
_ISADMIN with domain account

Discussion in 'Support' started by nikbackm, Apr 22, 2009.

  1. nikbackm

    Is the _ISADMIN variable supposed to work with domain accounts?

    My work (domain) account has admin rights on my local workstation but not (obviously) on the domain.

    With the domain account _ISADMIN always has the value 0, even if I can do local administrative tasks like change the time, open device manager, install programs etc.

    With a local (workstation) admin account I have created _ISADMIN has the value 1 as expected.

    More info:

    My work PC is using Windows XP SP3 so it's not a Vista UAC issue. The local Administrators group
    also contains my domain account.
     
  2. rconn

    rconn Administrator
    Staff Member

    nikbackm wrote:

    Only with your local group.

    Rex Conn
    JP Software
     
  3. nikbackm

    The domain account IS a member of the Administrators group on the local machine where I test _ISADMIN.

    So it should not be too hard to get this case working as well. As it is now the _ISADMIN variable essentially lies if I test it in batch files since the account does have administrative privileges.
     
  4. Steve Fabian

    nikbackm wrote:
    | ---Quote (Originally by rconn)---
    | nikbackm wrote:
    |
    |
    |
    | Only with your local group.
    |
    | Rex Conn
    | JP Software
    | ---End Quote---
    | The domain account IS a member of the Administrators group on the
    | local machine where I test _ISADMIN.
    |
    | So it should not be too hard to get this case working as well. As it
    | is now the _ISADMIN variable essentially lies if I test it in batch
    | files since the account does have administrative privileges.

    Roger Byrne posted his RB_utils.dll several years ago at
    ftp://jpsoft.com/plugins, which has an independently implemented _ISADMIN
    internal variable. If you already load the rb_utils.dll plugin, it overrides
    the internal (Rex Conn) version; try unloading the plugin and see what
    happens without it. OTOH, if you don't load it, try downloading and using
    its version. Gives you another shot at getting the result you want.
    --
    HTH, Steve
     
  5. dim

    dim Dimitry Andric

    On 2009-04-26 12:20, nikbackm wrote:

    Another way to test this for user %USERNAME% would be:

    %@group[%_WINNAME,Administrators,%USERNAME%]

    But unfortunately the "administrators" group name is language-dependent...
     
  6. rconn

    rconn Administrator
    Staff Member

    nikbackm wrote:

    Microsoft has neglected to document a means of doing this. If you know
    of a suitable (undocumented) API, I'll be happy to add it.

    Rex Conn
    JP Software
     
  7. nikbackm

    This works very well. Thank you!

    Yes, you have to use the language-dependent group name here, but if you do the same thing by "coding" it's easy to get a reference to the Administrators group by using a language-independent identifier. There's a Win32 symbolic constant defined for it.

    Why not simply test if the user is a member of the Administrators group like above? Seems to be mostly done already.

    Or maybe that would not work on Vista with UAC activated?
     
  8. dim

    dim Dimitry Andric

    On 2009-04-26 15:57, rconn wrote:

    Please see the description of CheckTokenMembership() in MSDN:

    http://msdn.microsoft.com/en-us/library/aa376389.aspx
     
  9. rconn

    rconn Administrator
    Staff Member

    dim wrote:

    That's exactly what I'm already doing.

    Rex Conn
    JP Software
     
  10. Rod Savard

    Rex, which SID are you checking for when you call CheckTokenMembership? I have code written in Delphi that works properly with this function. It correctly identifies my domain account as having local admin privileges. My domain account is a member of a domain group which in turn is a member of the local Administrators group.

    The SID I check for is DOMAIN_ALIAS_RID_ADMINS (0x00000220).
     
  11. samintz

    samintz Scott Mintz

    If you are logged on locally vs. a domain account, does that still work?

    -Scott

    Rod Savard <> wrote on 04/28/2009 12:37:35 PM:


     
  12. Rod Savard

    Yes, it does.
     
  13. Rod Savard

    This is definitely the wrong approach. As you pointed out, it requires that the "Administrators" group be called exactly that. Second, it doesn't check for nested group memberships.

    The CheckTokenMembership API is the right way to do this.
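
The language-independent check discussed in this thread (the well-known Administrators SID instead of the group name), as an added example that is not code from any poster or from JP Software. It uses .NET's `WindowsPrincipal.IsInRole` from PowerShell rather than calling `CheckTokenMembership` directly; the function name `Test-LocalAdminToken` is hypothetical.

```powershell
# Added example; Test-LocalAdminToken is a hypothetical helper name.
function Test-LocalAdminToken {
    # Well-known SID S-1-5-32-544: SECURITY_BUILTIN_DOMAIN_RID (0x20)
    # followed by DOMAIN_ALIAS_RID_ADMINS (0x220). Identical on every locale.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Resolve the localized group name from the SID instead of hard-coding
    # "Administrators", which differs between Windows language versions.
    try   { $groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $groupName = '<unresolved>' }

    # Group SIDs carried in the current token. Nested membership (a domain
    # group that is itself a member of the local group) is expanded at logon,
    # so it appears here without walking the group tree by hand.
    $sidInToken = @($identity.Groups |
        Where-Object { $_.Value -eq $adminSid.Value }).Count -gt 0

    New-Object PSObject -Property @{
        User             = $identity.Name
        AdminSid         = $adminSid.Value
        LocalizedGroup   = $groupName
        SidInTokenGroups = $sidInToken
        # Role check by SID, not by name.
        IsInRole         = $principal.IsInRole($adminSid)
    }
}

Test-LocalAdminToken | Format-List
```

Because the answer is read from the process token, a change in group membership only shows up after the next logon, and under UAC a non-elevated process reports False for `IsInRole`.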
     
  14. rconn

    rconn Administrator
    Staff Member

    Rod Savard wrote:

    That's the same one I'm checking.

    Rex Conn
    JP Software
     
  15. Rod Savard

    Strange....something must be different. The _ISADMIN function returns zero while my Delphi code returns "true".
     
  16. Steve Fabian

    Rod Savard wrote:
    | Strange....something must be different. The _ISADMIN function
    | returns zero while my Delphi code returns "true".

    Possibly different run-time permissions?
    --
    Steve
     
  17. Rod Savard

    I'm not doing anything special in my code. Both my exe and the tcc.exe are run under the same user context.
     
