In one of my PowerShell automation, the automated script needs to run with Admin mode. So to avoid the error during the scrip execution, we need to check whether the script is running in the context of a local administrator account or not.
As per my knowledge, PowerShell doesn’t built-in function or Cmdlet that lets us check whether the logged-in user is a member of the Administrators group. To solve this problem, you need to build a function to check the logged-in user’s security status before the main script execution.
The following PowerShell code can be used to check if the current script is running in the “Run as Administrator” mode or not.
STEP #1: Get logged in user details using a WindowsIdentity object.
You need to use WindowsIdentity class to create a new PowerShell object containing security information about the logged-in user. In the first step, you need to get information about the current user and store it in a variable ($CurrentWindowsIdentity) as shown below.
$CurrentWindowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Note:
- The System.Security.Principal is the base .NET library. The library can be used by C# and PowerShell.
- The WindowsIdentity.GetCurrent() is a function in the library.
STEP #2: Creating a new object of type WindowsPrincipal, and pass the Windows Identity to the constructor.
As shown in STEP 1, we got the information about the current user and store it in a variable ($CurrentWindowsIdentity). Now using $CurrentWindowsIdentity you need to create a new PowerShell object as shown below and pass the currently logged-in user object.
The WindowsPrincipal class is primarily used to check the role of a Windows user. The WindowsPrincipal.IsInRole method overloads to check the user role by using different role contexts.
For example, if you want to get the logged-in user name then execute $CurrentWindowsIdentity.Name.
$CurrentWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($CurrentWindowsIdentity)
STEP #3: Check current user below to Admin using WindowsPrincipal.IsInRole method.
Finally, we need to check does the current user has admin privilege using the .IsInRole method. WindowsPrincipal.IsInRole determines whether the current principal belongs to a specified Windows user group and it will output the Boolean result.
$CurrentWindowsPrincipal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Note:
- IsInRole(WindowsBuiltInRole) determines whether the current principal belongs to the Windows user group with
the specified WindowsBuiltInRole.
Final Code:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
#Returns a WindowsIdentity object that represents the current Windows user. $CurrentWindowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent() #creating a new object of type WindowsPrincipal, and passing the Windows Identity to the constructor. $CurrentWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($CurrentWindowsIdentity) #Return True if specific user is Admin else return False if ($CurrentWindowsPrincipal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Host "Write your logical code to execute in Admin mode" -ForegroundColor Green Write-Host "Admin permission is available and Code is running as administrator" -ForegroundColor Green } else { Write-Warning "Insufficient permissions to run this script. Open the PowerShell console as an administrator and run this script again." } |
Output
Opened PowerShell in Admin privilege
Opened PowerShell in Non-Admin private
Leave A Comment