How to determine in batch-file, if user is administrator

Anonymous
5 August 2005 04:18:39

Archived from groups: alt.msdos.batch.nt,microsoft.public.win2000.cmdprompt.admin,microsoft.public.windowsnt.misc

Hi NG!

Is there any possibility to determine in a batch-file, if the logged-on
user is member of Administrators-Group?
This should even work, if the user is member of a domain...

Of course I can try, to create a file under %SYSTEMROOT% or something
else, and then check, if it was created...

but perhaps there is a better practice?

Any suggestion is greatly appreciated,

Best regards,
/Heiko Pliefke
Anonymous
5 August 2005 04:18:40

On Thu, 04 Aug 2005 16:18:39 +0200, Heiko Pliefke <sledge_hammer@freenet.de> wrote:

>Hi NG!
>
>Is there any possibility to determine in a batch-file, if the logged-on
>user is member of Administrators-Group?
>This should even work, if the user is member of a domain...
>
>Of course I can try, to create a file under %SYSTEMROOT% or something
>else, and then check, if it was created...
>
>but perhaps there is a better practice?
>
>Any suggestion is greatly appreciated,
>
>Best regards,
>/Heiko Pliefke

In the batch, add the following lines to determine if the logged on user is a local administrator:

set admin=N
set domain=%USERDOMAIN%\
If /i "%domain%" EQU "%computername%\" set domain=
set user=%domain%%username%
for /f "Tokens=*" %%a in ('net localgroup administrators^|find /i "%user%"') do set admin=Y


Then just test the value of %admin%

If "%admin%" EQU "Y" goto isAdmin
Anonymous
5 August 2005 04:18:40

Try IFMEMBER.EXE from the Windows Server 2003 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyI...



"Heiko Pliefke" <sledge_hammer@freenet.de> wrote in message
news:1123165119.614281@nbgm66x...
> Hi NG!
>
> Is there any possibility to determine in a batch-file, if the logged-on
> user is member of Administrators-Group?
> This should even work, if the user is member of a domain...
>
> Of course I can try, to create a file under %SYSTEMROOT% or something
> else, and then check, if it was created...
>
> but perhaps there is a better practice?
>
> Any suggestion is greatly appreciated,
>
> Best regards,
> /Heiko Pliefke
Anonymous
5 August 2005 04:18:41

Archived from groups: microsoft.public.win2000.cmdprompt.admin,microsoft.public.windowsnt.misc

Jerold Schulman wrote:

> in the batch, add the following lines to determine if the logged on
> user is a local administrator:
>
> set admin=N
> set domain=%USERDOMAIN%\
> If /i "%domain%" EQU "%computername%\" set domain=
> set user=%domain%%username%
> for /f "Tokens=*" %%a in ('net localgroup administrators^|find /i "%user%"') do set admin=Y
>
> Then just test the value of %admin%
>
> If "%admin%" EQU "Y" goto isAdmin

It would seem that this method would fail if the user is a member of a
group that's a member of Administrators.

Ifmember.exe doesn't have this problem, but it's not language-independent.

To address these issues, I wrote isadmin.exe:

http://www.cybermesa.com/~bstewart/wast.html

Internally, isadmin.exe enumerates the SIDs for the current user and
returns an exit code of 1 if the current user is a member of
Administrators (e.g., SID S-1-5-32-544).

--
Bill Stewart
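
The SID-based check described in the post above can be approximated in a plain batch file with whoami.exe. This is an added example, not part of the thread and not the code of isadmin.exe; it assumes whoami.exe as shipped with Windows Vista and later, and the exit codes 0 to 3 are this example's own convention.

```batch
@echo off
setlocal
:: Added example, not from the thread. SIDs are identical in every display
:: language, and the token already contains nested group memberships.
::   S-1-5-32-544 = BUILTIN\Administrators
::   S-1-16-12288 = High Mandatory Level (elevated token)
::   S-1-16-16384 = System Mandatory Level (running as SYSTEM)
set "MEMBER=N"
set "ELEVATED=N"

:: Fail closed if whoami.exe is missing or cannot list the token groups.
whoami /groups >nul 2>&1 || (
    echo whoami.exe is not usable on this system
    exit /b 3
)

:: CSV output quotes every field, so match the SID together with its quotes
:: to avoid hitting a longer SID that merely starts with the same digits.
whoami /groups /fo csv /nh | find """S-1-5-32-544""" >nul && set "MEMBER=Y"
whoami /groups /fo csv /nh | find """S-1-16-12288""" >nul && set "ELEVATED=Y"
whoami /groups /fo csv /nh | find """S-1-16-16384""" >nul && set "ELEVATED=Y"

:: Under UAC a non-elevated session still lists the Administrators SID,
:: but only as a deny-only group, so membership alone is not enough.
if "%MEMBER%"=="N" (
    echo Not a member of Administrators, directly or through a nested group
    exit /b 2
)
if "%ELEVATED%"=="N" (
    echo Administrators SID is in the token, but the token is not elevated
    exit /b 1
)
echo Running with an elevated administrator token
exit /b 0
```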
29 March 2011 05:49:42

I know this is an old post but I wanted to share some info. I use Ifmember.exe in my logon scripts to find out if a user is a member of a group and that works great but I couldn't figure out how to use it to verify if a "certain", not the currently logged in user, group was already added to the Local Administrators group. So I was able to use Jerold's post earlier to use it for that function.

First I will show you how I use Ifmember.exe

set GROUP1=(Any AD group)
set USERDOMAIN=(Your AD Domain)
if "%GROUP1%"=="" goto complete
"ifmember.exe" "%USERDOMAIN%\%GROUP1%"
if not errorlevel 1 goto complete

net use k: /delete /y
net use k: \\Server\DataPath /Persistent:Yes

:complete

***This is how I used the FOR function***

for /f "Tokens=*" %%a in ('net localgroup administrators^|find /i "(your domain here)\Domain Admins"') do goto domainadmin
net localgroup Administrators /add "(your domain here)\Domain Admins"
echo Added Domain Admins to the Local Administrators group
:domainadmin
for /f "Tokens=*" %%a in ('net localgroup administrators^|find /i "(your domain here)\(Any AD Group or User)"') do goto admins
net localgroup Administrators /add "(your domain here)\(Any AD Group or User)"
echo Added "Your User" to the Local Administrators group
:admins

Good luck.
22 November 2011 20:38:16

Here's a one-liner that doesn't require additional tools:
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"&&(
    echo admin...
)
source: http://stackoverflow.com/q/4054937


Here is how I use it, in a routine that elevates a batch script itself:
:: Ensure ADMIN Privileges
:: adaptation of https://sites.google.com/site/eneerge/home/BatchGotAdmin and http://stackoverflow.com/q/4054937
@echo off
:: Check for ADMIN Privileges
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
if '%errorlevel%' NEQ '0' (
    REM Get ADMIN Privileges
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B
) else (
    REM Got ADMIN Privileges
    pushd "%cd%"
    cd /d "%~dp0"
    @echo on
)