
Universal test for Admin privileges

Is there a single guaranteed method to test if the current user has admin rights? I have tried this

$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("Administrators")

And it works, as long as Windows was originally installed in English. If Windows is installed in Spanish you have to test for Administradors. And there are a few other languages that work similarly. My first thought is to just test for all the possible spellings, but if there is something simple, elegant and foolproof, that would be my preference.

You are calling the String definition of the IsInRole Method, and this is why you have problems in different languages.

If you look at the IsInRole OverloadDefinitions, you'll see that the first definition is a String, which is the definition you are calling in your code:

OverloadDefinitions
-------------------
bool IsInRole(string role)
bool IsInRole(System.Security.Principal.WindowsBuiltInRole role)
bool IsInRole(int rid)
bool IsInRole(System.Security.Principal.SecurityIdentifier sid)
bool IPrincipal.IsInRole(string role)

This string-based overload shares the same disadvantage as the NET LOCALGROUP Administrators command: it relies on group names, which are not the same in different OS languages.

To solve this problem, use the System.Security.Principal.WindowsBuiltInRole OverLoadDefinition:

$role = [System.Security.Principal.WindowsBuiltInRole] "Administrator"

And check against this role instead:

$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole($role)

This way you don't need to care about different OS languages.

*To get all the available WindowsBuiltInRoles:

[System.Enum]::GetValues([System.Security.Principal.WindowsBuiltInRole])

You can use the SID for Administrators as it's a well-known SID (static).

SID: S-1-5-32-544

Name: Administrators

Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.

$isAdmin = (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole(([System.Security.Principal.SecurityIdentifier]"S-1-5-32-544"))
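The checks discussed in the answers above, run side by side, as an added example that is not part of the original posts. The function name Get-AdminCheck and the property names of the object it returns are made up for illustration. It also resolves the SID to the group name used by the local installation, which shows why the string overload fails on non-English systems.

```powershell
# Added example (not from the original posts). Get-AdminCheck and its output
# property names are hypothetical; all .NET types and methods are standard.
function Get-AdminCheck {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Build the BUILTIN\Administrators SID (S-1-5-32-544) from the well-known
    # enum value instead of typing the string literal.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Ask Windows what this SID is called on this installation. The returned
    # name is language dependent, which is what breaks the string overload.
    try {
        $localName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        $localName = $null   # name lookup failed; the SID check below still works
    }

    # IsInRole evaluates the access token of the current process. With UAC
    # enabled, a member of Administrators running a non-elevated session gets
    # False from the SID and enum checks until the process is elevated.
    [pscustomobject]@{
        User               = $identity.Name
        AdminSid           = $adminSid.Value
        LocalizedGroupName = $localName
        BySid              = $principal.IsInRole($adminSid)
        ByBuiltInRole      = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ByEnglishName      = $principal.IsInRole('Administrators')   # language dependent
    }
}

Get-AdminCheck | Format-List
```

On an English installation all three checks agree; on a localized one only ByEnglishName can differ from the other two.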
