Downloads
49702.zip

How can I use a script to determine whether a current user is an administrator?

This excellent question often comes up in newsgroups and other forums. To be an administrator in Windows, you must have an account that's a member of the computer's local Administrators group. That's why the Domain Admins group is so powerful; it's a default member of the Administrators group on every machine in the domain.

One simple way to determine whether a user is an administrator is to list the members of the local Administrators group and check for the logged-on user's name. For example, the Net Localgroup Administrators command will list the members of the group. However, this approach fails if the current user is an indirect member of the group. For example, the Net Localgroup Administrators command will list Domain Admins as a member of Administrators, but it doesn't list the members of Domain Admins.

Another approach is to use the Ifmember.exe utility from the Microsoft Windows Server 2003 Resource Kit. If you specify one or more group names on the command line, the utility will return an exit code corresponding to the number of groups that match. For example, the command

ifmember Administrators

will return an exit code of 1 if the current user is a member of Administrators and 0 if not. Because you must specify the group name on the command line, Ifmember.exe works correctly only if the group name is the English word "Administrators" (assuming an English version of Windows). If you're using a non-English version of Windows or if the Administrators group has been renamed, the command won't work as expected.

These two approaches show the basic problems inherent in determining whether a user is an administrator: group nesting (being a member of a group that's a member of Administrators) and string matching (when the group name isn't what the script expects). Because of these problems, I prefer a more robust solution.

Windows NT 4.0 and later includes in the shell32.dll file (a standard OS component) an API function called IsUserAnAdmin, which returns a non-zero value if the current user is a member of Administrators. This function was undocumented until November 2002, when Microsoft documented it to comply with the US government's antitrust ruling. (You can find a list of APIs that Microsoft documented as a result of the case at http://msdn.microsoft.com/library/def ault.asp?url=/library/en-us/dnapiover/html/api-overview.asp.)

However, the main problem with this technique is that you can't call Windows API functions directly from scripts. To get around this limitation, I wrote a Visual Basic (VB) ActiveX DLL, IsAdmin.dll, which functions as a wrapper for the Windows API call and lets COM-compatible languages, such as WSH scripts, call the IsUser-AnAdmin function. I provide the VB 6.0 source code with the DLL so that you can see how it works. IsAdmin.dll requires NT 4.0 or later. I verified that the DLL works on Windows Server 2003, Windows XP, Windows 2000, and NT 4.0 Service Pack 6a (SP6a). Before using IsAdmin.dll, you must register it with the Regsvr32 command by using the following syntax:

regsvr32 \[/s\]
  \[path\\]IsAdmin.dll

where path is the path to the DLL on your system. (The path is optional if IsAdmin.dll is in the current directory.) The /s option performs the registration process silently. To unregister the component, specify the /u option immediately after the Regsvr32 command (i.e., regsvr32 /u). You must be a member of Administrators to register or unregister the component.

After you've registered IsAdmin.dll, you can use it in your scripts. The component contains just one object, IsAdmin.Check. The IsAdmin.Check object has one method, IsAdmin, which returns True if the current user is an administrator or False otherwise. Listing 1 shows an example of using the IsAdmin.Check object in VBScript, and Listing 2 shows a JScript version.

With IsAdmin.dll in your scripting toolkit, your scripts can easily determine whether a current user is an administrator.