Best way to know if a user has administrative privileges from a VBScript

Question

As the title says I need to check whether the user executing the script has administrative privilages on the machine or not.

I have specified the user executing the script because the script could have been executed with a user other than the logged on using something similar to "Runas".

Regards,

Javier

@Javier: Both solutions work in a PC with an English version of Windows installed but not if the installed is in different language. This is because the Administrators group doesn't exist, the name is different for instance in Spanish. I need the solution to work in all configurations.

Answer 1

You can use script if you want to see if the logged on user is an administrator

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName

isAdministrator = false

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser in objGroup.Members
    If objUser.Name = strUser Then
        isAdministrator = true        
    End If
Next

If isAdministrator Then
    Wscript.Echo strUser & " is a local administrator."
Else
    Wscript.Echo strUser & " is not a local administrator."
End If

I am not sure how to handle it when the script is run with "Runas" I am afraid.

Answer 2

This article has a nice chunk of code on how to enumerate the members of a group (copied here for convenience and edited to not use email address):

Function RetrieveUsers(domainName,grpName)

dim GrpObj
dim mbrlist
dim mbr

'-------------------------------------------------------------------------------
' *** Enumerate Group Members ***
'-------------------------------------------------------------------------------

' Build the ADSI query and retrieve the group object
Set GrpObj = GetObject("WinNT://" & domainName & "/" & grpName & ",group")

' Loop through the group membership and build a string containing the names
for each mbr in GrpObj.Members
   mbrlist = mbrlist & vbTab & mbr.name & vbCrLf
Next

RetrieveUsers=mbrlist

End Function

You can then write a function to see if a user is in the list...

Function IsAdmin(user)
    IsAdmin = InStr(RetrieveUsers("MachineName", "Administrators"), user) > 0
End Function

...and call it like this:

If IsAdmin("LocalAccount") Then
    Wscript.Echo "LocalAccount is an admin"
Else
    Wscript.Echo "LocalAccount is not an admin"
End If

Answer 3

By doing this you break scenarios where the user has the required privs for your script but does not belong to Administrators. Instead of checking for group membership, check for the specific abilities you require.