Test for Administrative Privileges

about admin privileges
Link to the discussion on oreilly.com

Lee Holmes is absolutely right.

I usually do:

Function Test-Foo {            
[CmdletBinding()]            
Param()            
Begin {            
 # Make sure we run as admin                                    
    $usercontext = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()                                    
    $IsAdmin = $usercontext.IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")                                                       
    if (-not($IsAdmin))                                    
    {                                    
        Write-Warning "Must run powerShell as Administrator to perform these actions"                                    
        break                        
    }              
}            
Process  {            
    'Process block goes here'            
}             
End {}            
}                          

That works fine on EN-US computers but not on French, German,…ones.

He gave us the solution.

So I quickly did the following to enumerate of the integer and their corresponding string

            
[System.Enum]::GetValues([System.Security.Principal.WindowsBuiltInRole]) | ForEach-Object -Process {            
    '{0} -> {1}' -f ([System.Security.Principal.WindowsBuiltInRole]::$_.Value__),$_            
}            
            

enum rid

To use the ‘bool IsInRole(int rid)’ method and as we know that 544 means Administrator, I do:

Function Test-Bar {            
[CmdletBinding()]            
Param()            
Begin {            
 # Make sure we run as admin                                    
    $usercontext = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()                                    
    $IsAdmin = $usercontext.IsInRole(544)                                                       
    if (-not($IsAdmin))                                    
    {                                    
        Write-Warning "Must run powerShell as Administrator to perform these actions"                                    
        break                        
    }              
}            
Process  {            
    'Process block goes here'            
}             
End {}            
}                          

The 2nd approach by using well-known SID will also work as the BUILTIN\Administrators group has the following SID: S-1-5-32-544:

$usercontext = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()                                    
$IsAdmin = $usercontext.IsInRole([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')                                                       
$IsAdmin

NB: Well-known security identifiers can be found on that page: http://support.microsoft.com/kb/243330

Advertisements

2 thoughts on “Test for Administrative Privileges

  1. Actually, the Test-Foo function works in German. But you are right, as soon as we are dealing with group and user names in a multilingual environment it gets really tricky. Your way of enumerating the different account types is great, just saved that as a snippet 🙂

  2. Hallo,
    Danke and du bist auch recht. Administrator is gültig auf deutsch und französich in Windows 7.
    Man muss aber nicht vergessen dass Windows 7 ist ‘language neutral’ and dass du kannst Powershell auf ältere betriebsysteme wie Windows XP haben. So, auf ein französiche Windows XP, die Administratoren Gruppe heisst ‘Adminisrtrateurs’.
    Es gibt eine gute Erklärung auf diese Seite: http://msdn.microsoft.com/en-us/goglobal/ee461121.aspx
    (Erst Bild ‘Localization models in Windows XP vs. Windows Vista and Windows 7’, letzte Tabelle ‘Windows 7 editions multilingual support summary’ and ein Bild in der Mitte dass zeigt das ‘Administateur’ heisst ‘Administrator in eine französiche compmgmt.msc snap-in in Windows 7)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s