VBScript program demonstrating how to check for membership in the local Administrators group on a computer. The WinNT provider must be used when dealing with local machine accounts. There are several situations that must be accounted for. The user can be a member of the local Administrators group in any of the following situations:

The complication arises because the WinNT provider does not reveal nested domain security groups. The LDAP provider must be used to determine membership in the domain groups. This program uses the WinNT provider to determine if the user is a member of the local Administrators group, or any other local group nested in the group. If any domain groups are found to be members of the local group, the program switches to the LDAP provider to determine if the user is a member of the domain group, either directly, or due to group nesting. The program uses the NameTranslate object to convert the NT names to the Distinguished Names required with the LDAP provider.

The program uses the well-known SID to identify the local Administrators group. This means the program will work even if the group has been renamed. The program enumerates all local groups until it finds the one that has the correct SID value.
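
The first step described above, as an added example that is not taken from IsLocalAdm.txt: find the local Administrators group by its well-known SID (S-1-5-32-544) with the WinNT provider, then flag the domain groups among its members, which are the entries that need the LDAP follow-up. The hex constant, the SidToHex helper and the AdsPath test for domain accounts are assumptions of this example.

```vbscript
Option Explicit
' Added example, not the original program.
' S-1-5-32-544 (BUILTIN\Administrators) in binary form, written as hex:
' revision 01, 2 sub-authorities, authority 5, then 32 and 544 little-endian.
Const ADMIN_SID_HEX = "01020000000000052000000020020000"

Dim objNetwork, strComputer, objComputer, objGroup, objAdmins, objMember

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Enumerate local groups only and compare SIDs, so a renamed group is still found.
Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
objComputer.Filter = Array("group")
Set objAdmins = Nothing
For Each objGroup In objComputer
    If SidToHex(objGroup.objectSid) = ADMIN_SID_HEX Then
        Set objAdmins = objGroup
        Exit For
    End If
Next
If objAdmins Is Nothing Then
    Wscript.Echo "No local group with SID S-1-5-32-544 found."
    Wscript.Quit 1
End If

Wscript.Echo "Local Administrators group name: " & objAdmins.Name
For Each objMember In objAdmins.Members
    ' Assumption: local accounts have the computer name in their AdsPath
    ' (WinNT://Domain/Computer/Name); domain accounts do not.
    If LCase(objMember.Class) = "group" And InStr(1, objMember.AdsPath, _
            "/" & strComputer & "/", vbTextCompare) = 0 Then
        ' WinNT will not show groups nested inside this one.
        Wscript.Echo "Domain group (check with LDAP): " & objMember.AdsPath
    Else
        Wscript.Echo objMember.Class & ": " & objMember.AdsPath
    End If
Next

' Convert the byte array returned by objectSid to a hex string.
Function SidToHex(arrSid)
    Dim k
    SidToHex = ""
    For k = 1 To LenB(arrSid)
        SidToHex = SidToHex & Right("0" & Hex(AscB(MidB(arrSid, k, 1))), 2)
    Next
End Function
```

Run it with cscript on the machine being checked; each line reported as a domain group is one whose nested membership the WinNT provider cannot show.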

This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH and ADSI should be installed.

This VBScript program will not reveal membership in the "primary group" of the user. If the user is a member of the local Administrators group by virtue of membership in their "primary group" (perhaps the designated "primary" group has been made a member of the local Administrators group), this program will not reveal that.

IsLocalAdm.txt (view or download the program)