VBScript program demonstrating how to check for membership in a local group on a computer. The WinNT provider must be used when dealing with local machine accounts. There are several situations that must be accounted for. The domain user can be a member of the local group in any of the following situations:
The complication arises because the WinNT provider does not reveal
nested domain security groups.
The LDAP provider must be used to determine membership in the domain groups. This program uses the
WinNT provider to determine if the user is a member of the local group, or any other local group
nested in the specified local group. If any domain groups are found to be members of the specified
local group, the program switches to the LDAP provider to determine if the user is a member of the
domain group, either directly, or due to group nesting. The program uses the NameTranslate object
to convert the NT names to the Distinguished Names required with the LDAP provider.
This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH and ADSI should be installed.
Other methods can be used to check if a user is a member of the local Administrators group. For example, there is a freeware utility called isadmin.exe that can be used to check if the current user has Administrative rights on the local computer. You can also attempt to perform some action, such as writing a value to the local registry, which can only be done by members of the local Administrators group. The code can trap the possible error, and thus determine if the current user has sufficient permissions, which would imply membership in the local Administrators group. However, none of these techniques will work for testing membership in other local groups. In addition, they either require third party tools, or assume certain permissions are only granted to members of the local Administrators group.
This VBScript program will not reveal membership in the "primary group" of the user. If the user is a member of the local group by virtue of membership in their "primary group" (perhaps the designated "primary" group has been made a member of the local Administrators group), this program will not reveal that.
IsMember9.txt <<-- Click here to view or download the program