How to check if user is an administrator on that machine

Question

I need to check if a user is an administrator on the machine where the application is running. Basically, the user will provide the username, password and domain, possibly from another machine. These are transmitted over WCF and at this stage I need to verify whether the provided username, password and domain have admin rights on that machine. This means that there is no need for WMI since everything is happening locally (the user simply sent the username, password, domain as strings over WCF)

Users can be on a domain and hence linked to Active Directory but can can also be a local user, which means that I cannot reply to look it up from Active Directory.

I managed to impersonate the user and can verify that this user is an administrator in the local group. I tested this using the following command:

net localgroup administrators

I am now creating a WindowsPrincipal with the current impersonated user. However, I am getting false when checking if this user is an admin. Here is the important code:

// obtains user token
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, 
    int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

// closes open handes returned by LogonUser
[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
public extern static bool CloseHandle(IntPtr handle);

// creates duplicate token handle
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, 
    int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);

bool bImpersonated = LogonUser(sUsername, sDomain, sPassword,  LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref pExistingTokenHandle);

bool bRetVal = DuplicateToken(pExistingTokenHandle, (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, ref pDuplicateTokenHandle);

WindowsIdentity newId = new WindowsIdentity(pDuplicateTokenHandle);
WindowsImpersonationContext impersonatedUser = newId.Impersonate();
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());

if (wp.IsInRole(WindowsBuiltInRole.Administrator))
{
    //is admin
}
else
{
    //is not an admin (I am still getting this when user is an admin)
}

bImpersonated returns true (so Impersonation worked) bRetVal also returns true (so token is valid)

The Impersonation code is from here (except for the Admin check)

Any help would be greatly appreciated.

Impersonate the user, then get the active principal, then check `IsInRole`? — Peter Ritchie, Oct 01 '14 at 17:23
@PeterRitchie this looks good but for some reason IsInRole(WindowsBuiltInRole.Administrator) is always returning false (for both local account and domain accounts). Any ideas? — seedg, Oct 02 '14 at 07:30
Have you tried [this](http://stackoverflow.com/questions/1089046/in-net-c-test-if-user-is-an-administrative-user)? — 500 - Internal Server Error, Oct 02 '14 at 09:58
See http://stackoverflow.com/questions/2674182/calling-iprincipal-isinrole-on-windows-7 — Peter Ritchie, Oct 02 '14 at 12:17

score 1 · Answer 1 · answered Oct 02 '14 at 09:59

I use a check by token :

private static Boolean IsAdministratorByToken(WindowsIdentity identity)
{
    WindowsPrincipal principal = new WindowsPrincipal(identity);

    // Check if this user has the Administrator role. If they do, return immediately.
    // If UAC is on, and the process is not elevated, then this will actually return false.
    if (principal.IsInRole(WindowsBuiltInRole.Administrator))
    {
        return true;
    }

    // If we're not running in Vista onwards, we don't have to worry about checking for UAC.
    if (Environment.OSVersion.Platform != PlatformID.Win32NT || Environment.OSVersion.Version.Major < 6)
    {
        // Operating system does not support UAC; skipping elevation check.
        return false;
    }

    int tokenInfLength = Marshal.SizeOf(typeof(int));
    IntPtr tokenInformation = Marshal.AllocHGlobal(tokenInfLength);

    try
    {
        IntPtr token = identity.Token;
        Boolean result = NativeMethods.GetTokenInformation(token, NativeMethods.TokenInformationClass.TokenElevationType, tokenInformation, tokenInfLength, out tokenInfLength);

        if (!result)
        {
            Exception exception = Marshal.GetExceptionForHR(Marshal.GetHRForLastWin32Error());
            throw new InvalidOperationException("Couldn't get token information", exception);
        }

        NativeMethods.TokenElevationType elevationType = (NativeMethods.TokenElevationType)Marshal.ReadInt32(tokenInformation);

        switch (elevationType)
        {
            case NativeMethods.TokenElevationType.TokenElevationTypeDefault:
                // TokenElevationTypeDefault - User is not using a split token, so they cannot elevate.
                return false;

            case NativeMethods.TokenElevationType.TokenElevationTypeFull:
                // TokenElevationTypeFull - User has a split token, and the process is running elevated. Assuming they're an administrator.
                return true;

            case NativeMethods.TokenElevationType.TokenElevationTypeLimited:
                // TokenElevationTypeLimited - User has a split token, but the process is not running elevated. Assuming they're an administrator.
                return true;

            default:
                // Unknown token elevation type.
                return false;
        }
    }
    finally
    {
        if (tokenInformation != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(tokenInformation);
        }
    }
}

this is from this blog.

You can also check by using PrincipalContext, but this solution doesn't work if Server Service is not running.

score 1 · Answer 2 · answered May 17 '17 at 14:23

Code from Xaruth is wrong about TokenElevationTypeLimited, in that case, you should return false and also for build in administrator you will get TokenElevationTypeDefault, so in that case, check if the user is admin instead of just returning false. Here is code from this post: https://candritzky.wordpress.com/2012/08/28/uac-elevation-and-the-default-administrator-account/

/// <summary>
/// Base on code found here:
/// http://stackoverflow.com/questions/1220213/c-detect-if-running-with-elevated-privileges
/// </summary>
public static class UacHelper
{
    private const string uacRegistryKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";
    private const string uacRegistryValue = "EnableLUA";

    private const uint STANDARD_RIGHTS_READ = 0x00020000;
    private const uint TOKEN_QUERY = 0x0008;
    private const uint TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength,
        out uint ReturnLength);

    public enum TOKEN_INFORMATION_CLASS
    {
        TokenUser = 1,
        TokenGroups,
        TokenPrivileges,
        TokenOwner,
        TokenPrimaryGroup,
        TokenDefaultDacl,
        TokenSource,
        TokenType,
        TokenImpersonationLevel,
        TokenStatistics,
        TokenRestrictedSids,
        TokenSessionId,
        TokenGroupsAndPrivileges,
        TokenSessionReference,
        TokenSandBoxInert,
        TokenAuditPolicy,
        TokenOrigin,
        TokenElevationType,
        TokenLinkedToken,
        TokenElevation,
        TokenHasRestrictions,
        TokenAccessInformation,
        TokenVirtualizationAllowed,
        TokenVirtualizationEnabled,
        TokenIntegrityLevel,
        TokenUIAccess,
        TokenMandatoryPolicy,
        TokenLogonSid,
        MaxTokenInfoClass
    }

    public enum TOKEN_ELEVATION_TYPE
    {
        TokenElevationTypeDefault = 1,
        TokenElevationTypeFull,
        TokenElevationTypeLimited
    }

    private static bool? _isUacEnabled;

    public static bool IsUacEnabled
    {
        get
        {
            if (_isUacEnabled == null)
            {
                var uacKey = Registry.LocalMachine.OpenSubKey(uacRegistryKey, false);
                if (uacKey == null)
                {
                    _isUacEnabled = false;
                }
                else
                {
                    var enableLua = uacKey.GetValue(uacRegistryValue);
                    _isUacEnabled = enableLua.Equals(1);
                }
            }
            return _isUacEnabled.Value;
        }
    }

    private static bool? _isAdministrator;

    public static bool IsAdministrator
    {
        get
        {
            if (_isAdministrator == null)
            {
                var identity = WindowsIdentity.GetCurrent();
                Debug.Assert(identity != null);
                var principal = new WindowsPrincipal(identity);
                _isAdministrator = principal.IsInRole(WindowsBuiltInRole.Administrator);
            }
            return _isAdministrator.Value;
        }
    }

    private static bool? _isProcessElevated;

    public static bool IsProcessElevated
    {
        get
        {
            if (_isProcessElevated == null)
            {
                if (IsUacEnabled)
                {
                    var process = Process.GetCurrentProcess();

                    IntPtr tokenHandle;
                    if (!OpenProcessToken(process.Handle, TOKEN_READ, out tokenHandle))
                    {
                        throw new ApplicationException("Could not get process token.  Win32 Error Code: " +
                                                       Marshal.GetLastWin32Error());
                    }

                    var elevationResult = TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault;

                    var elevationResultSize = Marshal.SizeOf((int) elevationResult);
                    uint returnedSize;
                    var elevationTypePtr = Marshal.AllocHGlobal(elevationResultSize);

                    var success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevationType,
                        elevationTypePtr, (uint) elevationResultSize, out returnedSize);
                    if (!success)
                    {
                        Marshal.FreeHGlobal(elevationTypePtr);
                        throw new ApplicationException("Unable to determine the current elevation.");
                    }

                    elevationResult = (TOKEN_ELEVATION_TYPE) Marshal.ReadInt32(elevationTypePtr);
                    Marshal.FreeHGlobal(elevationTypePtr);

                    // Special test for TokenElevationTypeDefault.
                    // If the current user is the default Administrator, then the
                    // process is also assumed to run elevated. This is assumed 
                    // because by default the default Administrator (which is disabled by default) 
                    //  gets all access rights even without showing a UAC prompt.
                    switch (elevationResult)
                    {
                        case TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
                            _isProcessElevated = true;
                            break;
                        case TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
                            _isProcessElevated = false;
                            break;
                        default:
                            // Will come here if either
                            // 1. We are running as the default Administrator.
                            // 2. We were started using "Run as administrator" from a non-admin
                            //    account and logged on as the default Administrator account from
                            //    the list of available Administrator accounts.
                            //
                            // Note: By default the default Administrator account always behaves 
                            //       as if UAC was turned off. 
                            //
                            // This can be controlled through the Local Security Policy editor 
                            // (secpol.msc) using the 
                            // "User Account Control: Use Admin Approval Mode for the built-in Administrator account"
                            // option of the Security Settings\Local Policies\Security Options branch.
                            _isProcessElevated = IsAdministrator;
                            break;
                    }
                }
                else
                {
                    _isProcessElevated = IsAdministrator;
                }
            }
            return _isProcessElevated.Value;
        }
    }
}

How to check if user is an administrator on that machine

2 Answers2