PowerShell Oneliner to Check for Elevated Admin Rights (not Administrator Group Membership) Or System Account
PowerShell
Written by Darwin Sanoy
Friday, August 16, 2013 6:45pm
There are 1000 scripts out there to tell you if a user is *in the local administrators group*. However, what you usually want to know is "is the current process running as an elevated administrator". The difference between these is not small. I can be in the local administrators group but be running under UAC, so my process does not have full administrator rights. Or I can be in a group that is in a group that is in the local administrators group, and elevated, but a script looking directly for my name won't find my user id in the administrators group. Or my script can be running under the System account, which has local administrator rights but is not in the local administrators group.

The following bit of PowerShell code looks for a specific SID on the user token to determine whether the current process is running with elevated administrator permissions. This approach does not attempt to determine how the process obtained local administrator rights; it only tests whether they are present.

You may have seen similar code using whoami /all. However, there is an important difference between "whoami /all" and the code below. When using "([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups", the SID for local admin permissions is only output if it is ENABLED. "whoami /all" displays the SID, but notes it is disabled.
If you would like the test to be available to the entire script you can do this:
The following is a way to determine if you are running under the system account (handy for when your code is running under a management system like SCCM 2007 or Altiris). However, if all you want to know is whether your process is running as an elevated administrator, the above code works for system account processes as well:
You can test the above code on a live system: the creation of the file tells you whether the PowerShell code is running under, and detecting, the System account context. Another easy way is to test with psexec like this:

psexec -s powershell -command "if (([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem) {add-content -path $env:Systemdrive\users\public\syscheck.txt -value 'yep'}"
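
The checks described in this post, collected into one function and stored in script scope, as an added example that is not the original post's code. The function name, property names and variable names are illustrative assumptions; the SID S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.

```powershell
# Added example (not the original post's code); names below are illustrative.
function Get-ProcessPrivilegeContext {
    $adminSid = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # .Groups returns only SIDs that are enabled on this process token, so a
    # UAC-filtered (non-elevated) token does not list the Administrators SID.
    $enabled = @($identity.Groups | Where-Object { $_.Value -eq $adminSid }).Count -gt 0

    # whoami prints the SID even when it is not enabled, so a bare match on
    # its output overstates the rights of a non-elevated process.
    $whoami = @(whoami /groups /fo csv /nh | Where-Object { $_ -like "*$adminSid*" }).Count -gt 0

    [pscustomobject]@{
        User             = $identity.Name
        ElevatedAdmin    = $enabled
        IsSystem         = $identity.IsSystem
        SidShownByWhoami = $whoami
    }
}

# Evaluate once and keep the result in script scope so every function in the
# script can test it without querying the token again.
$script:PrivilegeContext = Get-ProcessPrivilegeContext
$script:IsElevatedAdmin  = $script:PrivilegeContext.ElevatedAdmin

if (-not $script:IsElevatedAdmin) {
    Write-Warning "Not elevated (user: $($script:PrivilegeContext.User)); skipping tasks that need administrator rights."
}
$script:PrivilegeContext | Format-List
```

Run from a non-elevated prompt as a member of the administrators group, ElevatedAdmin is False while SidShownByWhoami is True; that mismatch is the gap between group membership and an elevated token.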