How to find if a user is admin or not
-
Thursday, June 14, 2012 6:39 AM
Googled on a subject and found this:
http://www.hanselman.com/blog/HowToDetermineIfAUserIsALocalAdministratorWithPowerShell.aspx
This script will not list if a user is admin if the rights were given to a group and the user belonged to a group and thus was admin.
Is there a complete script somewhere?
Note that I am not asking for current user being admin or not. I want to check whether a given user belongs to the administrator group (directly or indirectly).
MSDNStudent Knows not much!
All Replies
-
Thursday, June 14, 2012 6:52 AM
Hi,
It works: if the user is not an admin, it doesn't return anything. But if the user is an admin, it returns some data from this WMI class.
There is another way to do this, but it works similarly:

    $username = "test"
    $computerName = "machine"
    $groupName = "administrators"
    $group = [adsi]"WinNT://$computerName/$groupName"
    $members = $group.members()
    # List the name of each member of the group and keep only the one matching $username
    $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} | ?{$_ -eq $username }

-
Thursday, June 14, 2012 9:08 AM
Does not work.
If I remove the last | ?{$_ -eq $username } filter,
I see that the command is only returning objects which are "directly" entitled as an admin.
This does not list my ID because I am not directly entitled to Admin group.
MSDNStudent Knows not much!
-
Thursday, June 14, 2012 9:43 AM
Ok now I understand what you want to do.
I once wrote this script that may help you:
http://gallery.technet.microsoft.com/Get-ADGroupMembers-59e1bbb2

    #load Get-ADGroupMembers function from Technet
    $userName = "mg"
    $computerName = "MyComp"
    $groupName = "Administrators"
    $group = [adsi]"WinNT://$computerName/$groupName"
    $members = $group.members()
    $members | foreach {
        $name = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
        # Member is a user account: compare its name directly
        if(($_.GetType().InvokeMember("Class", 'GetProperty', $null, $_, $null)) -eq "User" -and $name -eq $userName)
        {
            Write-Host "Yes, user: $userName is direct in group: $groupName"
        }
        # Member is a group: look for the user among its recursively resolved members
        elseif(($_.GetType().InvokeMember("Class", 'GetProperty', $null, $_, $null)) -eq "Group")
        {
            $ADGroupMembers = Get-ADGroupMembers $name | ?{$_.sAMAccountName -eq $userName}
            if(($ADGroupMembers | measure).count -gt 0)
            {
                Write-Host "Yes, user: $userName is in group: $groupName from: $($ADGroupMembers.MembersPath)"
            }
        }
    }

- Edited by MichalGajdaMVP Thursday, June 14, 2012 10:01 AM
- Marked As Answer by MSDN Student Thursday, June 14, 2012 1:30 PM
-
Thursday, June 14, 2012 12:49 PM
Getting this error. I ran your script in "Active Directory Module for Windows PowerShell"
The term 'Get-ADGroupMembers' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\srabhi_adm\AppData\Local\Temp\2\935ec445-62ff-4177-a7b8-a0d008e21e16.ps1:19 char:39
+ $ADGroupMembers = Get-ADGroupMembers <<<< $name | ?{$_.sAMAccountName -eq $userName}
+ CategoryInfo : ObjectNotFound: (Get-ADGroupMembers:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
MSDNStudent Knows not much!
-
Thursday, June 14, 2012 12:55 PM
Get-ADGroupMembers is not a standard cmdlet. It is a function (to recursively check group members) that you can download from here:
http://gallery.technet.microsoft.com/Get-ADGroupMembers-59e1bbb2
You must load it first and then run the script.
-
Thursday, June 14, 2012 1:30 PM
It works! Many thanks!
MSDNStudent Knows not much!
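
The thread turns on the difference between direct and nested membership of the Administrators group. The block below is an added example, not code from any poster or from the Get-ADGroupMembers function: it resolves nesting over a constructed membership table, reports every chain of groups that grants the membership, and stops on circular nesting. The function name Find-MembershipPath, the $DirectMembers table and all account and group names are hypothetical; in practice each table entry would be filled from the WinNT/AD lookups shown in the replies.

```powershell
# Constructed sample data: group name -> direct members (hypothetical names).
$DirectMembers = @{
    'Administrators'     = @('Administrator', 'CORP\Server-Admins')
    'CORP\Server-Admins' = @('CORP\alice', 'CORP\Tier2-Ops')
    'CORP\Tier2-Ops'     = @('CORP\srv_backup', 'CORP\Server-Admins')  # circular nesting
}

function Find-MembershipPath {
    param(
        [Parameter(Mandatory=$true)] [string]    $UserName,
        [Parameter(Mandatory=$true)] [string]    $GroupName,
        [Parameter(Mandatory=$true)] [hashtable] $Membership,
        [string[]] $Visited = @()   # groups already walked on this path
    )
    # Stop on a group already on the current path so circular nesting terminates.
    if ($Visited -contains $GroupName) { return }
    # Unknown group (no entry in the table): nothing to enumerate.
    if (-not $Membership.ContainsKey($GroupName)) { return }
    $Visited += $GroupName

    foreach ($member in $Membership[$GroupName]) {
        if ($member -eq $UserName) {
            # Found the user: emit the chain of groups that grants the membership.
            ($Visited + $member) -join ' -> '
        }
        elseif ($Membership.ContainsKey($member)) {
            # The member is itself a group: descend into it.
            Find-MembershipPath -UserName $UserName -GroupName $member `
                                -Membership $Membership -Visited $Visited
        }
    }
}

$user = 'CORP\srv_backup'

# Direct-only check, as in the first reply: nested accounts are missed.
$isDirect = $DirectMembers['Administrators'] -contains $user
Write-Host "Direct member of Administrators: $isDirect"

# Recursive check: every path matters, because removing one nesting
# does not revoke admin rights if another path remains.
$paths = @(Find-MembershipPath -UserName $user -GroupName 'Administrators' -Membership $DirectMembers)
if ($paths.Count -gt 0) { $paths | ForEach-Object { Write-Host "Admin via: $_" } }
else                    { Write-Host "$user is not a member of Administrators" }
```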

