Is current User a member of the local Administrators Group?

(imported topic written by rclarke)

Ok, I’ll admit it now, I am being lazy, however time is short and the pressure is great so any help is much appreciated :wink:

I seek a Fixlet that will check to see whether the currently logged on user is a member of the local Administrators group. If not then taking the action will add that user’s domain account to the local administrators group. Does anyone have any pointers, or indeed a Fixlet that fits the bill that they are prepared to share :smiley:

Many thanks,

Rod.

(imported comment written by BenKus)

Try this relevance to detect if there is an admin user logged in (probably works in 7.0 clients only):

exists members whose (sid of it = sid of logged on user) of local group "administrators"

I am not sure if it works in all cases (domain and local users on all Windows OSes), but you can let me know how it works…

Couple notes:

  • It probably won’t work in QnA (because “sid of logged on user” requires SYSTEM privileges), but you can try it as a property…
  • This will return true if any one of the users logged in is an admin.
  • This relevance might trigger an AD domain query, but I am not sure…

And then do you have a command line method of adding a user to the local admin group?

Ben

(imported comment written by rclarke)

Hi Ben,

Many thanks. Your relevance appears to be reporting correctly, although what is slightly odd (but not a problem) is that we get a value of “1” rather than “” for machines which haven’t yet checked in. If you have the command line method for adding a user then it would be very much appreciated.

Rod.

(imported comment written by BenKus)

How about this for the action:

// this next line will fail unless there is just one logged on user
continue if {number of logged on users = 1}
net localgroup "administrators" {sid of logged on user} /add

This is completely untested by me so be sure to try it out… if it works, you should post the Fixlet because I think many people might be interested.

Ben

(imported comment written by rclarke)

Many thanks Ben. All is working, even though you did miss out the all important “dos” command in the Action Script :wink:

The quick and dirty Relevance and Action Script are as follows:

(name of operating system is "Win2000" or name of operating system is "WinXP") and (number of logged on users = 1) and (not exists members whose (sid of it = sid of logged on user) of local group "Administrators")

continue if {number of logged on users = 1}
dos net localgroup Administrators {sid of logged on user} /ADD

Many thanks again Ben.

Rod.

(imported comment written by BenKus)

Ooops…

By the way, to suppress the dos box that flashes, you can change the action to:

continue if {number of logged on users = 1}
waithidden cmd.exe /C net localgroup Administrators {sid of logged on user} /ADD

Ben

(imported comment written by bc6591)

Doesn’t this require a log off then log on for the local admin to take effect?

If so, is there a better way to push a change that requires local admin privileges to a current user who does not have local admin privileges? We have many non-admin users and would like to make changes in one step if possible.

Thanks,

bc

(imported comment written by Tingram91)

This is your only solution, as the current profile in use is not a Bigfix limitation, but the design of the OS.

Once the profile is active, permission changes require a logoff/logon for any changes to take effect.

Unlike a GPO change, there is no gpupdate /force for the desktop admin refresh.
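As an added illustration (not code from this thread), a PowerShell check of the two things discussed above: whether the logged-on user's SID is in the local Administrators group, which is what Ben's relevance tests, and whether the current logon token already reflects that membership, which is the logoff/logon point Tingram91 makes. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the function name is my own.

```powershell
# Added example, not from the thread. Compares SAM group membership with what the
# running process's token actually carries. Assumes Get-LocalGroupMember is available
# (Microsoft.PowerShell.LocalAccounts, Windows 10 / Server 2016 and later).

function Test-LocalAdminMembership {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid   = $identity.User
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the check does not depend on the localized group name.
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    # Membership as recorded on the machine: compare SIDs, as the relevance in the
    # thread does, so local and domain accounts are handled the same way.
    $members = Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop
    $inGroup = [bool]($members | Where-Object { $_.SID.Value -eq $userSid.Value })

    # Membership as seen by this process's token. This stays $false until the user
    # logs on again after being added (the logoff/logon requirement discussed above),
    # and is also $false in a non-elevated UAC session because the group is marked
    # deny-only in the filtered token.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $inToken   = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User             = $identity.Name
        UserSid          = $userSid.Value
        MemberOfAdmins   = $inGroup
        TokenHasAdmins   = $inToken
        GroupButNotToken = ($inGroup -and -not $inToken)
    }
}

Test-LocalAdminMembership | Format-List
```

GroupButNotToken being true right after a "net localgroup ... /ADD" is the expected state until the next logon, so an audit that only inspects the group will report success before the user actually has the rights in their session.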

(imported comment written by bc6591)

Thanks for the speedy reply. Is there any kind of “run as” admin type of thing. Of course that requires a username password in the clear probably, right? Or is there some way?

bc

(imported comment written by Tingram91)

Yes, you could perform a RUNAS to execute something; it would require a username and password, which is passed in clear text in the logs.

Are you simply trying to execute an installation?

(imported comment written by bc6591)

Usually they are installations or registry changes that are on a per user basis.

What is the basic syntax for something like the RUNAS for the current user, or can you point me to an example? I haven't found much in the way of examples yet, probably because it is not recommended.

bc

(imported comment written by SystemAdmin)

Just browsing the forum looking for things to gain experience on… here's a task to do this. Copy the “code” to a file ending with .bes, then double-click it to import it into your deployment.

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <Task>
    <Title>Local Admin::Effect Locally Logged On User</Title>
    <Description>This could be useful... </Description>
    <GroupRelevance JoinByIntersection="false">
      <SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
        <SearchText>Win</SearchText>
        <Relevance>exists (operating system) whose (it as string as lowercase contains "Win" as lowercase)</Relevance>
      </SearchComponentPropertyReference>
    </GroupRelevance>
    <Category></Category>
    <Source>Internal</Source>
    <SourceID></SourceID>
    <SourceReleaseDate>2010-12-30</SourceReleaseDate>
    <SourceSeverity></SourceSeverity>
    <CVENames></CVENames>
    <SANSID></SANSID>
    <MIMEField>
      <Name>x-fixlet-modification-time</Name>
      <Value>Thu, 30 Dec 2010 23:35:04 +0000</Value>
    </MIMEField>
    <Domain>SCVM</Domain>
    <Action ID="Action1">
      <Description>
        <PreLink>Click </PreLink>
        <Link>here</Link>
        <PostLink> to make locally logged on user a member of the local Administrators group.</PostLink>
      </Description>
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
continue if {number of logged on users = 1}
waithidden cmd.exe /C net localgroup Administrators {sid of logged on user} /ADD
</ActionScript>
    </Action>
    <Action ID="Action2">
      <Description>
        <PreLink>Click </PreLink>
        <Link>here</Link>
        <PostLink> to remove locally logged on user from the administrators group.</PostLink>
      </Description>
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
continue if {number of logged on users = 1}
waithidden cmd.exe /C net localgroup Administrators {sid of logged on user} /DELETE
</ActionScript>
    </Action>
    <Action ID="Action3">
      <Description>
        <PreLink>Click </PreLink>
        <Link>here</Link>
        <PostLink> to ADD a specific user or group to the local Administrators group.</PostLink>
      </Description>
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
action parameter query "UserGroup" with description "Enter User or Group to be ADDED to the Local Administrators Group:"
waithidden cmd.exe /C net localgroup Administrators {parameter "UserGroup"} /ADD
</ActionScript>
    </Action>
    <Action ID="Action4">
      <Description>
        <PreLink>Click </PreLink>
        <Link>here</Link>
        <PostLink> to REMOVE a specific user or group from the local Administrators group.</PostLink>
      </Description>
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
action parameter query "UserGroup" with description "Enter User or Group to be REMOVED from the Local Administrators Group:"
waithidden cmd.exe /C net localgroup Administrators {parameter "UserGroup"} /DELETE
</ActionScript>
    </Action>
  </Task>
</BES>