PowerShell Oneliner to Check for Elevated Admin Rights (not Administrator Group Membership) Or System Account
Written by Darwin Sanoy   
Friday, August 16, 2013 6:45pm

There are 1000 scripts out there to tell you if a user is *in the local administrators group*.  However, what you usually want to know is "is the current process running as an elevated administrator".  The difference between these is not small.  I can be in the local administrators group but running under UAC, so my process does not have full administrator rights.  Or I can be in a group that is in a group that is in the local administrators group and elevated - but a script looking directly for my name won't find my user id in the administrators group.  Or my script can be running under the System account, which has local administrator rights but is not in the local administrators group.

The following bit of PowerShell code looks for a specific SID on the user token to determine if the current process is running with elevated administrator permissions.  This approach does not attempt to determine how the process has local administrator rights - it just tests whether they are present.  You may have seen similar code using whoami /all.  However, there is an important difference between "whoami /all" and the code below.  When using "([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups", the SID for local admin permissions is only output if it is ENABLED.  "whoami /all" displays the SID, but notes it is disabled.

If ([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
  write-host "You are an administrator"
  }

For more explanation and updated Ready-To-Run code for this topic, check out our video course "PSH-205 Managing the Enterprise Windows Desktop with PowerShell"

If you would like the test to be available to the entire script you can do this:

$IsAdmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")

The following is a way to determine if you are running under the system account (handy for when your code is running under a management system like SCCM 2007 or Altiris).  However, if all you want to know is whether your process is running as an elevated administrator, the above code works for system account processes as well:

If (([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem) {
  write-host "Running under the system account"
  add-content -path "$env:SystemDrive\users\public\syscheck.txt" -force -value "systemaccount"
  }

You can test the above code on a live system: the creation of the file tells you that the PowerShell code is running under the system account and detecting that context.

Another easy way is to test with psexec like this:

psexec -s powershell -command "if (([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem) {add-content -path $env:SystemDrive\users\public\syscheck.txt -value 'yep'}"
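
The checks described above, combined into one function that also reports the "member but not elevated" case that whoami /all shows as a disabled SID. This is an added example, not code from the original article: the function name Get-ProcessAdminContext and its property names are hypothetical, and the deny-only lookup assumes .NET 4.5 or later, where token groups are exposed through the Claims property.

```powershell
# Added example (not from the original article); names are hypothetical.
function Get-ProcessAdminContext {
    # BUILTIN\Administrators, the SID the one-liner above looks for
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity

    # Exact string comparison of each SID (no regex), so only S-1-5-32-544
    # itself counts. .Groups omits SIDs that are not enabled on the token.
    $enabled = [bool]($identity.Groups |
        Where-Object { $_.Value -eq $adminSid.Value })

    # Assumption: .NET 4.5+ lists deny-only SIDs as claims of this type.
    # On older runtimes .Claims is $null and this reports $false.
    $denyType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid'
    $denyOnly = [bool]($identity.Claims |
        Where-Object { $_.Type -eq $denyType -and $_.Value -eq $adminSid.Value })

    New-Object PSObject -Property @{
        User             = $identity.Name
        IsSystem         = $identity.IsSystem
        AdminSidEnabled  = $enabled      # same test as the one-liner
        AdminSidDenyOnly = $denyOnly     # in the group, but filtered by UAC
        IsInAdminRole    = $principal.IsInRole($adminSid)
    }
}

$ctx = Get-ProcessAdminContext
$ctx | Format-List

if ($ctx.AdminSidEnabled) {
    Write-Host "Elevated administrator rights are present (System account: $($ctx.IsSystem))"
}
elseif ($ctx.AdminSidDenyOnly) {
    # A script that requires elevation would stop here.
    Write-Warning "Administrators SID is on the token but deny-only: process is not elevated"
}
else {
    Write-Warning "Administrators SID is not on the token"
}
```

Run it once from a normal prompt and once from an elevated prompt under the same admin account to see AdminSidEnabled and AdminSidDenyOnly swap.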