_ISADMIN with domain account

May 30, 2008
238
2
Is the _ISADMIN variable supposed to work with domain accounts?

My work (domain) account has admin rights on my local workstation but not (obviously) on the domain.

With the domain account _ISADMIN always has the value 0, even if I can do local administrative tasks like change the time, open device manager, install programs etc.

With a local (workstation) admin account I have created _ISADMIN has the value 1 as expected.

More info:

My work PC is using Windows XP SP3 so it's not a Vista UAC issue. The local Administrators group also contains my domain account.
 
May 30, 2008
238
2
> nikbackm wrote:
>
> Only with your local group.
>
> Rex Conn
> JP Software

The domain account IS a member of the Administrators group on the local machine where I test _ISADMIN.

So it should not be too hard to get this case working as well. As it is now the _ISADMIN variable essentially lies if I test it in batch files since the account does have administrative privileges.
 
May 20, 2008
3,515
4
Elkridge, MD, USA
nikbackm wrote:
| ---Quote (Originally by rconn)---
| nikbackm wrote:
|
|
|
| Only with your local group.
|
| Rex Conn
| JP Software
| ---End Quote---
| The domain account IS a member of the Administrators group on the
| local machine where I test _ISADMIN.
|
| So it should not be too hard to get this case working as well. As it
| is now the _ISADMIN variable essentially lies if I test it in batch
| files since the account does have administrative privileges.

Roger Byrne posted his RB_utils.dll several years ago at
ftp://jpsoft.com/plugins, which has an independently implemented _ISADMIN
internal variable. If you already load the rb_utils.dll plugin, it overrides
the internal (Rex Conn) version; try unloading the plugin and see what
happens without it. OTOH, if you don't load it, try downloading and using
its version. Gives you another shot at getting the result you want.
--
HTH, Steve
 

dim

Dimitry Andric
May 31, 2008
205
1
Netherlands
On 2009-04-26 12:20, nikbackm wrote:

> The domain account IS a member of the Administrators group on the local machine where I test _ISADMIN.

Another way to test this for user %USERNAME% would be:

%@group[%_WINNAME,Administrators,%USERNAME%]

But unfortunately the "administrators" group name is language-dependent...
 

rconn

Administrator
Staff member
May 14, 2008
12,557
167
nikbackm wrote:

> The domain account IS a member of the Administrators group on the local machine where I test _ISADMIN.
>
> So it should not be too hard to get this case working as well. As it is now the _ISADMIN variable essentially lies if I test it in batch files since the account does have administrative privileges.

Microsoft has neglected to document a means of doing this. If you know
of a suitable (undocumented) API, I'll be happy to add it.

Rex Conn
JP Software
 
May 30, 2008
238
2
> On 2009-04-26 12:20, nikbackm wrote:
>
> Another way to test this for user %USERNAME% would be:
>
> %@group[%_WINNAME,Administrators,%USERNAME%]
>
> But unfortunately the "administrators" group name is language-dependent...

This works very well. Thank you!

Yes, you have to use the language-dependent group name here, but if you do the same thing by "coding" it's easy to get a reference to the Administrators group by using a language-independent identifier. There's a Win32 symbolic constant defined for it.

> nikbackm wrote:
>
> Microsoft has neglected to document a means of doing this. If you know
> of a suitable (undocumented) API, I'll be happy to add it.

Why not simply test if the user is a member of the Administrators group like above? Seems to be mostly done already.

Or maybe that would not work on Vista with UAC activated?
 

rconn

Administrator
Staff member
May 14, 2008
12,557
167
dim wrote:

> On 2009-04-26 15:57, rconn wrote:
>
> ---Quote---
>> Microsoft has neglected to document a means of doing this. If you know
>> of a suitable (undocumented) API, I'll be happy to add it.
> ---End Quote---
> Please see the description of CheckTokenMembership() in MSDN:
>
> http://msdn.microsoft.com/en-us/library/aa376389.aspx

That's exactly what I'm already doing.

Rex Conn
JP Software
 
May 26, 2008
550
6
Rex, which SID are you checking for when you call CheckTokenMembership? I have code written in Delphi that works properly with this function. It correctly identifies my domain account as having local admin privileges. My domain account is a member of a domain group which in turn is a member of the local Administrators group.

The SID I check for is DOMAIN_ALIAS_RID_ADMINS (0x00000220).
 

samintz

Scott Mintz
May 20, 2008
1,557
26
Solon, OH, USA
If you are logged on locally vs. a domain account, does that still work?

-Scott

Rod Savard wrote on 04/28/2009 12:37:35 PM:


> Rex, which SID are you checking for when you call
> CheckTokenMembership? I have code written in Delphi that works
> properly with this function. It correctly identifies my domain
> account as having local admin privileges. My domain account is a
> member of a domain group which in turn is a member of the local
> Administrators group.
>
> The SID I check for is DOMAIN_ALIAS_RID_ADMINS (0x00000220).
 
May 26, 2008
550
6
> Another way to test this for user %USERNAME% would be:
>
> %@group[%_WINNAME,Administrators,%USERNAME%]
>
> But unfortunately the "administrators" group name is language-dependent...

This is definitely the wrong approach. As you pointed out, it requires that the "Administrators" group be called exactly that. Second, it doesn't check for nested group memberships.

The CheckTokenMembership API is the right way to do this.
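
The check discussed in this thread, written out in C as an added example (not code from Take Command, RB_utils.dll or any poster): it builds the language-independent BUILTIN\Administrators SID and passes it to CheckTokenMembership(). The helper names are hypothetical, and the constant values in the non-Windows branch are repeated from winnt.h only so the SID-formatting helper builds anywhere; the token check itself compiles only on Windows.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 */
#else
/* Values from winnt.h, repeated so the SID-formatting helper builds anywhere. */
#define SECURITY_BUILTIN_DOMAIN_RID 0x00000020L
#define DOMAIN_ALIAS_RID_ADMINS     0x00000220L
#endif

/* Hypothetical helper: writes the well-known SID of the local Administrators
   alias. Authority 5 is SECURITY_NT_AUTHORITY; the string is the same on every
   Windows language version, unlike the group's display name. */
int admins_sid_string(char *buf, size_t len)
{
    return snprintf(buf, len, "S-1-5-%lu-%lu",
                    (unsigned long)SECURITY_BUILTIN_DOMAIN_RID,
                    (unsigned long)DOMAIN_ALIAS_RID_ADMINS);
}

/* Hypothetical helper: 1 if that SID is enabled in the caller's token,
   0 if it is absent or not enabled, -1 on API failure or a non-Windows build. */
int is_admin_token(void)
{
#ifdef _WIN32
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID admins = NULL;
    BOOL member = FALSE;
    int result = -1;

    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
                                  &admins))
        return -1;
    /* NULL token = impersonation token of the calling thread. The token
       already lists group SIDs gained through nested or domain groups. */
    if (CheckTokenMembership(NULL, admins, &member))
        result = member ? 1 : 0;
    FreeSid(admins);
    return result;
#else
    return -1;
#endif
}

int main(void)
{
    char sid[32];
    admins_sid_string(sid, sizeof sid);
    printf("%s enabled in token: %d\n", sid, is_admin_token());
    return 0;
}
```

CheckTokenMembership() reports only SIDs that are enabled in the token, so a group SID that is present but marked deny-only yields 0 here.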
 

rconn

Administrator
Staff member
May 14, 2008
12,557
167
Rod Savard wrote:

> Rex, which SID are you checking for when you call CheckTokenMembership? I have code written in Delphi that works properly with this function. It correctly identifies my domain account as having local admin privileges. My domain account is a member of a domain group which in turn is a member of the local Administrators group.
>
> The SID I check for is DOMAIN_ALIAS_RID_ADMINS (0x00000220).

That's the same one I'm checking.

Rex Conn
JP Software
 
May 26, 2008
550
6
Strange... something must be different. The _ISADMIN function returns zero while my Delphi code returns "true".