PS: check if logged on user is local admin

  • Question

  • Hi,

    I'd like to see if a remote logged on user is local admin or not.

    For that, I enumerate the local admins of the remote computer:
    $localadmins = Get-LocalGroupMember -Computername $ComputerName -Name 'Administrators'

    Then check the username (via last loaded profile):
    $username = $((Get-WmiObject -ErrorAction Continue -ComputerName $computername -Class Win32_UserProfile -Filter "Special='False'" |  select @{Name='UserName';Expression={Split-Path $_.LocalPath -Leaf}}, LocalPath, Loaded, @{Name='LastUsed';Expression={$_.ConvertToDateTime($_.LastUseTime)}}, PSComputerName | sort LastUsed -Descending)[0]).username

    Then check if user is part of localadmin:
    if ($localadmins -contains $username) {$result = 'LOCALADMIN!'}
    else { $Result = 'No local admin'}

    But the problem is that when I set up a remote session, I'm the $username :-)
    I could check for quser but I was hoping for a much simpler approach. Then also I'm not listing the administrators recursively (that would take too much time).

    Please advise.
    J.

    Jan Hoedt

    Thursday, February 9, 2017 3:45 PM

Answers

  • function Test-LocalAdmins
    {
      param($ComputerName )
    
      Write-Verbose "Getting LocalAdmins of $ComputerName"  
      $localadmins = Get-LocalGroupMember -Computername $ComputerName -Name 'Administrators'
      
      Write-Verbose "Getting logged on user of $ComputerName" 
      try {
        $Username = (Get-WmiObject -ErrorAction SilentlyContinue -ComputerName $computername -Class Win32_ComputerSystem | Select-Object UserName).username.split('\')[1]
      }
      catch { 
        $username = 'N/A'
      }
    
      if ($username -ne 'N/A'){
        if ($localadmins -contains $username) 
        {
          $result = 'LocalAdmin'
          Write-Host "$Username is $Result on $ComputerName" -ForegroundColor Red
        }
        else 
        {
          $result = 'NoLocalAdmin'
          Write-Host "$Username is $Result $ComputerName" -ForegroundColor Green
        }
      }
      else {
        $result = 'Could not find any logged on users. Rerun when user is logged on to see if he/she is local admin.'
        Write-Host $Result -ForegroundColor Green
      }
    }


    Jan Hoedt

    • Marked as answer by janhoedt Wednesday, February 15, 2017 9:21 AM
    Thursday, February 9, 2017 4:55 PM

All replies

  • You cannot remotely detect if the user is local admin if the user is a domain user.

    You can get the local user via "Win32_ComputerSystem.Username".  If the domain portion of the name matches the local machine name then you can check for membership in the local "Administrators" group.  If it doesn't match then you will have to check the "Domain Admins" group to determine the result.


    \_(ツ)_/

    Thursday, February 9, 2017 6:13 PM
  • There are GPO settings for managing memberships of the local Administrators groups on computers.


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Bill_StewartModerator Sunday, February 12, 2017 1:50 PM
    • Unproposed as answer by janhoedt Wednesday, February 15, 2017 9:23 AM
    Friday, February 10, 2017 4:30 AM
    Moderator
  • I don't want to manage local admins, I want to see if the logged on user is local admin.

    Jan Hoedt

    Wednesday, February 15, 2017 9:22 AM
  • I don't want to manage local admins, I want to see if the logged on user is local admin.

    Jan Hoedt

    As I pointed out above you cannot do that remotely if the user is a domain account because you cannot remotely know the domain accounts in the local admin group using WMI.  You can only tell that if the user is a local account.

    Your code cannot work because Get-LocalGroupMember does not have a "ComputerName" parameter.

    This also won't work for users logged in remotely.  You can use remoting for this if the remote has PS5 installed:

    Invoke-Command -ScriptBlock {Get-LocalGroupMember administrators} -Computer $computer

    To get a remotely logged in user you have to enumerate the Win32_Process and get the user name, then check if it is a member of the domain admins or any group with admin authority that may be in or nested in any group in the local administrators group.

    If you just want to know if a user account has been added to the local admins group then you can just use the remoting method and match the full account name.

    The following will check if the user is a direct member of the local Administrators group.

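    $computer = 'somepc'
    # Query the console user on the remote computer (DOMAIN\user, or empty if no one is logged on)
    if ($username = (Get-WmiObject Win32_ComputerSystem -ComputerName $computer).UserName) {
        # Accounts that are direct members of the local Administrators group
        $match = Get-WmiObject Win32_Group -Filter 'Name="Administrators"' -ComputerName $computer |
            ForEach-Object { $_.GetRelated('Win32_UserAccount') } |
            Where-Object { $_.Caption -eq $username }
        if ($match) {
            Write-Host 'logged on account is a member of local admins'
        }
        else {
            Write-Host 'not a member'
        }
    }
    else {
        Write-Host 'no one logged on'
    }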


    \_(ツ)_/




    • Edited by jrv Wednesday, February 15, 2017 10:42 AM
    Wednesday, February 15, 2017 10:25 AM
  • One very simple way is to use an executable I wrote called isadmin.exe:

    http://www.westmesatech.com/wast.html

    When you run the executable, it returns an exit code 0 if the current user is not a member of Administrators, 1 if the current user is a member of Administrators and is running elevated, or 2 if the current user is a member of Administrators but is not running elevated.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, February 15, 2017 3:48 PM
    Moderator
  • Your marked answer will fail if the group is not named "Administrators" (i.e., in other locales or if the group has been renamed).

    -- Bill Stewart [Bill_Stewart]

    Wednesday, February 15, 2017 4:04 PM
    Moderator
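
The points raised in the replies above, combined into one function as an added example that is not part of the original thread: the check runs inside a remoting session and selects the group by its well-known SID, so a localized or renamed Administrators group still matches. The function name and 'somepc' are placeholders; it assumes PowerShell remoting is enabled and the LocalAccounts cmdlets (PowerShell 5.1) are present on the target.

```powershell
# Added example, not code from the thread. 'somepc' is a placeholder name.
function Test-LoggedOnUserIsLocalAdmin {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Console user as DOMAIN\user. Empty when nobody is logged on at the
        # console; users in terminal services (RDP) sessions are not reported.
        $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        if (-not $user) {
            return [pscustomobject]@{
                User = $null; Result = 'NoConsoleUser'; OtherMembers = @()
            }
        }

        # Compare by SID rather than by name, so name formatting
        # (DOMAIN\user vs. user) cannot cause a false negative.
        $sid = ([System.Security.Principal.NTAccount]$user).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group; it is identical in every locale and survives a rename.
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

        $direct = $members | Where-Object { $_.SID.Value -eq $sid }

        # Membership is not expanded recursively. Any entry listed here that
        # is a group may still contain the user, so 'NotDirectMember' is only
        # conclusive when none of the other members is a group.
        $others = @($members |
            Where-Object { $_.SID.Value -ne $sid } |
            ForEach-Object { $_.Name })

        [pscustomobject]@{
            User         = $user
            Result       = if ($direct) { 'DirectMember' } else { 'NotDirectMember' }
            OtherMembers = $others
        }
    }
}

Test-LoggedOnUserIsLocalAdmin -ComputerName 'somepc'
```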
  • Thanks but I do not like 3rd party executables. You never know what's inside/what it is doing.
    PS gives you control and you know what is going on.

    Jan Hoedt

    Wednesday, February 15, 2017 4:06 PM
  • I know, but that is good enough for our environment.

    Jan Hoedt

    Wednesday, February 15, 2017 4:07 PM
  • (Get-WmiObject win32_computersystem).username is empty on my windows 2012 machine.
    If I run invoke-command -scriptblock { Get-WmiObject win32_ComputerSystem } -ComputerName remotehost
    the query takes about 1 minute so not usable for me.

    Jan Hoedt

    Wednesday, February 15, 2017 4:17 PM
  • I am puzzled about what it is you really need to know. What problem are you solving?

    -- Bill Stewart [Bill_Stewart]

    Wednesday, February 15, 2017 4:36 PM
    Moderator