
I have a Windows Service in C# running with the credentials of the user UserInstallerMoss.

The Windows Service executes an EXE console application in C# with the credentials of UserInstallerMoss.

The EXE console application executes powershell.exe with the credentials of UserInstallerMoss.

The server is Windows Server 2012 Enterprise. UAC is disabled.

UserInstallerMoss is a local administrator.

The PowerShell functions return $true:

$ok = IsCurrentUserAdmin
$ok = IsCurrentUserAdmin2

but the script fails with "access denied":

nativehr: 0x80070005 OWSSVR.DLL - Access denied

How can I determine whether the current PowerShell script is being executed as "Run as Administrator"?

How can I determine whether the current user in a PowerShell script is an Administrator?

My functions return true, but maybe they are wrong?

PowerShell functions:

Function IsCurrentUserAdmin
{
    # Walks the group SIDs in the current token and returns $true if either the
    # built-in Administrator account SID or the BUILTIN\Administrators group SID is present.
    $ident = [Security.Principal.WindowsIdentity]::GetCurrent()

    foreach ( $groupIdent in $ident.Groups )
    {
        if ( $groupIdent.IsValidTargetType([Security.Principal.SecurityIdentifier]) )
        {
            $groupSid = $groupIdent.Translate([Security.Principal.SecurityIdentifier])
            if ( $groupSid.IsWellKnown("AccountAdministratorSid") -or $groupSid.IsWellKnown("BuiltinAdministratorsSid") )
            {
                return $TRUE
            }
        }
    }
    return $FALSE
}

Function IsCurrentUserAdmin2
{
    # Asks the WindowsPrincipal whether the current token holds the Administrator role.
    $user = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
Kiquenet

1 Answer


If you want to test whether the script is running elevated:

function Test-RunningElevated{
    # returns True if running elevated, otherwise returns False
    $windowsIdentity=[System.Security.Principal.WindowsIdentity]::GetCurrent()
    $windowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($windowsIdentity)
    $adm=[System.Security.Principal.WindowsBuiltInRole]::Administrator
    Write-Output ($windowsPrincipal.IsInRole($adm))
}

If you want to test whether the user running the script is a member of the local Administrators group:

function Test-LocalAdministrator{
    # Returns $true if the current user is a direct member of the local Administrators group.
    $currentUser = $env:USERNAME
    $currentComputer = $env:COMPUTERNAME
    $adminGroup = [ADSI]"WinNT://$currentComputer/Administrators"
    # A foreach loop with return is used instead of ForEach-Object with break:
    # break inside a ForEach-Object script block does not stop at the pipeline
    # but unwinds the caller, and the function would otherwise also emit $false
    # after $true.
    foreach($entry in $adminGroup.Members()){
        # Members() yields COM objects, so the Name property is read via reflection
        $member = $entry.GetType().InvokeMember("Name", 'GetProperty', $null, $entry, $null)
        if($member -eq $currentUser){
            return $true
        }
    }
    return $false
}

Use them like this:

if(Test-RunningElevated){
    # code to run goes here
}
else{
    Write-Warning 'This script needs to be run elevated!'
}

Note that Test-LocalAdministrator only checks direct memberships.

ojk
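As an added diagnostic (not part of the question or the answer above), the script below reports how BUILTIN\Administrators (S-1-5-32-544) appears in the current process token, so that a $true from IsInRole can be told apart from a token that only carries the group as "deny only" after UAC filtering. The function name Get-AdminTokenState is chosen for this example, and it assumes whoami.exe is available on the PATH.

```powershell
# Added example, not from the question or answer: show how BUILTIN\Administrators
# (S-1-5-32-544) appears in the current process token. Get-AdminTokenState is a
# name chosen for this example; it assumes whoami.exe is available on the PATH.
function Get-AdminTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $adminSid  = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'

    # 1. Is the Administrators SID listed among the token's groups at all?
    $inGroups = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid.Value })

    # 2. Does the token carry it as a real group, or only as "deny only"?
    #    A UAC-filtered (non-elevated) token keeps the SID but marks it deny-only,
    #    which is why IsInRole() returns $false there. With UAC disabled, as on the
    #    server in the question, the token is never filtered.
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
           Where-Object { $_.SID -eq $adminSid.Value }
    $denyOnly = [bool]($row -and $row.Attributes -match 'deny only')

    # 3. The same check the answer's Test-RunningElevated performs.
    $isInRole = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User            = $identity.Name
        AdminSidInToken = $inGroups
        AdminDenyOnly   = $denyOnly
        IsInRoleAdmin   = $isInRole
    }
}

# Print the token state and warn when the script does not actually hold
# administrative rights, mirroring the answer's usage pattern.
$state = Get-AdminTokenState
$state | Format-List
if (-not $state.IsInRoleAdmin) {
    Write-Warning 'Administrators SID is missing or deny-only: the script is not running as an administrator.'
}
```

If every field reports administrative rights and the script still receives "access denied" from the component it calls, the failure is an authorization decision of that component rather than a Windows token problem.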