Error in a PowerShell Script to check the user is part of admin group or not

  • Hello Everyone,
    I am running the script below to verify whether the user is part of the admin group or not. But when I run it I get an error; please advise me on this.

    $COMPUTER = [Environment]::MachineName
    $DOMAIN = [Environment]::UserDomainName
    # Console user as DOMAIN\user (null when nobody is logged on at the console)
    $USERNAME = (Get-WmiObject win32_computersystem).username

    # Strip the domain prefix, leaving only the bare user name
    $NEWUSER = $username.Replace("$DOMAIN\", "")

    function Is-Admin
    {
        $identity = $NEWUSER
        # WindowsPrincipal expects a WindowsIdentity object, not a user-name string; this is the line the error below refers to
        $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
        $admin = [System.Security.Principal.WindowsBuiltInRole]::Administrator
        $principal.IsInRole($admin)
    }
    $CHECK = Is-Admin
    Is-Admin
    The error comes as below:
    New-object : Cannot convert argument "0" with value:"XXXXX", FOR
    "WindowsPrincipal" to type "System.security.Principal.WindowsIdentity":
    "Cannot convert value "XXXXX" to type "System.security.Principal.WindowsIdentity".
    Error: Logon failure: the user has not been granted the requested logon type at this computer.
    • Edited by SinghAbhi Friday, April 8, 2016 12:10 PM
    Friday, April 8, 2016 12:08 PM

All replies

  • I have used:

    If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    

    if the statement returns True, the current user is Administrator.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, April 8, 2016 12:33 PM
    Moderator
  • Actually that only tests elevation.

    There is no good way to check for admin remotely.  You would have to check the local group, then all enclosed groups.

    When running as user we can use whoami to see the tokens.

    whoami /groups|where{$_ -match 'BUILTIN\\Administrators'}


    \_(ツ)_/

    Friday, April 8, 2016 3:08 PM
  • Thanks Richard, but it checks elevation. I am deploying the script in system context with admin mode, so by default the script will be running in elevation. We need to check whether the logged on user is in the administrator group or not; according to the result we are doing something else with another script.
    Friday, April 8, 2016 5:16 PM
  • Thanks Jrv, but unfortunately I am unable to get any result from the above line of script. Our requirement is to check whether the logged on user is in the administrator group or not.
    Friday, April 8, 2016 5:18 PM
  • Thanks Jrv, but unfortunately I am unable to get any result from the above line of script. Our requirement is to check whether the logged on user is in the administrator group or not.

    If the logged on user is not a part of the admin group the result will be null.

    if(whoami /groups|where{$_ -match 'BUILTIN\\Administrators'}){
          'We are admin'
    }else{
          'we are not admin'
    }

    You cannot elevate a standard user.  Only admin accounts can be elevated.


    \_(ツ)_/

    Friday, April 8, 2016 5:22 PM
  • Hi Jrv,

    I tell you the complete scenario :

    We are running a script using SCCM tool, and SCCM runs this script in System context.

    We run this script on a machine using SCCM and check whether the user who is logged on to this machine is in the Administrator group or not. If the user is not in the Admin group then we add them to the Admin group.

    So anyhow we have to run this script using SCCM in System context... If we check the user who is running this, it will always be SYSTEM (System Context)...

    But we want to know about the user who is logged on this machine, not the user who is running this script.

    Hope my requirement is clear to you...

    We used WMI in our script to achieve this but our script works fine on few machines but it gives this error on a remote machine....

    • Edited by SinghAbhi Friday, April 8, 2016 6:52 PM
    Friday, April 8, 2016 6:47 PM
  • It cannot be done the way you are trying to do it.  Post in the SCCM forum for help with managing users from an SCCM task running under the SYSTEM account.

    \_(ツ)_/

    Friday, April 8, 2016 6:58 PM
  • But we want to know about the user who is logged on this machine, not the user who is running this script.

    Why?


    -- Bill Stewart [Bill_Stewart]

    Friday, April 8, 2016 7:15 PM
    Moderator

  • But we want to know about the user who is logged on this machine, not the user who is running this script.

    You can get the user logged in to the console with WMI: Win32_ComputerSystem.UserName


    \_(ツ)_/

    Friday, April 8, 2016 7:33 PM
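    As an added example (not code from the thread or from any of its posters), the following combines the two points jrv makes above: take the console user from Win32_ComputerSystem.UserName, resolve that name to a SID, and walk the local Administrators group plus any groups nested inside it through the ADSI WinNT provider. The function names are my own; the nested-group walk only sees members the WinNT provider can enumerate (a domain controller must be reachable for domain groups), so as jrv notes a negative answer is best-effort, not proof.

    ```powershell
    # Added example: intended to run as SYSTEM (e.g. from an SCCM task) and report
    # whether the user at the console is a direct or nested member of the local
    # Administrators group. Function names are illustrative, not a built-in API.

    function Get-GroupMemberSids {
        param([string]$AdsPath, [hashtable]$Seen = @{})
        if ($Seen.ContainsKey($AdsPath)) { return }   # guard against group cycles
        $Seen[$AdsPath] = $true
        $group = [ADSI]$AdsPath
        foreach ($m in @($group.Invoke('Members'))) {
            $t     = $m.GetType()
            $class = $t.InvokeMember('Class',     'GetProperty', $null, $m, $null)
            $path  = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
            $raw   = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            # Emit the member's SID as a string (byte[] -> SecurityIdentifier)
            if ($raw) { (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value }
            if ($class -eq 'Group') {
                # Nested group (local or domain): recurse when the provider can bind to it
                try { Get-GroupMemberSids -AdsPath $path -Seen $Seen }
                catch { Write-Warning "Cannot enumerate nested group $path : $_" }
            }
        }
    }

    function Test-ConsoleUserIsLocalAdmin {
        # 'DOMAIN\user' for the interactive console session; $null when nobody is logged on
        $logon = (Get-WmiObject Win32_ComputerSystem).UserName
        if (-not $logon) { throw 'No interactive user is logged on at the console.' }
        # Compare SIDs rather than names: names vary in case and domain prefix, SIDs do not
        $userSid = (New-Object System.Security.Principal.NTAccount($logon)).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        $adminSids = @(Get-GroupMemberSids -AdsPath 'WinNT://./Administrators,group')
        New-Object PSObject -Property @{
            User    = $logon
            Sid     = $userSid
            IsAdmin = ($adminSids -contains $userSid)
        }
    }

    Test-ConsoleUserIsLocalAdmin
    ```

    Membership granted only through a group the WinNT provider cannot enumerate will be reported as IsAdmin = False, so treat a False together with a warning as "unknown" rather than "not admin".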
  • Thank you, I used the same in my script.
    Friday, April 8, 2016 9:45 PM