none
Find User having Admin Privileges or not RRS feed

  • Question

  • Hi All,

            I have a task to work on batch script to  find that particular user is having admin privileges or not.Can any one help how can i do this task


    Samar

    Thursday, April 3, 2014 2:10 AM

Answers

  • Here is the shell version of the above:

    net localgroup administrators|findstr jsmith
    if %errorlevel% == 0 echo is admin


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, April 3, 2014 7:25 AM
    • Marked as answer by Samar SharePoint 2010 Thursday, April 3, 2014 10:36 AM
    Thursday, April 3, 2014 7:23 AM

All replies

  • Whoami -all


    ¯\_(ツ)_/¯

    Thursday, April 3, 2014 2:24 AM
  • Something along these lines:

    whoami /groups | findstr /i /c:"S-1-5-32-544" > nul 2>&1
    
    if errorlevel 1 (
        echo I am not an Administrator.
    ) else (
        echo I am admin, fear me!
    )

    Thursday, April 3, 2014 2:26 AM
  • I was goug to address the issue of being an admin without being in an admin group.

    There is only one way to detect all conditions.

    Run elevated.  

    PS C:\scripts> whoami /priv
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                  Description                               State
    =============================== ========================================= ========
    SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
    SeSecurityPrivilege             Manage auditing and security log          Disabled
    SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
    SeLoadDriverPrivilege           Load and unload device drivers            Disabled
    SeSystemProfilePrivilege        Profile system performance                Disabled
    SeSystemtimePrivilege           Change the system time                    Disabled
    SeProfileSingleProcessPrivilege Profile single process                    Disabled
    SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
    SeCreatePagefilePrivilege       Create a pagefile                         Disabled
    SeBackupPrivilege               Back up files and directories             Disabled
    SeRestorePrivilege              Restore files and directories             Disabled
    SeShutdownPrivilege             Shut down the system                      Disabled
    SeDebugPrivilege                Debug programs                            Enabled
    SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
    SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
    SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
    SeUndockPrivilege               Remove computer from docking station      Disabled
    SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
    SeImpersonatePrivilege          Impersonate a client after authentication Enabled
    SeCreateGlobalPrivilege         Create global objects                     Enabled
    SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
    SeTimeZonePrivilege             Change the time zone                      Disabled
    SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
    PS C:\scripts>

    These privileges can be directly granted in the system policy.  THe user can have admmin rights but detecting the group will not work.

    You can also use Net to check InRole because it cheks the privileges directly.


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, April 3, 2014 2:33 AM
    Thursday, April 3, 2014 2:31 AM
  • HI jrv & David,

                         Thanks for your help ,But if doesn't helped me out in solving this issue.Below is the script I had written to find the user having admin rights or not.

                       But it is showing all the users in the admin group.I would like to get only single user who is having admin rights by passing parameter.Hope you help me  

     

    @ECHO OFF
    SETLOCAL
    SET "admins="
    SET "prev="
    FOR /f "delims=" %%A IN ('net localgroup administrators') DO (
     CALL SET "admins=%%admins%% %%prev%%"
     SET "prev=%%A"
    )
    SET admins=%admins:*- =%
    ECHO admins are "%admins%"
    Pause
    GOTO :EOF

                             


    Samar

    Thursday, April 3, 2014 7:06 AM
  • HI jrv & David,

                         Thanks for your help ,But if doesn't helped me out in solving this issue.Below is the script I had written to find the user having admin rights or not.

                       But it is showing all the users in the admin group.I would like to get only single user who is having admin rights by passing parameter.Hope you help me  

     

    @ECHO OFF
    SETLOCAL
    SET "admins="
    SET "prev="
    FOR /f "delims=" %%A IN ('net localgroup administrators') DO (
     CALL SET "admins=%%admins%% %%prev%%"
     SET "prev=%%A"
    )
    SET admins=%admins:*- =%
    ECHO admins are "%admins%"
    Pause
    GOTO :EOF

                             


    Samar

    Sorry but that won't work.  If the user is in a domain group you would have you find the domain group and query that.


    ¯\_(ツ)_/¯

    Thursday, April 3, 2014 7:19 AM
  • Here.  This does that in PowerShell:

    if((net localgroup administrators) -contains 'jsmith'){'User is in admin group'}


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, April 3, 2014 7:23 AM
    Thursday, April 3, 2014 7:22 AM
  • Here is the shell version of the above:

    net localgroup administrators|findstr jsmith
    if %errorlevel% == 0 echo is admin


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, April 3, 2014 7:25 AM
    • Marked as answer by Samar SharePoint 2010 Thursday, April 3, 2014 10:36 AM
    Thursday, April 3, 2014 7:23 AM
  • Hi Jrv,

               Thanks for your rapid reply.But I required only batch script.Hope you look further in solving this issue


    Samar

    Thursday, April 3, 2014 9:15 AM
  • HI Jrv,

                Thanks for your great effort


    Samar

    Thursday, April 3, 2014 10:35 AM
  • There are at least two problems with this solution:

    1. It won't work if the group is not named 'Administrators'

    2. It won't work if the user is a member of a group that's a member of Administrators (nested group)

    It also won't tell you if you're running elevated, which is a separate question.

    What's provoking the question (what problem are you trying to solve)?


    -- Bill Stewart [Bill_Stewart]

    Thursday, April 3, 2014 2:51 PM
    Moderator
  • I was goug to address the issue of being an admin without being in an admin group.

    There is only one way to detect all conditions.

    Run elevated.  

    PS C:\scripts> whoami /priv
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                  Description                               State
    =============================== ========================================= ========
    SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
    SeSecurityPrivilege             Manage auditing and security log          Disabled
    SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
    SeLoadDriverPrivilege           Load and unload device drivers            Disabled
    SeSystemProfilePrivilege        Profile system performance                Disabled
    SeSystemtimePrivilege           Change the system time                    Disabled
    SeProfileSingleProcessPrivilege Profile single process                    Disabled
    SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
    SeCreatePagefilePrivilege       Create a pagefile                         Disabled
    SeBackupPrivilege               Back up files and directories             Disabled
    SeRestorePrivilege              Restore files and directories             Disabled
    SeShutdownPrivilege             Shut down the system                      Disabled
    SeDebugPrivilege                Debug programs                            Enabled
    SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
    SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
    SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
    SeUndockPrivilege               Remove computer from docking station      Disabled
    SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
    SeImpersonatePrivilege          Impersonate a client after authentication Enabled
    SeCreateGlobalPrivilege         Create global objects                     Enabled
    SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
    SeTimeZonePrivilege             Change the time zone                      Disabled
    SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
    PS C:\scripts>

    These privileges can be directly granted in the system policy.  THe user can have admmin rights but detecting the group will not work.

    You can also use Net to check InRole because it cheks the privileges directly.


    ¯\_(ツ)_/¯



    I repeat this for clarity.  There is also an SDK utility that will retrieve local permissions of a specific user.  I believe it is called "perms"

    ¯\_(ツ)_/¯

    Thursday, April 3, 2014 2:54 PM
  • Correct. I suspect the real question is, "how can I tell if I'm running elevated?"

    If that isn't the real question, then the OP needs to clarify.


    -- Bill Stewart [Bill_Stewart]

    Thursday, April 3, 2014 3:02 PM
    Moderator
  • SysInternals has a utility but it can only be run by an admin locally.  "AccessChk"


    ¯\_(ツ)_/¯

    Thursday, April 3, 2014 3:10 PM
  • That's more awkward in a batch file.  "Whoami /groups" still tells you if you're elevated, by checking the Attributes column (which, in English, will contain the string "Group used for deny only" on the Administrators line.  Not sure if this text gets localized into other languages.)

    In PowerShell, it would be easier to detect elevation without any string parsing.  (This is a bit of a long command; it can be split across multiple lines, if desired.)

    #
    
    $isElevated = ([System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    
    #

    Thursday, April 3, 2014 3:12 PM
  • If third-party utilities are OK, you can use IsAdmin.exe to detect if the current process is elevated. It returns an exit code of 1 if the process is elevated.

    http://www.westmesatech.com/wast.html


    ...
    isadmin.exe -q
    if %ERRORLEVEL% EQU 2 goto :ELEVATED
    ...
    


    -- Bill Stewart [Bill_Stewart]

    Thursday, April 3, 2014 3:17 PM
    Moderator
  • You can also run the following to detect if Admin and running under UAC in PowerShell.

    [bool]((whoami /groups) -match "S-1-16-12288")
    

    Reference:

    http://msdn.microsoft.com/en-us/library/bb625963.aspx


    Boe Prox
    Blog | Twitter
    PoshWSUS | PoshPAIG | PoshChat | PoshEventUI
    PowerShell Deep Dives Book

    Thursday, April 3, 2014 5:01 PM
    Moderator
  • You can also run the following to detect if Admin and running under UAC in PowerShell.

    [bool]((whoami /groups) -match "S-1-16-12288")

    Reference:

    http://msdn.microsoft.com/en-us/library/bb625963.aspx


    Boe Prox
    Blog | Twitter
    PoshWSUS | PoshPAIG | PoshChat | PoshEventUI
    PowerShell Deep Dives Book


    That's handy! Makes it easier in a batch file as well.
    Thursday, April 3, 2014 5:09 PM
  • HI All,

              By passing the server name and user name as parameter and I want to find weather user name passed in parameter holding admin rights or not.Can any one help me how can I do this.



    Samar

    Friday, April 4, 2014 1:48 PM
  • Cannot be done without special tools.


    ¯\_(ツ)_/¯

    Friday, April 4, 2014 2:17 PM
  • Cannot be done without special tools.


    ¯\_(ツ)_/¯

    Seriously?

    http://blogs.technet.com/b/heyscriptingguy/archive/2013/10/27/the-admin-s-first-steps-local-group-membership.aspx

    Using these techniques should get the job done, don't you think?

    For a domain environment, if the user's account is added to the Built-in Administrators group, shouldn't be that hard. But, if the user is part of some Active Directory group added to the Built-in Administrators group, that should be checked too.


    Sunday, April 6, 2014 8:23 AM
  • Cannot be done without special tools.


    ¯\_(ツ)_/¯

    Seriously?

    http://blogs.teThat chnet.com/b/heyscriptingguy/archive/2013/10/27/the-admin-s-first-steps-local-group-membership.aspx

    Using these techniques should get the job done, don't you think?

    For a domain environment, if the user's account is added to the Built-in Administrators group, shouldn't be that hard. But, if the user is part of some Active Directory group added to the Built-in Administrators group, that should be checked too.


    That is not the question you asked.  A user can have admin rights without being in any special group.  This is one of the things that most untrained Windows techs fail to understand.  Group membership is only one way to assign rights.  THe other way is through direct assignment.  How else do you think the groups could get rights.

    ¯\_(ツ)_/¯

    Sunday, April 6, 2014 1:20 PM
  • A user can have admin rights without being in any special group.  This is one of the things that most untrained Windows techs fail to understand.  Group membership is only one way to assign rights.  THe other way is through direct assignment.  How else do you think the groups could get rights.

    ¯\_(ツ)_/¯

    Ok, thanx for this, will look it up and train myself if I can. =)

    But it would definitely be a good starting point. Cheers!

    Monday, April 7, 2014 2:44 PM
  • Just try to find out where permissions come from.  What part of Windows is responsible for this.  Why doesn't just adding someone to Domain Admin group guarantee admin rights.

    How come two groups identical in every way except name have different "right granting" ability?

    What is the difference between "rights", "privileges"  and "permissions" and why?

    This is something that every Windows tech from 'Desktop Help' to 'Domain Admin' must know.


    ¯\_(ツ)_/¯


    • Edited by jrv Monday, April 7, 2014 4:52 PM
    Monday, April 7, 2014 4:50 PM
  • Here is a good article on half of this issue.  The explanation of "privileges" and "Permissions" is in the same neighborhood. This gets you halfway to understanding how an account gain administrator rights.

    Your original question asks about "permissions"  in reality there is no such thing as "admin" permissions.  What you can find is if an account has enough rights to act as an administrator.

    If you read all of the lined subject you will find that "permissions" can be granted to any account on any object.  "Permissions" can be seen as "level of access" to an object such as a file or folder.

    So the questions are...?


    ¯\_(ツ)_/¯

    Monday, April 7, 2014 5:01 PM
  • It is interesting how no amount of coaxing will get an answer to a question that is asked incorrectly;)


    ¯\_(ツ)_/¯

    Monday, April 7, 2014 5:23 PM