VBScript: Check if the script has administrative permissions

Question

I would like to check (by VBScript) whether the context in which the script runs allows me to perform administrative tasks.

Requirements:

• The solution should work on all Windows operating systems starting with Server 2003. (This rules out solutions which just check for membership in the Administrators group -- remember that there's UAC in Vista and Windows 7!)
• The solution should be simple. A 50 LOC solution that checks the Windows group memberships (recursively, of course, since the user might be member of a groups which is member of a group ... which is member of the Administrators group) and then does some extra checks for Vista UAC is not simple.
• The solution may be a bit dirty, so something along the lines of this solution would be ok.
• It should not be too dirty. Writing a file to C:\Windows or writing a registry key is too dirty in my opinion, since it modifies the system. (EDIT: Which might not work anyway: for example, when using VBScript in a HTA, UAC redirection kicks in.)

Related question: http://stackoverflow.com/questions/301860 (all of the answers I found there (a) ignore the UAC issue and (b) are faulty because they ignore the possibility of a user having administrative permissions although not being direct member in the Administrators group)

Answer 1

Possibly combine this (WhoAmI from VBscript) with this (UAC Turned On).

Here is the code, the unfortunate pre-req for XP is "whoami.exe", found in a resource kit or support tools for XP (Wikipedia) - I'd still like to find a way to do without it.

If UserPerms("Admin") Then
 Message = "Good to go"
Else
 Message = "Non-Admin"
End If

If UACTurnedOn = true Then
 Message = Message & ", UAC Turned On"
Else
 Message = Message & ", UAC Turned Off (Or OS < Vista)"
End If

Wscript.echo Message

Function UserPerms (PermissionQuery)          
 UserPerms = False  ' False unless proven otherwise           
 Dim CheckFor, CmdToRun         

 Select Case Ucase(PermissionQuery)           
 'Setup aliases here           
 Case "ELEVATED"           
   CheckFor =  "S-1-16-12288"           
 Case "ADMIN"           
   CheckFor =  "S-1-5-32-544"           
 Case "ADMINISTRATOR"           
   CheckFor =  "S-1-5-32-544"           
 Case Else                  
   CheckFor = PermissionQuery                  
 End Select           

 CmdToRun = "%comspec% /c whoami /all | findstr /I /C:""" & CheckFor & """"  

 Dim oShell, returnValue        
 Set oShell = CreateObject("WScript.Shell")  
 returnValue = oShell.Run(CmdToRun, 0, true)     
 If returnValue = 0 Then UserPerms = True                   
End Function

Function UACTurnedOn ()
 On Error Resume Next

 Set oShell = CreateObject("WScript.Shell")
 If oShell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA") = 0 Then
      UACTurnedOn = false
 Else
      UACTurnedOn = true
 End If
End Function

Answer 2

The code above that requires "whoami" is from our IfUserPerms script at CSI-Windows.com/toolkit/ifuserperms.

After reading your post here, I have created new script code that checks for admin rights with fast, small, efficient, passive (no changing anything) code in both VBS (9 Lines) and CMD/BAT (3 lines). It also works with UAC by reporting false if the user is not elevated.

You can find the code here: http://csi-windows.com/toolkit/csi-isadmin

Answer 3

I have added two additional script kits that dramatically enhance the original code above that came from ifuserperms.vbs.

CSI_IsSession.vbs can tell you almost anything you want to know about UAC or the current session the script is running under.

VBScriptUACKit.vbs (which uses CSI_IsSession.vbs) allows you to selectively prompt for UAC in a script by relaunching itself. Has been designed and debugged to work under many execution scenarios.