UDF_AM_I_AN_ADMIN

Keywords: Check Admin Administrator User rights AmIAdmin AmIAnAdmin AM_I_ADMIN IsAdmin 

See also: Article ID W15805

This UDF attempts to open the Service Control Manager to check whether the current user is an admin user. Generally, only admin users may open the Service Control Manager.

Experience has shown that attempting to check directly whether a user has admin privileges is fraught with complications. It is easier simply to attempt an operation that requires admin privileges. There are many variations of this technique.


;// Am_I_an_Admin() - tests to see if the current user is an admin

;#define GENERIC_READ                     (0x80000000L)
;#define GENERIC_WRITE                    (0x40000000L)
;#define GENERIC_EXECUTE                  (0x20000000L)


#DefineFunction Am_I_an_Admin()
 dll=StrCat(DirWindows(1),"advapi32.dll")
 ; 0xE0000000 expressed as a signed 32-bit value
 rqst=  -536870912         ;   GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE
 ; Null machine and database names select the local Service Control Manager
 hSC=DllCall(dll,long:"OpenSCManagerA",lpnull,lpnull,long:rqst)
 If hSC != 0
    ; A non-zero handle means the open succeeded; release it before returning
    DllCall(dll,long:"CloseServiceHandle",long:hSC)
    Return(@TRUE)
 EndIf
 Return(@FALSE)
#EndFunction

status=Am_I_an_Admin()
Message("Am I an Admin",status)


That code checks whether the Service Control Manager can be opened to determine whether the script is running with admin rights. Another method is to attempt to write to a registry key that is typically only writable by administrators. For example:

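#DefineFunction AdminUser() ; Check for Admin rights
   Admin = @FALSE
   ; Test value "Admin" under a key that is typically writable only by administrators
   KeyVal = "System\CurrentControlSet\Control[Admin]"
   ErrMode = ErrorMode(@FALSE)                ; remember the previous error mode
   RegSetValue(@REGMACHINE,KeyVal,"1")        ; attempt the write
   Admin = RegQueryValue(@REGMACHINE,KeyVal)  ; read the value back
   RegDelValue(@REGMACHINE,KeyVal)            ; remove the test value
   ErrorMode(ErrMode)                         ; restore the previous error mode
   If Admin=="1" Then Admin = @TRUE
   Return Admin
#EndFunction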

Message("Admin",AdminUser())

Notes:

Beyond membership in the local "Administrators" group, you also have to consider any user or member of a group that has been granted a set of LSA privileges that are comparable to the ones granted to the local "Administrators" group. Aside from the command line "NET" command, the typical management tools you would use to perform these two sets of tests would be the Computer Management [compmgmt.msc] and Local Security Policy [secpol.msc] MMC snap-ins. With Computer Management, you would be able to examine the membership list of the local "Administrators" group. With Local Security Policy, you would be able to examine the LSA privileges that exist and who they have been granted to.

With WinBatch, one way is to make use of the Win32 Network [a.k.a. "NT"] extender to perform these same examinations via program code. The wntMemberList() function is used to list all members of a [local] group. The wntPrivList(), wntPrivUsers() and wntPrivGet() functions are used to query the LSA privilege database in various ways to find out what accounts have been granted which LSA privileges.

In a nutshell, use wntPrivList() to find out which LSA privileges have been granted to the local "Administrators" group. Then, use wntPrivUsers() to find out which accounts have been granted those same privileges. Any user or group that has been granted the same full set of privileges as the local "Administrators" group can be considered to have administrative capabilities even if the user or group is not actually a member of the local "Administrators" group. In fact, only a subset of those LSA privileges is necessary to escalate an account's access level to administrative level, so the test itself could be even more discriminating in that regard. Don't forget that users can obtain LSA privileges by having them directly granted and via membership in a group, either local or domain, which has been granted specific LSA privileges. This makes it necessary to do further testing with wntMemberList() and wntMemberGet() to ensure that the complete set of effective LSA privileges available to any given account is properly identified.

Finally, there are a few Win32 API functions in the networking category that can only be used in certain ways if you are a member of the local "Administrators" group, regardless of what LSA privileges you have been granted. These API functions actually test for membership in this group before they perform an operation or fail it due to an access-denied condition. When determining if a user is an administrator, it may well be necessary to keep track of membership in the local "Administrators" group independently of whatever LSA privileges the user has been granted [either directly or indirectly] if you are preparing a very thorough security audit.
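
The audit logic described in the notes above, modelled in Python as an added example (it is not WinBatch code from this article): it resolves nested group membership, computes each account's effective LSA privileges, and reports membership in the local "Administrators" group as a separate fact. The dictionaries are constructed sample data standing in for what wntPrivList(), wntPrivUsers() and wntMemberList() would return; all account and group names and the privilege grants are hypothetical.

```python
ADMIN_GROUP = "Administrators"

# Constructed sample data (hypothetical accounts and grants), standing in for
# the results of wntPrivList()/wntPrivUsers() and wntMemberList().
DIRECT_PRIVS = {   # account or group -> LSA privileges granted directly
    "Administrators": {"SeBackupPrivilege", "SeRestorePrivilege",
                       "SeDebugPrivilege", "SeTakeOwnershipPrivilege"},
    "Backup Operators": {"SeBackupPrivilege", "SeRestorePrivilege"},
    "CORP\\Deploy": {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"},
    "dave": {"SeBackupPrivilege"},
}
MEMBERS = {        # group -> direct members (users or nested groups)
    "Administrators": {"alice", "CORP\\Ops Leads"},
    "CORP\\Ops Leads": {"bob"},
    "Backup Operators": {"carol"},
    "CORP\\Deploy": {"carol"},
}

def groups_of(account, members=MEMBERS):
    """Every group the account belongs to, directly or through nesting."""
    found, frontier = set(), {account}
    while frontier:
        # Groups containing anything found in the last round; dropping the
        # ones already seen also stops circular nesting from looping forever.
        frontier = {g for g, m in members.items() if m & frontier} - found
        found |= frontier
    return found

def effective_privs(account, privs=DIRECT_PRIVS, members=MEMBERS):
    """Privileges granted directly plus those inherited from every group."""
    holders = {account} | groups_of(account, members)
    return set().union(*(privs.get(h, set()) for h in holders))

def audit(users, privs=DIRECT_PRIVS, members=MEMBERS):
    """Report group membership and privilege equivalence as separate facts."""
    admin_privs = privs[ADMIN_GROUP]
    report = {}
    for user in users:
        held = effective_privs(user, privs, members) & admin_privs
        report[user] = {
            "member": ADMIN_GROUP in groups_of(user, members),
            "full_set": held == admin_privs,   # same privileges as the group
            "held": sorted(held),              # partial overlap is listed too
        }
    return report

if __name__ == "__main__":
    for user, row in audit(["alice", "bob", "carol", "dave", "erin"]).items():
        print(user, row)
```

In this sample, carol is not a member of "Administrators" but still holds the group's full privilege set through two other groups, which is the case a membership-only check misses.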


Article ID:   W16240
File Created: 2014:07:18:09:51:40
Last Updated: 2014:07:18:09:51:40