Differentiate if running as local admin vs domain admin?

[DrLarch 2]

Is there a quick/easy way to differentiate if a script is running as local admin vs. domain admin? IsAdmin() doesn't do this... hence the question. I need a script to behave differently depending on this.

[Earthshine 769]

https://www.autoitscript.com/wiki/Active_Directory_UDF_-_General

The domain admin is granted local admin rights but you will need the active directory UDF most likely to find out if you’re a domain admin

Edited July 20, 2020 by Earthshine

[DrLarch 2]

Thanks - yeah I've used the AD UDF here and there. Was kind of hoping there was a easier quicker way since the AD UDF query is a tad slow. And then I'm assuming one would have to loop through the array _AD_GetUserGroups returns looking for an appropriate OU admin group. Was kind of hoping there would be some more basic way within windows to determine this, but if the domain admin account is only granted local rights, how else would one divine this without querying AD?

So rats, unless anyone else has some other trick up their sleeve.

 

 

[TheXman 572]

38 minutes ago, DrLarch said:

So rats, unless anyone else has some other trick up their sleeve.

You should be able to get the information by running the WHOAMI console command with the appropriate switch(es).

[Subz 791]

_AD_IsMemberOf("Domain Admins", @Username) is the easiest method imho.

[DrLarch 2]

Thanks Xman, WHOAMI works great! And no AD query required...

Edit: Oops, well WHOAMI would have to be used in combination with some kind of AD lookup it seems. WHOAMI just let's you know if it's a local or domain user. And regarding _AD_IsMemberOf, one would need to know the name of the domain admin group, since domain design varies. At least in the domain I work in, there really aren't any global admin accounts for security, only OU/Specific Site Admin accounts.

So it still appears there's no universal way to determine if the user is a domain admin or just a user with local admin rights.

Edited July 21, 2020 by DrLarch

[DrLarch 2]

Would be neat if there was some kind of IsAdmin() function that could return values like:
0 - Not Admin
1 - Local Admin
2 - Domain Admin

But not sure that's even possible...

Edited July 21, 2020 by DrLarch

[argumentum 833]

...can't you try to do a domain admin only query and if failed, you're just local admin ?

[spudw2k 263]

Domain Admin doesn't necessarily grant different permissions than being a local admin.  For most cases, the Domain Admin group is added to devices when they are joined to a domain, but in environments with stricter security requirements, this may not be the case.  I just wanted to point out that Domain Admin membership may not be a universal. 

Having said that, you would know your environment best and if you are sure that the domain admin group is in fact a member of local Administrator groups of all domain joined Windows computers, then enumerating if an account is a member of the Domain Admins group and/or checking the Local Administrators group (or executing permissions if elevated) is your best recourse.

[water 2,642]

Will check when I return to my computer if the AD UDF can help. 

[water 2,642]

According to this article using

net localgroup "Administrators"

will return a list of local admin users.
If you select all AD groups (starting with <domain\> or just by looking for a backslash) and query the members you should get a list all all users with full access to the computer.