How to find if a user is admin or not

    Question

  • I googled the subject and found this:

    http://www.hanselman.com/blog/HowToDetermineIfAUserIsALocalAdministratorWithPowerShell.aspx

    This script will not list if a user is admin if the rights were given to a group and the user belonged to the group and thus was admin.

    Is there a complete script somewhere? 

    Note that I am not asking for the current user being admin or not. I want to check whether a given user belongs to the administrator group (directly or indirectly).



    MSDNStudent Knows not much!

    Thursday, June 14, 2012 6:39 AM

Answers

  • OK, now I understand what you want to do.
    Some time ago I wrote this script; it may help you:
    http://gallery.technet.microsoft.com/Get-ADGroupMembers-59e1bbb2

    # load the Get-ADGroupMembers function from TechNet (link above) before running this
    $userName = "mg"
    $computerName = "MyComp"
    $groupName = "Administrators"

    # bind to the local group through the ADSI WinNT provider
    $group = [adsi]"WinNT://$computerName/$groupName"

    $members = $group.members()
    $members | foreach {
        # members are COM objects; read their Name and Class through reflection
        $name = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember("Class", 'GetProperty', $null, $_, $null)
        if ($class -eq "User" -and $name -eq $userName)
        {
            Write-Host "Yes, user: $userName is direct in group: $groupName"
        }
        elseif ($class -eq "Group")
        {
            # nested group: expand it recursively and look for the user by sAMAccountName
            $ADGroupMembers = Get-ADGroupMembers $name | ?{$_.sAMAccountName -eq $userName}
            if (($ADGroupMembers | measure).count -gt 0)
            {
                Write-Host "Yes, user: $userName is in group: $groupName from: $($ADGroupMembers.MembersPath)"
            }
        }
    }

    Thursday, June 14, 2012 9:43 AM
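    As an added example (not code from the thread), the same recursive check written against the ADSI WinNT provider alone, so it works without downloading Get-ADGroupMembers and also guards against groups nested in a cycle. The function and parameter names are my own; it assumes the caller can enumerate the local group and any nested domain groups.

```powershell
function Test-GroupMembershipRecursive {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName    = 'Administrators',
        # internal parameters used by the recursion: the ADsPath of the group being
        # expanded, the chain of group names walked so far, and the groups already seen
        [string]$GroupPath   = "WinNT://$ComputerName/$GroupName,group",
        [string[]]$Chain     = @($GroupName),
        [hashtable]$Visited  = @{}
    )
    # nested groups can form a cycle (A contains B, B contains A): expand each group once
    if ($Visited.ContainsKey($GroupPath)) { return $null }
    $Visited[$GroupPath] = $true

    $group = [adsi]$GroupPath
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # members come back as COM objects; read their properties through reflection
        $t     = $member.GetType()
        $name  = $t.InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

        if ($class -eq 'User' -and $name -eq $UserName) {
            # found: report the chain of groups that grants the membership
            return ($Chain -join ' -> ')
        }
        if ($class -eq 'Group') {
            # descend into the nested local or domain group using its own ADsPath
            $nested = if ($path -match ',group$') { $path } else { "$path,group" }
            $hit = Test-GroupMembershipRecursive -UserName $UserName -GroupPath $nested `
                                                 -Chain ($Chain + $name) -Visited $Visited
            if ($hit) { return $hit }
        }
    }
    return $null
}

# usage: 'MyComp' and 'mg' are the sample values from the answer above, not real hosts/accounts
$via = Test-GroupMembershipRecursive -UserName 'mg' -ComputerName 'MyComp'
if ($via) { "mg is an Administrator via: $via" } else { "mg is not in Administrators" }
```

    The returned chain (for example `Administrators -> Domain Admins`) tells you which nesting grants the right, which is what an audit of effective local admins needs.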

All replies

  • Hi,

    It works; if the user is not admin then it doesn't return anything, but if they are admin it returns some data from this WMI class.
    Here is another way to do this, which works similarly:

    $username = "test"
    $computerName = "machine"
    $groupName = "administrators"

    # bind to the local group and list only the names of its direct members
    $group = [adsi]"WinNT://$computerName/$groupName"
    $members = $group.members()
    $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} | ?{$_ -eq $username }

    Thursday, June 14, 2012 6:52 AM
  • Does not work.

    If I remove the last | ?{$_ -eq $username } filter,

    I see that the command is only returning objects which are "directly" entitled as an admin.

    This does not list my ID because I am not directly entitled to the Admin group.


    MSDNStudent Knows not much!

    Thursday, June 14, 2012 9:08 AM
  • Getting this error. I ran your script in "Active Directory Module for Windows PowerShell":

    The term 'Get-ADGroupMembers' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Users\srabhi_adm\AppData\Local\Temp\2\935ec445-62ff-4177-a7b8-a0d008e21e16.ps1:19 char:39
    +         $ADGroupMembers = Get-ADGroupMembers <<<<  $name | ?{$_.sAMAccountName -eq $userName}         
        + CategoryInfo          : ObjectNotFound: (Get-ADGroupMembers:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException


    MSDNStudent Knows not much!

    Thursday, June 14, 2012 12:49 PM
  • Get-ADGroupMembers is not a standard cmdlet. It is a function (to recursively check group members) that you can download from here:

    http://gallery.technet.microsoft.com/Get-ADGroupMembers-59e1bbb2

    You must load it first and then run the script.

    Thursday, June 14, 2012 12:55 PM
  • It works! Many thanks!

    MSDNStudent Knows not much!

    Thursday, June 14, 2012 1:30 PM