(imported topic written by cstoneba)
Does anyone know how to determine if a domain user has local admin rights? Even if that user is nested in a group.
(imported comment written by SystemAdmin)
There are ways to look up effective rights, but beware of doing such a thing as it can actually cause traffic to the Domain Server and if you have all your endpoints doing that it can bring down a domain server.
Local admin might be sufficiently obtained by the "admin privilege of " relevance though. This may or may not follow all the effective permissions but you can try.
(imported comment written by cstoneba)
i understand the domain performance concerns.
I did add a domain account to the local administrators group, and ran "admin privilege of domain user “blah” and it comes back with FALSE. This isn’t a true test because I want to know if a domain user has rights (regardless of if that individual account is part of the local admins, or it is a member of a group is is part of the local admins), but it’s still a place to start.