the computername (snag it from the environment or use a net extender call).

   • Some users (who are admins) delete the admin share. I fix this by trying to put it back (with a RUN NET SHARE ADMIN$) before testing if they are an admin or not. Sharing it back will fail if they aren't an admin but the end result is that you get the answer you're looking for.

   Of course, some times it is easier to determine your level of rights by attempting to perform some administrative action and being prepared to trap any errors that occur due to lack of privileges. This works sort of like saying, "If I can do this one task then I know that I am privileged for all other admin tasks." This is not the best way but some times it is the only sure way to know.

3. Another user reported:

   We created a specific user account which is a local admin on all workstations. Our deployment procedure includes insuring that this user is added to the local admin group.

   We then autolog this user in conjunction with the runonce command for Software Delivery purposes.

4. And yet another user offered the following:

   I would like to contribute my technique for simply determining if the current NT user has admin rights:

   Admin = 0                                     ; Initialize Flag to false
   AddExtender('WWWNT34I.DLL')                   ; WinNT Network Functions
   username = StrTrim(wntGetUser(@default))      ; Current user logged on network
   ;************************** AdminTest
   BoxCaption(1,'Checking Admin Privileges for %username%')
   RegKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce[AdminTest]'
   
   ErrorMode(@OFF)    ; Suppress error if attempt fails
   RegSetValue(@REGMachine, RegKey, 'cmd.exe')   ; Key can only be written by an Administrator
   ErrorMode(@NOTIFY)
   
   if RegExistValue(@REGMachine, RegKey) 
      Admin = 1
      RegDelValue(@REGMachine, RegKey)
   endif 
   

   One of our developers commented on the above suggestion as follows:

   I use this method also. It works on default windows installations, but it can easily be broken by modifying the security entries on the registry keys.

   Being an admin does not mean oyu have security access to everything, but it does generally mean that you can alter the security access so that you can.

   However the breaking is theoretical, I've never seen a machine where someone had managed to break the above trick, so I think it is pretty safe.

---

Article ID:   W14266

Filename:   Is Domain User a Local Admin.txt

File Created: 2001:11:21:11:44:28

Last Updated: 2001:11:21:11:44:28