Local Administrators against currently-logged-in user?

(imported topic written by MikeP23)

Hi guys,

I’m trying to generate a simple boolean result that’ll tell me whether the currently logged on user has administrative permissions on the client.

I thought of creating a relevance statement along the lines of comparing the membership of the local administrators group (members of local group “Administrators” as string) with the current user (name of current user) but can’t quite get the thing to fly using a “contains” statement. Any ideas?

Of course, this isn’t necessarily going to catch those users not specifically listed there who rely on their group membership for local administrative permissions (Domain Admins for example). Anyone have any better thoughts - maybe something using “admin privilege” instead?

Cheers,

(imported comment written by brolly3391)

MikeP,

I did some experimenting in the relevance debugger and this is what I came up with.

q: exists dacl whose (effective access mode for (name of current user) of it = effective access mode for "administrators" of it) of security descriptor of system folder

A: True

T: 1601.985 ms

I: singular boolean

In English: Does the security descriptor of the c:\windows\system folder exist? And is the effective access to that folder for the currently logged on user and the local administrator account identical?

I have not tested it as a property or in a fixlet. There might be issues with the BES Client running in the system account and not reporting the same as the relevance debugger on these items.

Also, it’s got terrible evaluation times so if you use it as a retrieved property, have it run infrequently.

Cheers,

Brolly

(imported comment written by jessewk)

See this post for additional ideas:

http://forum.bigfix.com/viewtopic.php?id=30

Also, you might try:

exists member whose (it as string as lowercase contains name of current User as lowercase) of local group "Administrators"

(imported comment written by MikeP23)

Great stuff.

I would never have thought of using the dacl against the system folder, cheers Brolly. Run time’s a little sluggish, true, but the result is spot-on! :slight_smile:

The statement (exists member whose (it as string as lowercase contains name of current User as lowercase) of local group "Administrators") seems to work ok, but the only issue with that is occasional false-positives caused by machine names similar to usernames.

For example, a machine name called “X-FSMITH” would return a TRUE value if the current user was “fsmith”, as it would compare the member “X-FSMITH\Administrator” to the username and return a true. :wink: Although, a little bit of fine-tuning may sort that.

Thanks for your help guys! As it’s only an occasional need (probably during rare reporting) I’ll probably go for the dacl method for accuracy.

(imported comment written by brolly3391)

I just noticed that if there is no user logged on it will generate an error so I added a bit more error checking with an IF. This will also speed things up for machines where there is no current user.

q: if exists current user then exists dacl whose (effective access mode for (name of current user) of it = effective access mode for "Administrators" of it) of security descriptor of system folder else FALSE

A: True

T: 2312.508 ms

I: singular boolean

Interestingly enough, it appears that this method will also catch current users that are local administrators by virtue of being in a domain group. The evaluation times worry me though. What is "effective access mode" actually doing on the system that takes so long? Does it initiate a request to the Domain Controller if the machine is on a domain? Will using it have a noticeable impact on the domain controller or network? Also, if there are identical local and domain user names I am not sure that it will correctly pick the one that is logged in for the comparison to the administrators group.

For the other method, try adding in "following text of last "\"" to get rid of the domain half of the account and adding the IF to check if the current user exists. That should resolve false positives where the computername contains the username. It’s darn fast but it does not appear to handle indirect group membership by virtue of membership in a domain group. If your local administrative privileges always come from direct membership in the local administrators group then this is the way to go.

q: if exists current user then (exists member whose (following text of last "\" of (it as string as lowercase) contains name of current User as lowercase) of local group "Administrators") else False

A: False

T: 5.745 ms

I: singular boolean
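As an added example (not code from this thread or from BigFix itself), the three member-list checks discussed above modelled in Python over a constructed member list, so the "X-FSMITH\Administrator" false positive and the effect of stripping the domain half can be reproduced offline; the exact-match variant at the end is my own stricter addition, not something posted in the thread.

```python
# Constructed sample of what `members of local group "Administrators" as string`
# might return on a machine named X-FSMITH joined to the CONTOSO domain.
ADMIN_MEMBERS = [
    "X-FSMITH\\Administrator",
    "CONTOSO\\Domain Admins",
    "CONTOSO\\jdoe",
]


def strip_domain(member: str) -> str:
    """Python equivalent of: following text of last "\\" of (it as string)."""
    return member.rsplit("\\", 1)[-1]


def admin_by_contains(members, user):
    """jessewk's version: `it as string as lowercase contains name of current
    user as lowercase`, with the `if exists current user ... else False` guard."""
    if user is None:  # no user logged on -> relevance would otherwise error
        return False
    return any(user.lower() in m.lower() for m in members)


def admin_by_stripped_contains(members, user):
    """brolly's refinement: drop the DOMAIN\\ or COMPUTER\\ prefix, then contains."""
    if user is None:
        return False
    return any(user.lower() in strip_domain(m).lower() for m in members)


def admin_by_exact(members, user):
    """Stricter variant (hypothetical, not from the thread): compare the stripped
    account name for equality, so "admin" no longer matches "Administrator"."""
    if user is None:
        return False
    return any(user.lower() == strip_domain(m).lower() for m in members)


def compare(members, user):
    """Return the verdict of each check side by side for one user."""
    return {
        "contains": admin_by_contains(members, user),
        "stripped_contains": admin_by_stripped_contains(members, user),
        "exact": admin_by_exact(members, user),
    }


if __name__ == "__main__":
    for u in ("fsmith", "admin", "jdoe", None):
        print(u, compare(ADMIN_MEMBERS, u))
```

None of the three variants sees jdoe's indirect rights through "CONTOSO\Domain Admins"; as brolly notes, only the dacl/effective-access-mode query catches nested domain-group membership.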

(imported comment written by MikeP23)

Good stuff, thanks Brolly. :slight_smile: