How might I determine if the currently logged on user had Admin privilidges ?

For this question, I have a pc in a workgroup.
Three user id's have been defined.
Administrator
Adminmember
Standarduser
This is a virgin Windows 7 X64 machine.
No policies modified.  Ever.
All possible updates applied.

What I am try to do is:      Determine if the currently logged account has Admin right or privileges.

I have seen several examples on the web of thing that might work.
I IE:  Running "OPENFILES" and monitor the result.
Running "Net Session" and monitoring the result code.
Or even trying to read HKEY_USERS\S-1-5-19\Environment\TEMP registry value. (Just attempt to read it.)

All three result in fallers (a good thing) if the account in use at the time (Standarduser) is a standard user

And all three result is the positive, if the account in use at the time ((Administrator) is THE local Administrator account.

But all three fail, if the account in use at the time (Adminmember), is a member of the local Administrators group.
This really confuses me.

My goal is to identify if the currently logged on user account has Administrative rights or privileges or not.

Thanks for any ideas.
LVL 1
Accidental Hyper-V AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
I assume you mean in a batch file - in batch files, users by DEFAULT don't have admin rights even if they do.  You have to elevate the cmd prompt to get admin rights.  That's why you use openfiles - to CONFIRM that the batch file has admin rights (at least I do).

Otherwise, the user may have them, but UAC may be keeping the user from running most processes as admin.  You can use NET LOCALGROUP ADMINISTRATORS to see who is in the group - but if the user is a member of another group in Administrators it won't necessarily indicate that.
Maidine FouadEngineerCommented:
Hello

Using some c# code you can do that, try this  :

static bool isAdmin(string user, string computer_name)
{
    using (PrincipalContext computer = new PrincipalContext(ContextType.Machine, computer_name))
    {
        using (PrincipalContext domain = new PrincipalContext(ContextType.Domain))
        {
            UserPrincipal u= UserPrincipal.FindByIdentity(domain, IdentityType.SamAccountName, user);
            GroupPrincipal p = GroupPrincipal.FindByIdentity(computer, "XXX");//XXX is in our case Administrators

            foreach (UserPrincipal usr in p.GetMembers(true))
            {
                if (u!= null)
                {
                    if (up.SamAccountName.ToUpper() == usr.SamAccountName.ToUpper())
                    {
                        return true;
                    }
                }
            }
        }
    }
    return false;
}

Open in new window

Accidental Hyper-V AdministratorAuthor Commented:
Thanks.
I do appreciate your efforts.

Unfortunately (for me), I don’t know anything about C#.
I have an existing VBScript that I was hoping to add lines of code to, in order to check for Admin rights.
And then execute various functions based on the currently logged on rights level.

I'm not smart enough to figure out how to add the C# code into my script
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Maidine FouadEngineerCommented:
Well using VBScript you can manage to do that, i found this article:

http://www.tek-tips.com/viewthread.cfm?qid=1348699

They have a nice piece of code , that enumerates Group members ...You can start with that :

Function RetrieveUsers(domainName,grpName)


Dim dom
dim grp
dim GrpObj
dim mbrlist
dim mbr

Set GrpObj = GetObject("WinNT://" & domainName & "/" & grp & ",group")

for each mbr in GrpObj.Members
   mbrlist = mbrlist & vbTab & mbr.name & vbCrLf
Next

RetrieveUsers=mbrlist

Open in new window


Then you can use a function to check , Something like this :

Function IsAdmin(user)
    if InStr(RetrieveUsers("MachineName", "Administrators"), user) > 0 Then
    Wscript.Echo " is an admin"
Else
    Wscript.Echo " is not an admin"
End If

End Function

Open in new window

David Johnson, CD, MVPOwnerCommented:
http://csi-windows.com/toolkit/csi-isadmin has a good script.. note it uses wscript not cscript.. other experts are free to pick it apart

The meat of the matter is
  CSI_IsAdmin = False
  On Error Resume Next
  key = CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
  If err.number = 0 Then CSI_IsAdmin = True


'********************************************************************
'*
'*  Name:            CSI_IsAdmin.vbs
'*  Author:          Darwin Sanoy
'*  Updates:         http://csi-windows.com/toolkit/csi-isadmin
'*  Bug Reports &
'   Enhancement Req: http://CSI-Windows.com/about/contact-us
'*
'*  Built/Tested On: XP, Windows 7
'*  Requires:        OS: Xp, Vista, Windows 7, Server 2008
'*  Might Work On:   OS: Windows 2000
'*
'*
'*  Main Function:
'*              a) Available in .VBS and .CMD/.BAT versions
'*              b) Checks for admin rights for current session
'*              c) using a fast method
'*              d) with a small code footprint
'*              e) which is "universal" - handling XP through Windows 7
'*              f) and handles UAC (false if not elevated, true if elevated) 

'*              DOES NOT tell if the user is an UNELEVATED ADMIN.  

'*              To tell WHETHER a user can elevate, use script "CSI_IsSession.vbs" at
'*              http://csi-windows.com/toolkit/csi-issession
'*
'*
'*  Documentation:   see above
'*
'*  Version:         1.31
'*
'*  Revision History:
'*        10/26/11 - 1.31 - XP bug fixed.
'*        10/06/11 - 1.3 - no longer depends on default permissions
'*                         for %windir%\system32\config which could
'*                         be easily changed if a Win 7 protected admin
'*                         visited this folder in explorer and answered
'*                         "yes" to the prompt "Do you want permanent
'*                         permissions to this folder.
'*
'*                       - VBS implementation does not depend on CMD.EXE
'*                         or any other EXEs - pure vbs.
'*
'*                       - PowerShell Version Created
'*

'*        01/26/10 - 1.1 - inital version (djs)
'*
'*******************************************************************

output = output &vbnewline & "*************************************************" 
output = output &vbnewline & "* CSI_IsAdmin from CSI-Windows.com              *"
output = output &vbnewline & "* http://CSI-Windows.com/toolkit/CSI-IsAdmin    *"
output = output &vbnewline & "*                                               *"
output = output &vbnewline & "* Works for XP, Vista, Win7, UAC, 2003, 2008    *"
output = output &vbnewline & "* Small, Efficient and non-invasive code        *"
output = output &vbnewline & "*************************************************" & vbnewline

If CSI_IsAdmin Then output = output &vbnewline & "Session Admin Rights: YES"
If NOT CSI_IsAdmin Then output = output &vbnewline & "Session Admin Rights: NO"

wscript.echo output

Function CSI_IsAdmin()
  'Version 1.31
  'http://csi-windows.com/toolkit/csi-isadmin
  CSI_IsAdmin = False
  On Error Resume Next
  key = CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
  If err.number = 0 Then CSI_IsAdmin = True
End Function

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Accidental Hyper-V AdministratorAuthor Commented:
Thanks to all.  
You’re the greatest !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.