
Imagine there is a PowerShell script running under the SYSTEM account on a Windows 10 machine that checks which domain user is currently logged on. No big deal.

Now: I want to check if this logged on user has administrator rights on this machine. Every check I could find so far is only looking at ".IsInRole([Security.Principal.WindowsBuiltInRole]::'Administrator')". But this only checks if the user is a direct member of the local group "Administrators". But it is possible that within the local Administrators group there is a domain group, and the user is a member of this domain group instead. So he is admin, even if he is not a direct member of the Administrators group.

How can I check for both at the same time? I just want to check IF someone is admin, no matter where those admin rights come from. This check will also run under the SYSTEM account, not with the affected user account itself.

Any ideas?

Fabster

1 Answer


If the domain group is part of the local Administrators group, then by design, all users in that domain group are local admins and have all the rights and privileges that means. So, that code block would still apply.

You have to explicitly check for the user rights and privileges assigned. There is no built-in cmdlet for this, so you have to code for it. To see your rights and privs, you can just use the good old whoami.exe...

whoami /priv

# Results
<#
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
#>

... then compare that to the list of Windows privileges that are normally used for administration actions.

Running this remotely as the logged-on user cannot be done with PowerShell natively; it's a Windows security boundary, and thus you'll need something like PsExec.exe from Microsoft Sysinternals to try that.

postanote
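The following is an added example, not part of the question or of postanote's answer, showing one way to answer the original question directly: resolve a domain user's full (nested) group membership and intersect it with the members of the local Administrators group, so the check works from a SYSTEM context without needing the user's own token. It assumes a domain-joined machine, Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember), and the .NET System.DirectoryServices.AccountManagement assembly; the function name Test-EffectiveLocalAdmin and the DOMAIN\user input format are my own choices.

```powershell
# Added example (not from the original question or answer). Decides whether a domain
# user is an effective member of the local Administrators group, including membership
# through nested domain groups. Runs under SYSTEM on a domain-joined machine, which
# queries AD as the computer account. Assumes Get-LocalGroupMember and the
# System.DirectoryServices.AccountManagement assembly are available.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-EffectiveLocalAdmin {
    [CmdletBinding()]
    param(
        # Account in DOMAIN\user form, e.g. the owner of the interactive session
        [Parameter(Mandatory)] [string] $Account
    )

    $domain, $sam = $Account -split '\\', 2
    if (-not $sam) { throw "Expected DOMAIN\user, got '$Account'" }

    # 1. Direct members of the local Administrators group, keyed by SID. The well-known
    #    SID S-1-5-32-544 is used instead of the group name so this works on localized Windows.
    $adminSid     = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    $adminMembers = @{}
    foreach ($m in Get-LocalGroupMember -SID $adminSid) {
        $adminMembers[$m.SID.Value] = $m.Name
    }

    # 2. Resolve the user and every group its logon token would carry. GetAuthorizationGroups
    #    is recursive (tokenGroups semantics), so nested domain groups are included; this is
    #    the set Windows actually authorizes against, not just direct memberOf entries.
    $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
                [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $sam)
    if (-not $user) { throw "User '$Account' not found in domain '$domain'" }

    $tokenSids = [System.Collections.Generic.List[string]]::new()
    $tokenSids.Add($user.Sid.Value)
    foreach ($g in $user.GetAuthorizationGroups()) {
        # Some well-known principals come back without a SID; skip those.
        if ($g.Sid) { $tokenSids.Add($g.Sid.Value) }
    }

    # 3. Any overlap between the token SIDs and the Administrators members means the user
    #    is an effective local admin. Report which principal granted it, for auditing.
    $hits = $tokenSids | Where-Object { $adminMembers.ContainsKey($_) } |
            ForEach-Object { [pscustomobject]@{ Sid = $_; Via = $adminMembers[$_] } }

    [pscustomobject]@{
        Account    = $Account
        IsAdmin    = [bool]$hits
        GrantedVia = @($hits.Via)   # e.g. 'DOMAIN\Workstation Admins' or the user itself
    }
}

# Usage from a script running as SYSTEM that already determined the console user:
# $console = (Get-CimInstance Win32_ComputerSystem).UserName   # 'DOMAIN\user' or $null
# if ($console) { Test-EffectiveLocalAdmin -Account $console }
```

Two caveats worth knowing when using this as an audit check: the result reflects the directory's current state, so a user whose group membership changed after logging on keeps the old token until the next logon; and domain-local groups from a different domain are not returned by GetAuthorizationGroups, so a local Administrators entry from a trusted foreign domain would need a separate lookup in that domain.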