4

I have read the relevant Stack Overflow questions and tried out the following code:

```csharp
// Requires: using System.Security.Principal;
WindowsIdentity identity = WindowsIdentity.GetCurrent();
if (null != identity)
{
    WindowsPrincipal principal = new WindowsPrincipal(identity);
    return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
return false;
```

It does not return true even though I have manually confirmed that the current user is a member of the local built-in Administrators group.

What am I missing?

Thanks.

Just Shadow
Darryl Hoar
  • Does your code have different output when your "current user" runs this code and runs it as admin? – George Alexandria Jun 12 '17 at 19:37
  • 3
    You have to run the code as an administrator. If you're running through Visual Studio, then launch VS as an administrator first. – Rufus L Jun 12 '17 at 19:58
  • Ah, didn't realize it had to run as admin. I was using it in a winform application and wanted to be able to determine if the current user was an admin user or not. Back to the drawing board. Thanks. – Darryl Hoar Jun 12 '17 at 20:27
  • @RufusL, is it possible to check if current user has admin rights from application, running in no-admin mode? – Alexan Nov 29 '17 at 23:03
  • I believe so, let me post an answer below so you can try it – Rufus L Nov 30 '17 at 00:25

2 Answers

5

Just found another way to check if the user is an admin, without running the application as admin:

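```csharp
// Requires: using System.Collections.Generic; using System.Security.Claims;
//           using System.Security.Principal;
private static bool IsAdmin()
{
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    if (identity != null)
    {
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        List<Claim> list = new List<Claim>(principal.UserClaims);
        // S-1-5-32-544 is the well-known SID of the built-in Administrators group.
        Claim c = list.Find(p => p.Value.Contains("S-1-5-32-544"));
        if (c != null)
            return true;
    }
    return false;
}
```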

Credit to this answer, but code is corrected a bit.

Alexan
  • This is the first reasonable (and fast code) answer I found to this question. All other answers I found on the web have been slow or did not work with UAC (or checked whether the current process is currently elevated) or did not work otherwise. However, instead of using hardcoded "S-1-5-32-544" you could use `var sid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null)` and then `sid.Value`. – user2261015 Sep 18 '19 at 10:13
  • 1
    Or as slightly improved version `private static bool IsAdmin() { var identity = WindowsIdentity.GetCurrent(); if (identity != null) { var sid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); var principal = new WindowsPrincipal(identity); return principal.UserClaims.Any(x => x.Value.Contains(sid.Value)); } return false; }` – user2261015 Sep 18 '19 at 10:23
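
The distinction this thread turns on, as an added example that is not part of the original answers or comments: under UAC an administrator's unelevated token still carries the Administrators SID, but only as a deny-only group, which is why `IsInRole` returns false while the `UserClaims` search above finds it. The sketch relies on `WindowsIdentity` exposing enabled groups as `ClaimTypes.GroupSid` claims and deny-only groups as `ClaimTypes.DenyOnlySid` claims; `AdminState`, `AdminCheck` and `Classify` are hypothetical names, and the sample claims are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;

// Hypothetical names for this example.
enum AdminState { NotMember, MemberFiltered, MemberEnabled }

static class AdminCheck
{
    // Classifies a token's claims with respect to one group SID.
    // MemberEnabled  : SID is an enabled group (elevated, or UAC not filtering).
    // MemberFiltered : SID is present only as deny-only (admin user, unelevated token).
    public static AdminState Classify(IEnumerable<Claim> claims, string groupSid)
    {
        bool enabled = false, denyOnly = false;
        foreach (Claim c in claims)
        {
            // Exact comparison: a substring test would also accept longer SID strings.
            if (!string.Equals(c.Value, groupSid, StringComparison.OrdinalIgnoreCase))
                continue;
            if (c.Type == ClaimTypes.GroupSid || c.Type == ClaimTypes.PrimaryGroupSid)
                enabled = true;
            else if (c.Type == ClaimTypes.DenyOnlySid || c.Type == ClaimTypes.DenyOnlyPrimaryGroupSid)
                denyOnly = true;
        }
        if (enabled) return AdminState.MemberEnabled;
        return denyOnly ? AdminState.MemberFiltered : AdminState.NotMember;
    }

    static void Main()
    {
        string adminSid =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null).Value;

        // Constructed claims modelling an administrator's filtered (unelevated) token.
        var sample = new[]
        {
            new Claim(ClaimTypes.DenyOnlySid, "S-1-5-32-544"), // Administrators, deny-only
            new Claim(ClaimTypes.GroupSid, "S-1-5-32-545"),    // Users, enabled
        };
        Console.WriteLine("constructed token: " + Classify(sample, adminSid));

        // The real token of the current process.
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            Console.WriteLine("current process:   " + Classify(identity.UserClaims, adminSid));
    }
}
```

A `MemberFiltered` result means the user can elevate through a UAC prompt, not that the current process holds administrative rights, so privileged operations still need an elevated process.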
3

The code you have above seemed to only work if running as an administrator, however you can query to see if the user belongs to the local administrators group (without running as an administrator) by doing something like the code below. Note, however, that the group name is hard-coded, so I guess you would have some localization work to do if you want to run it on operating systems of different languages.

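```csharp
// Requires a reference to System.DirectoryServices.AccountManagement and:
// using System.DirectoryServices.AccountManagement; using System.Linq;
// using System.Security.Principal;
using (var pc = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
{
    using (var up = UserPrincipal.FindByIdentity(pc, WindowsIdentity.GetCurrent().Name))
    {
        // The group name is hard-coded and is localized on non-English systems.
        return up.GetAuthorizationGroups().Any(group => group.Name == "Administrators");
    }
}
```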

Note that you can also get a list of ALL the groups the user is a member of by doing this inside the second using block:

```csharp
var allGroups = up.GetAuthorizationGroups();
```

But this will be much slower depending on how many groups they're a member of. For example, I'm in 638 groups and it takes 15 seconds when I run it.

Rufus L
  • Note: This only works if you have a Domain Server in your network. Getting the exception "LDAP server not available". And you need a reference to 'System.DirectoryServices.AccountManagement'. – AndresRohrAtlasInformatik Jun 08 '22 at 09:48