For my Active Directory documentation script, if the user requests hardware inventory for the domain controllers, the user must run the script with domain administrator credentials. How do you determine if a script is being run with Domain Admin rights?
The following information is taken from:
Check for Admin Credentials in a PowerShell Script (Scripting Guys blog)
WindowsPrincipal.IsInRole Method (WindowsBuiltInRole) (MSDN)
WindowsPrincipal Class (MSDN)
WindowsPrincipal.IsInRole Method (MSDN)
WindowsBuiltInRole Enumeration (MSDN)
For testing if the user is in the LOCAL Administrators group:
1 2 3 4 5 6 7 8 | If(([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrators")){ #user is a member of local administrators}Else{ #user is not a member of local administrators} |
For testing if the user is in the Domain Admins group:
1 2 3 4 5 6 7 8 | If(([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Domain Admins")){ #user is a member of domain admins}Else{ #user is not a member of domain admins} |
Hope this helps.
Webster
Awesome, and timely! Thanks Webster.
Hi Carl,
Thanks for sharing this validations, it’s good to know you can check for local and domain administrative priviliges.
I used the code from Matt Painter to run a PowerShell script with elevated priviliges when it isn’t initially started with it. This might help when running an inventory 🙂
http://gallery.technet.microsoft.com/scriptcenter/63fd1c0d-da57-4fb4-9645-ea52fc4f1dfb
Cheers,
Ingmar