This VBScript program demonstrates how to check for membership in the local Administrators group on a computer. The WinNT provider must be used when dealing with local machine accounts. There are several situations that must be accounted for. The user can be a member of the local Administrators group in any of the following situations:

  1. The user is a direct member of the local Administrators group on the computer.
  2. The user is a member of another local group that is a member of the local Administrators group. That is, the user is a member by virtue of local group nesting.
  3. The user is a member of a domain group that is a member of the local Administrators group.
  4. The user is a member of a domain group that is a member of a second domain group, which is a member of the local Administrators group. That is, the domain user is a member by virtue of nested domain groups.

The complication arises because the WinNT provider does not reveal nested domain security groups. The LDAP provider must be used to determine membership in the domain groups. This program uses the WinNT provider to determine if the user is a member of the local Administrators group, or any other local group nested in the group. If any domain groups are found to be members of the local group, the program switches to the LDAP provider to determine if the user is a member of the domain group, either directly, or due to group nesting. The program uses the NameTranslate object to convert the NT names to the Distinguished Names required with the LDAP provider.

The program uses the well-known SID to identify the local Administrators group. This means the program will work even if the group has been renamed. The program enumerates all local groups until it finds the one that has the correct SID value.
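The SID lookup and the WinNT half of the walk described above, as an added example (it is not the IsLocalAdm program itself): it finds the group by the well-known SID S-1-5-32-544, follows local group nesting with the WinNT provider, and lists the domain groups that still have to be expanded with LDAP. The "/computer/" path test used to tell local groups from domain groups is an assumption of this example.

```vbscript
' Added example, not the original IsLocalAdm program.
Option Explicit
' Binary form of the well-known SID S-1-5-32-544 (BUILTIN\Administrators), as hex.
Const ADMIN_SID_HEX = "01020000000000052000000020020000"
Dim objNetwork, strComputer, objComputer, objGroup, objAdmins, objSeen
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objSeen = CreateObject("Scripting.Dictionary")
objSeen.CompareMode = vbTextCompare

' Enumerate every local group and match on SID, so a renamed group is still found.
Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
objComputer.Filter = Array("group")
Set objAdmins = Nothing
For Each objGroup In objComputer
    If OctetToHexStr(objGroup.objectSid) = ADMIN_SID_HEX Then
        Set objAdmins = objGroup
        Exit For
    End If
Next
If objAdmins Is Nothing Then WScript.Echo "Local Administrators group not found" : WScript.Quit 1
WScript.Echo "Local Administrators group is named: " & objAdmins.Name
Call WalkGroup(objAdmins, 0)

' Print the members of a local group, recursing into nested local groups.
Sub WalkGroup(objParent, intDepth)
    Dim objMember, strPath
    If objSeen.Exists(objParent.AdsPath) Then Exit Sub   ' guard against nesting loops
    objSeen.Add objParent.AdsPath, True
    For Each objMember In objParent.Members
        strPath = objMember.AdsPath
        If LCase(objMember.Class) <> "group" Then
            WScript.Echo Space(intDepth * 2) & "account: " & strPath
        ElseIf InStr(1, strPath, "/" & strComputer & "/", vbTextCompare) > 0 Then
            ' Assumption: a path containing /<computer>/ is a local group.
            WScript.Echo Space(intDepth * 2) & "local group: " & strPath
            Call WalkGroup(GetObject(strPath & ",group"), intDepth + 1)
        Else
            ' WinNT does not reveal nesting inside domain groups; resolve with LDAP.
            WScript.Echo Space(intDepth * 2) & "domain group (expand with LDAP): " & strPath
        End If
    Next
End Sub

' Convert the byte array returned for objectSid into a hex string.
Function OctetToHexStr(arrbytOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function
```

Run it with `cscript` on the machine being audited; every line flagged as a domain group is a place where effective administrators can be hidden behind nested domain groups.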

This program should work on any 32-bit Windows client that can log onto the domain. Windows NT and Windows 98/95 clients should have DSClient installed. If DSClient is not installed, WSH and ADSI should be installed.

This VBScript program will not reveal membership in the "primary group" of the user. If the user is a member of the local Administrators group by virtue of membership in their "primary group" (perhaps the designated "primary" group has been made a member of the local Administrators group), this program will not reveal that.

IsLocalAdm.txt (view or download the program)