7

I need to check whether the user executing the script has administrative privileges on the machine.

I have specified the user executing the script because the script could have been executed as a user other than the logged-on one, using something similar to "Runas".

@Javier: Both solutions work on a PC with an English version of Windows installed, but not if the installed version is in a different language. This is because the Administrators group doesn't exist; the name is different, for instance, in Spanish. I need the solution to work in all configurations.

niton
Javier De Pedro

10 Answers

4

By doing this you break scenarios where the user has the required privs for your script but does not belong to Administrators. Instead of checking for group membership, check for the specific abilities you require.

Jay Bazuzi
  • I agree it would be a better way to implement it, but it's a requirement that the user has administrative privileges to install the software, so in my opinion checking that would be easier. – Javier De Pedro Nov 19 '08 at 16:01
4

I know this thread is very old and marked answered but the answer isn't really giving what the OP asked about.

For anyone else searching and finding this page, here is an alternative that does report based on rights not group membership so Runas Administrator shows admin rights as True.

Option Explicit 

msgbox isAdmin(), vbOkonly, "Am I an admin?"

Private Function IsAdmin()
    On Error Resume Next
    CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
    if Err.number = 0 Then 
        IsAdmin = True
    else
        IsAdmin = False
    end if
    Err.Clear
    On Error goto 0
End Function
RLH
  • This was able to detect when I had opened MS Access "As Administrator" or not. Tested on Windows 10 64-bit with Office 2016 32-bit. – Ben Apr 08 '20 at 03:13
3

You can use this script if you want to see if the logged-on user is an administrator:

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName

isAdministrator = false

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser in objGroup.Members
    If objUser.Name = strUser Then
        isAdministrator = true        
    End If
Next

If isAdministrator Then
    Wscript.Echo strUser & " is a local administrator."
Else
    Wscript.Echo strUser & " is not a local administrator."
End If

I am not sure how to handle it when the script is run with "Runas", I am afraid.

Tim C
  • Hi Tim C, thanks. I checked it and it seems it works fine in my case as well. The UserName I get is not the logged-on one but the one the script is being executed as. Just one comment: it is a bit slow. I am calling this script from the startup of an HTML page and it takes about 2/3 seconds. – Javier De Pedro Nov 19 '08 at 14:30
  • 2
    This doesn't work if the user is not directly in the Administrators group but via some group membership. – Heinzi Oct 21 '09 at 08:43
3

What about checking for "\\computername\Admin$\system32"?

function IsLoggedInAsAdmin()
    isAdmin = false
    set shell = CreateObject("WScript.Shell")
    ' Resolve the local computer name through the shell object created above
    computername = shell.ExpandEnvironmentStrings("%computername%")
    strAdmin = "\\" & computername & "\Admin$\System32"

    set fso = CreateObject("Scripting.FileSystemObject")

    ' Admin$ is an administrative share; reaching it is taken as the admin test
    if fso.FolderExists(strAdmin) then
        isAdmin = true
    end if

    IsLoggedInAsAdmin = isAdmin
end function
JohnZaj
2

I've tried Tim C's solution on a Windows 7 box on my company network where I do actually have admin rights. But it shows my user as not having admin rights.

Instead I used a hackier method, as calling "defrag" in the cmd prompt requires admin access. While it works, be wary that XP and 7 (and possibly future versions of Windows) differ in the return code. There may be more consistent choices than defrag, but it works for now.

Function isAdmin
    Dim shell
    set shell = CreateObject("WScript.Shell")
    isAdmin = false
    errlvl = shell.Run("%comspec% /c defrag /?>nul 2>nul", 0, True)
    if errlvl = 0 OR errlvl = 2 Then '0 on Win 7, 2 on XP
        isAdmin = true
    End If
End Function
Dss
1

Yet another quick n dirty method. Returns <> 0 If IsNotAdmin

Function IsNotAdmin()
    With CreateObject("Wscript.Shell")
        IsNotAdmin = .Run("%comspec% /c OPENFILES > nul", 0, True)
    End With
End Function
spudw
  • When I'm already running "As Administrator" this is prompting me for UAC program elevation and returns 0 if I pick Yes. When running under my normal account it returns 1 but has no UAC prompt. I'm not a fan of this method. – Ben Apr 08 '20 at 03:01
1

This article has a nice chunk of code on how to enumerate the members of a group (copied here for convenience and edited to not use email address):

Function RetrieveUsers(domainName,grpName)

dim GrpObj
dim mbrlist
dim mbr

'-------------------------------------------------------------------------------
' *** Enumerate Group Members ***
'-------------------------------------------------------------------------------

' Build the ADSI query and retrieve the group object
Set GrpObj = GetObject("WinNT://" & domainName & "/" & grpName & ",group")

' Loop through the group membership and build a string containing the names
for each mbr in GrpObj.Members
   mbrlist = mbrlist & vbTab & mbr.name & vbCrLf
Next

RetrieveUsers=mbrlist

End Function

You can then write a function to see if a user is in the list...

Function IsAdmin(user)
    IsAdmin = InStr(RetrieveUsers("MachineName", "Administrators"), user) > 0
End Function

...and call it like this:

If IsAdmin("LocalAccount") Then
    Wscript.Echo "LocalAccount is an admin"
Else
    Wscript.Echo "LocalAccount is not an admin"
End If
Patrick Cuff
1

The user may not be in the local administrator group. For example, domain admins. UAC usually blocks admin access to the registry, shares, etc. even for administrators (only a manual "run as admin" gets the rights)...

Here is my crazy way:

Set Shell = CreateObject("WScript.Shell")
set fso = CreateObject("Scripting.FileSystemObject")
strCheckFolder = Shell.ExpandEnvironmentStrings("%USERPROFILE%") 
strCheckFolder = strCheckFolder+"\TempFolder"

if fso.FolderExists(strCheckFolder) then
        fso.DeleteFolder(strCheckFolder)
end if

fso.CreateFolder(strCheckFolder)
tempstr = "cmd.exe /u /c chcp 65001 | whoami /all >" & strCheckFolder & "\rights.txt"
' Run hidden and wait for whoami to finish writing the file before reading it
Shell.Run tempstr, 0, True

tempstr = strCheckFolder & "\rights.txt"
Set txtFile = FSO.OpenTextFile(tempstr,1)

IsAdmin = False

Do While Not txtFile.AtEndOfStream
  x=txtFile.Readline
  If InStr(x, "S-1-5-32-544") Then
      IsAdmin = True
  End If
Loop

txtFile.Close
OlegSu
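
An added example (not part of any answer on this page) of a token-based check built on the same `whoami` output: `whoami` also lists S-1-5-32-544 for a UAC-filtered token, as a deny-only group, so this version additionally requires a high or system integrity-level SID. The function names and the Spanish sample rows are constructed for illustration, and `whoami.exe` is assumed to be present; the SIDs are the same on every Windows language version.

```vbscript
Option Explicit

Const SID_ADMINISTRATORS = "S-1-5-32-544"    ' BUILTIN\Administrators
Const SID_HIGH_INTEGRITY = "S-1-16-12288"    ' High Mandatory Level
Const SID_SYSTEM_INTEGRITY = "S-1-16-16384"  ' System Mandatory Level

' Collect the SID column from "whoami /groups /fo csv /nh" output.
' Each row is "name","type","SID","attributes"; only the SID is locale-neutral.
Function SidsFromWhoamiCsv(csvText)
    Dim sids, line, fields
    Set sids = CreateObject("Scripting.Dictionary")
    For Each line In Split(Replace(csvText, vbCr, ""), vbLf)
        fields = Split(line, """,""")
        If UBound(fields) >= 2 Then sids(fields(2)) = True
    Next
    Set SidsFromWhoamiCsv = sids
End Function

' True only when the token carries Administrators AND runs at high (or system)
' integrity, i.e. the admin rights are usable by this process right now.
Function IsElevatedAdmin(csvText)
    Dim sids
    Set sids = SidsFromWhoamiCsv(csvText)
    IsElevatedAdmin = sids.Exists(SID_ADMINISTRATORS) And _
        (sids.Exists(SID_HIGH_INTEGRITY) Or sids.Exists(SID_SYSTEM_INTEGRITY))
End Function

' Run whoami as the account executing the script and return its CSV output.
Function CurrentTokenGroupsCsv()
    Dim proc
    Set proc = CreateObject("WScript.Shell").Exec("whoami /groups /fo csv /nh")
    CurrentTokenGroupsCsv = proc.StdOut.ReadAll
End Function

' Constructed sample: UAC-filtered token of an admin on a Spanish system.
Dim sample
sample = """BUILTIN\Administradores"",""Alias"",""S-1-5-32-544"",""Grupo usado solo para denegar""" & vbCrLf & _
         """Etiqueta obligatoria\Nivel obligatorio medio"",""Etiqueta"",""S-1-16-8192"",""Grupo obligatorio"""

WScript.Echo "Sample (filtered admin token): " & IsElevatedAdmin(sample)
WScript.Echo "Current process:               " & IsElevatedAdmin(CurrentTokenGroupsCsv())
```

Because the check reads the process token, it covers "Runas" and membership through nested groups without enumerating any group.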
0
Function isAdmin
    Dim shell
    Set shell = CreateObject("WScript.Shell")
    isAdmin = false
    errorLevel = shell.Run("%comspec% /c net session >nul 2>&1", 0, True)
    if errorLevel = 0 Then
        isAdmin = true
    End If
End Function
lygstate
0

Using "localhost" instead of the real hostname increases the script runtime about 10x!
My final code is:

' get_admin_status.vbs
Option Explicit

Dim oGroup:   Set oGroup   = GetObject("WinNT://localhost/Administrators,group")
Dim oNetwork: Set oNetwork = CreateObject("Wscript.Network")

Dim sSearchPattern: sSearchPattern = "WinNT://" & oNetwork.UserDomain & "/" & oNetwork.UserName

Dim sMember
For Each sMember In oGroup.Members
  If sMember.adsPath = sSearchPattern Then
    ' Found...
    Call WScript.Quit(0)
  End If
Next

' Not found...
Call WScript.Quit(1)

This script returns exit code 0 if the current user is a local admin.
Usage: cscript.exe get_admin_status.vbs
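
The group-enumeration answers hard-code the name "Administrators", which the question notes is translated on non-English Windows. As an added example (not code from any answer here), the group name can be resolved from its well-known SID S-1-5-32-544 through WMI before querying the WinNT provider; the function names and the sample path are hypothetical, and the check covers direct members only.

```vbscript
Option Explicit

Const SID_ADMINISTRATORS = "S-1-5-32-544"  ' same SID on every Windows language

' Look up the local group's (possibly translated) name by its well-known SID.
Function LocalAdminGroupName()
    Dim grp
    LocalAdminGroupName = ""
    For Each grp In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
            "SELECT Name FROM Win32_Group WHERE LocalAccount = TRUE " & _
            "AND SID = '" & SID_ADMINISTRATORS & "'")
        LocalAdminGroupName = grp.Name
    Next
End Function

' True when a member ADsPath ends in <authority>/<account> for the given user.
' Handles both WinNT://DOMAIN/user and WinNT://WORKGROUP/PC/user; comparing the
' authority too keeps a local "bob" from matching a domain "bob".
Function PathIsAccount(adsPath, authority, account)
    Dim parts, n
    parts = Split(adsPath, "/")
    n = UBound(parts)
    PathIsAccount = False
    If n < 3 Then Exit Function   ' e.g. an unresolved SID entry
    PathIsAccount = (StrComp(parts(n), account, vbTextCompare) = 0) And _
                    (StrComp(parts(n - 1), authority, vbTextCompare) = 0)
End Function

' Direct members only: an account that is admin through a nested group is missed.
Function IsDirectLocalAdmin()
    Dim net, member
    Set net = CreateObject("WScript.Network")
    IsDirectLocalAdmin = False
    For Each member In GetObject("WinNT://./" & LocalAdminGroupName() & ",group").Members
        If PathIsAccount(member.ADsPath, net.UserDomain, net.UserName) Then
            IsDirectLocalAdmin = True
        End If
    Next
End Function

' Constructed path for a local account "maria" on a workgroup PC named PC01.
WScript.Echo "Sample path matches: " & PathIsAccount("WinNT://WORKGROUP/PC01/maria", "PC01", "Maria")
WScript.Echo "Local admin group name: " & LocalAdminGroupName()
WScript.Echo "Direct member: " & IsDirectLocalAdmin()
```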