Question
I needed to check whether the currently logged on user is an administrator; however, I found that just using 'net localgroup administrators' was insufficient when it came to AD groups being a member of the administrators group.
[Edit:] It is easy to confuse administrator privilege in general with elevated privileges of a specific instance and I just want to highlight that this question/answer does not deal with process elevation status checking. The requirement is to generally ascertain whether or not a logged on user is an administrators group member. Much more common is the need to determine whether or not your script is running with administrator privileges. If this is what you require then please look here instead: Administrative privileges
In this particular case, there is a policy disabling the admin shares (ruling out a previous technique I used with Windows XP of testing for the existence of the admin share using \\127.0.0.1\admin$ to determine if the current user is an administrator). [/Edit]
Below is the code I gathered and wrote to see if the logged on user is an administrator.
I hope this helps someone else who requires the same thing that I did.
If anyone can provide a more elegant solution it would be appreciated!
Answer 1:
If you want to determine if the current user is a member of the local Administrators group (even if not elevated), here are some options.
whoami /groups /fo csv | convertfrom-csv | where-object { $_.SID -eq "S-1-5-32-544" }
You can also use isadmin.exe (https://westmesatech.com/?page_id=23) and check for an exit code of 2 (member of administrators, but not enabled, hence not elevated).
Answer 2:
As noted, membership in the local Administrators group is not sufficient to determine if the current process is elevated. You can test for elevation in PowerShell like this:
$elevated = ([Security.Principal.WindowsPrincipal] `
[Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
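An added example (not from the question or any of the answers) that combines Answer 1 and Answer 2: it reads the token's group list the way whoami reports it and pairs that with the elevation test, so a UAC-filtered admin session shows up as "member, but not elevated". The function name and output field names are my own.

```powershell
# Added example: group membership (as whoami reports the token) versus elevation.
function Get-AdminStatus {
    # whoami lists every group in the process token, including entries that
    # UAC has marked "Group used for deny only". The built-in Administrators
    # group always has SID S-1-5-32-544, so match on the SID rather than on a
    # (possibly localised) group name.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry  = $tokenGroups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $attributes  = $null
    if ($adminEntry) { $attributes = $adminEntry.Attributes }

    # IsInRole honours the deny-only attribute of a UAC-filtered token, so it
    # returns $false in a non-elevated session even though the SID is present.
    $principal  = [Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        User            = $principal.Identity.Name
        IsAdminMember   = [bool] $adminEntry
        IsElevated      = $isElevated
        TokenAttributes = $attributes
        # $true exactly in the situation the question describes: the user is a
        # member of Administrators, but this process runs with the filtered token.
        UacFiltered     = ([bool] $adminEntry) -and (-not $isElevated)
    }
}

Get-AdminStatus | Format-List
```

Run it once from a normal prompt and once from an elevated prompt of the same admin account to see TokenAttributes change from "Group used for deny only" to "Mandatory group, Enabled by default, Enabled group".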
Answer 3:
Using the SID:
([Security.Principal.WindowsIdentity]::GetCurrent().Groups | Select-String 'S-1-5-32-544')
Or using a "Well-known" security identifier name:
([Security.Principal.WindowsIdentity]::GetCurrent().Groups.IsWellKnown('BuiltinAdministratorsSid') -eq $true)
If you want to get all the SIDs and their names, please check this page: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
Answer 4:
Thanks for the heads-up Bill - apologies, it was very late and I'm working 7-days/wk since Christmas.
Function IsCurrentUserAdmin( [String] $UserName )
{
    # Returns $true if the user is in the local Administrators group (directly or through a nested group), otherwise $false.
    $group = [ADSI] "WinNT://./Administrators,group" # http://stackoverflow.com/questions/16617307/check-if-an-account-is-a-member-of-a-local-group-and-perform-an-if-else-in-power
    $members = @($group.psbase.Invoke("Members"))
    $AdminList = @($members | ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) })
    If ($AdminList -contains $UserName) {
        Return $true
    }
    # Not a direct member: check each group (e.g. an AD group) that is itself a member of the local Administrators group.
    # The member's Class ("User" or "Group") is read from the WinNT object, which is reliable where parsing the
    # column-formatted output of 'net user' is not (that output lists several names per line).
    ForEach ($Member In $members) {
        $Class = $Member.GetType().InvokeMember("Class", 'GetProperty', $null, $Member, $null)
        If ($Class -eq 'Group') {
            $Name = $Member.GetType().InvokeMember("Name", 'GetProperty', $null, $Member, $null)
            $Principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
            # IsInRole resolves the group name to a SID and checks the current token, so nested membership is found.
            If ($Principal.IsInRole($Name)) { Return $true }
        }
    }
    Return $false
}
# Check if logged on user is an administrators group member and quit this program if so (to enable admins to manually install long-running software etc without logoff risk / disruption)
$UserName = ${Env:UserName}
[Bool] $AdminTest = IsCurrentUserAdmin $UserName
If ($AdminTest -eq $True) {
# Do something
} Else {
# Do something else
}
Source: https://stackoverflow.com/questions/29129787/check-if-logged-on-user-is-an-administrator-when-non-elevated