I expected this code:
using System.Security.Principal;

WindowsPrincipal principal = new WindowsPrincipal( WindowsIdentity.GetCurrent() );

public bool UserHasAdminRights( WindowsPrincipal principal, WindowsBuiltInRole role )
{
    bool isAdmin;
    // get the role information of the current user
    // (IsInRole answers for the token this process is running on)
    if ( principal.IsInRole( role ) )
    {
        isAdmin = true;
    }
    else
    {
        isAdmin = false;
    }
    return isAdmin;
}
to return true when a user is in the Built-in Administrators group.
HOWEVER
MSDN for IsInRole states:
In Windows Vista, User Account Control (UAC) determines the privileges
of a user. If you are a member of the Built-in Administrators group,
you are assigned two run-time access tokens: a standard user access
token and an administrator access token. By default, you are in the
standard user role. When you attempt to perform a task that requires
administrative privileges, you can dynamically elevate your role by
using the Consent dialog box. The code that executes the IsInRole
method does not display the Consent dialog box. The code returns false
if you are in the standard user role, even if you are in the Built-in
Administrators group. You can elevate your privileges before you
execute the code by right-clicking the application icon and indicating
that you want to run as an administrator.
The question is: how do I modify this code so that it returns true if the user is in the built-in Admin group, WITHOUT requiring the user to elevate permissions during/before runtime?
Since I can’t neatly post code in comments, like I can here, let me just suggest some pseudo code
proposed method:
While this may look the same, it’s not. Instead of querying the user to see if it’s currently in a given role (non-escalated aren’t), I’m focusing on who the administrators are and then asking if that group contains the user I want, namely the current user.
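One way to implement the membership check this answer describes, shown next to the question's IsInRole check so the difference is visible (example code added here, not the answer's own; it assumes .NET Framework with a reference to System.DirectoryServices.AccountManagement.dll and a class name, AdminGroupCheck, that is invented for the example):

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Hypothetical class name; assumes a reference to System.DirectoryServices.AccountManagement.dll.
public static class AdminGroupCheck
{
    // What the question's code does: asks the *current token* whether the
    // Administrators role is enabled. Under UAC a non-elevated process runs
    // on a filtered token, so this is false even for group members.
    public static bool IsRoleEnabledInCurrentToken()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // The answer's approach: enumerate the local Administrators group
    // (looked up by its well-known SID, so it also works on localized
    // systems where the group name differs) and ask whether the current
    // user's SID appears among its members. Nested groups are expanded.
    public static bool IsMemberOfLocalAdministrators()
    {
        SecurityIdentifier currentUser = WindowsIdentity.GetCurrent().User;
        var adminsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

        using (var machine = new PrincipalContext(ContextType.Machine))
        using (GroupPrincipal admins = GroupPrincipal.FindByIdentity(machine, IdentityType.Sid, adminsSid.Value))
        {
            if (admins == null) return false;   // no such group: nothing to be a member of
            foreach (Principal member in admins.GetMembers(true))
            {
                using (member)
                {
                    if (member.Sid == currentUser) return true;
                }
            }
        }
        return false;
    }

    public static void Main()
    {
        Console.WriteLine("IsInRole on this token (effective rights): " + IsRoleEnabledInCurrentToken());
        Console.WriteLine("Member of Administrators (could elevate):  " + IsMemberOfLocalAdministrators());
    }
}
```

Group membership is not the same as effective privilege: even when the second check returns true, the process is still running on the filtered token, so any administrative operation must still be performed from an elevated process. On a domain-joined machine, expanding nested domain groups needs the domain controller to be reachable, so GetMembers can throw a PrincipalOperationException that a caller should be prepared to handle.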