Hi there,

I found a couple of APIs to ask Win32 if the current user belongs to
the administrators group. But most of them look very confusing and
complicated. Others seem to only work in different networking
infrastructure, such as domains. Found:

NetUserGetInfo() + NetGroupGetUsers()
GetSecurityInfo()
PrivilegeCheck()
LsaOpenPolicy() + LookupAccountName()/LsaLookupNames() +
LsaEnumerateAccountsWithUserRight()
AccessCheck()

very confusing!

I wonder if there is a "Best Current Practice" to see if the current
user is "admin" or "normal user". Something simple which only returns a
BOOL value for that check.

Any hints?

--
Mai Kee Reiss

Re: Howto evaluate if current user is of administrators group? by Maxim

Maxim
Sat Jul 19 14:56:47 CDT 2008

> NetUserGetInfo() + NetGroupGetUsers()
> GetSecurityInfo()
> PrivilegeCheck()
> LsaOpenPolicy() + LookupAccountName()/LsaLookupNames() +
> LsaEnumerateAccountsWithUserRight()
> AccessCheck()
>
> very confusing!

OpenThreadToken + GetTokenInformation(TokenGroups), then scan for admin group
well-known SID.

Also you can rely on some privileges like "backup files" or so.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Re: Howto evaluate if current user is of administrators group? by kareem114

kareem114
Sat Jul 19 19:16:59 CDT 2008

Hi Maxim,

>OpenThreadToken + GetTokenInformation(TokenGroups), then scan for admin
>group well-known SID.

>Also you can rely on some privileges like "backup files" or so.

Yeah ACK, but there are other ways and an undocumented function, where
I don't know if it's still available in Vista (someone check please!), but
I think so:

[advpack.dll]
BOOL WINAPI IsNTAdmin( DWORD dwReserved, DWORD *lpdwReserved );

or use this:

#include <windows.h>

BOOL IsAdmin(void)
{
    HANDLE hAccessToken;
    // fixed-size buffer: a token with more groups than fit here makes
    // GetTokenInformation fail, and the function then returns FALSE
    UCHAR InfoBuffer[1024];
    PTOKEN_GROUPS ptgGroups = (PTOKEN_GROUPS)InfoBuffer;
    DWORD dwInfoBufferSize;
    PSID psidAdministrators;
    SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
    UINT x;
    BOOL bSuccess;

    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE,
                         &hAccessToken)) {
        if (GetLastError() != ERROR_NO_TOKEN)
            return FALSE;
        //
        // retry against process token if no thread token exists
        //
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,
                              &hAccessToken))
            return FALSE;
    }

    bSuccess = GetTokenInformation(hAccessToken, TokenGroups, InfoBuffer,
                                   sizeof(InfoBuffer), &dwInfoBufferSize);

    CloseHandle(hAccessToken);

    if (!bSuccess)
        return FALSE;

    // build the well-known SID of the local Administrators group
    if (!AllocateAndInitializeSid(&siaNtAuthority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0,
                                  &psidAdministrators))
        return FALSE;

    // assume that we don't find the admin SID.
    bSuccess = FALSE;

    for (x = 0; x < ptgGroups->GroupCount; x++)
    {
        // only an enabled group grants access; a deny-only entry
        // (SE_GROUP_USE_FOR_DENY_ONLY) does not have SE_GROUP_ENABLED set
        if (EqualSid(psidAdministrators, ptgGroups->Groups[x].Sid) &&
            (ptgGroups->Groups[x].Attributes & SE_GROUP_ENABLED))
        {
            bSuccess = TRUE;
            break;
        }
    }
    FreeSid(psidAdministrators);
    return bSuccess;
}

I am not a big fan of undocumented stuff, but this IsNTAdmin works
just fine,...!

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Latest Project: http://www.codeplex.com/restarts
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."


Re: Howto evaluate if current user is of administrators group? by chris

chris
Sun Jul 20 10:36:00 CDT 2008

On Jul 19, 2:56 pm, "Maxim S. Shatskih" <ma...@storagecraft.com>
wrote:

> Also you can rely on some privileges like "backup files" or so.

Totally incorrect, you can be an Administrator but not have backup
rights.

Re: Howto evaluate if current user is of administrators group? by Maxim

Maxim
Sun Jul 20 10:53:39 CDT 2008

> Totally incorrect, you can be an Administrator but not have backup
> rights.

For some products (products allowing sector-wise disk reads, for instance), the
notion of "administrator" as "having a backup privilege" makes sense. It should
be documented though.

By default, the administrators group has this privilege.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Re: Howto evaluate if current user is of administrators group? by Ray

Ray
Mon Jul 21 12:48:53 CDT 2008

Fundamentally, the right thing to do is check for the privilege you need
in order to do whatever it is that you want to do.

If you want to install a driver, check for the driver install privilege
(though for annoying reasons, installing drivers does actually require
being in the admin group, at least before Vista... not sure about
after... it shouldn't, but I haven't checked).

If you want to write to a system directory, check whether you have write
access to the directory. Etc. Etc.

Administrators don't necessarily have to have all the privileges enabled
(though it's a rare system indeed where they don't have the "add
privilege" priv, so that's kind of moot in practice... other than
requiring writing lots of annoying code if you want to take advantage of
it).

But perhaps the easiest way is to just manifest your application to
require administrator privileges, and let UAC take care of it (or let
people run it manually as admin if they are so foolish as to turn off
UAC... they probably (hehe) know what they are doing in that case).

--
Ray

Re: Howto evaluate if current user is of administrators group? by Mai

Mai
Wed Jul 23 15:37:38 CDT 2008

Hi Ray,

again you say something like "just manifest your application to require
xxx privileges". There must be some background, I have completely missed
the last years!
How Do I? What Tools do I need to use?

> Fundamentally, the right thing to do is check for the privilege you need
> in order to do whatever it is that you want to do.

I really hoped, you'll say this, because it fits in the picture I have
in mind ;-)

> If you want to install a driver, check for the driver install privilege
> [....] Administrators don't necessarily have to have all the privileges
> enabled [....]

I hoped, you'll also say this...

Okay. Let me tell, how I understand things and then please correct me,
where I'm wrong, yes?

In the past I wrote programs only for both admins and users. Programs,
which were able to say at some point:
"Sorry, insufficient rights! Please cry for your admin" - for instance
when called with commandline param "-U uninstall service" or such. Or,
when not being admin, or not having write access to HKLM, some parts of
the menus have been disabled. I'm sure you can imagine that kind of
tools I talk about.

If I understand you right, I have to split this up now into /two/ .exe
files, one with a "user Manifest" (and without the "-U" option or boss
menus) and one with an "Admin Manifest" (and with all those dangerous
options inside).
Right?
And what is a manifest and how can I create one and how can I attach it
to the app?

:-?
Mai Kee


--
Mai Kee Reiss

Re: Howto evaluate if current user is of administrators group? by Mai

Mai
Wed Jul 23 15:47:38 CDT 2008

Hi Maxim, Chris,

> > Totally incorrect, you can be an Administrator but not have backup
> > rights.
>
> For some products (products allowing sector-wise disk reads, for instance), the
> notion of "administrator" as "having a backup privilege" makes sense. It should
> be documented though.
>
> By default, the administrators group has this privilege.

please let me refine my question, now I have better understanding!

I think I'll need to search for privileges only. This way, Chris is
right. In most cases, Admin group would fit this, Maxim is right, too.

But the more I think about it, the more I don't want to rely on the
groups thing but on the privileges!

Now the new question is:
1) How to find out, which privilege I need to have?
2) How to check programmatically, if current process has this one?

regarding ... how to find out, which privilege I need ...
Is there, for instance, a "write to HKLM" priv? (no relation to my
other post, just a sample). Or, which priv is for writing into
%SYSTEMROOT% ? Which priv is for writing into %ALLUSERSPROFILE% ? Which
is for restoring backup files?


--
Mai Kee Reiss

Re: Howto evaluate if current user is of administrators group? by chris

chris
Wed Jul 23 18:26:31 CDT 2008

On Jul 20, 10:53 am, "Maxim S. Shatskih" <ma...@storagecraft.com>
wrote:

> > Totally incorrect, you can be an Administrator but not have backup
> > rights.
>
> For some products (products allowing sector-wise disk reads, for instance), the
> notion of "administrator" as "having a backup privilege" makes sense. It should
> be documented though.

More nonsense. What does this even mean? Who cares if it "makes
sense" (to you)? You can't assume you have the privilege, end of
story.

Re: Howto evaluate if current user is of administrators group? by Maxim

Maxim
Fri Jul 25 08:26:28 CDT 2008

> More nonsense. What does this even mean? Who cares if it "makes
> sense" (to you)? You can't assume you have the privilege, end of
> story.

1. Product has documented that, in this product, the notion of "Administrator"
means - "one with backup privilege". This is a design choice of this particular
product.

2. Product uses privilege checks except of SeIsTokenAdmin and searching for
admin SID in user mode.

3. If somebody will have backup privilege disabled for admins (not a major
percentage of installed Windows base, I would say - extremely minor) - then the
technical support can point him/her to the documentation where it is written
about the backup privilege.

End of story.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Re: Howto evaluate if current user is of administrators group? by Ray

Ray
Fri Jul 25 19:45:37 CDT 2008

Here's a reasonable tutorial on how to add a manifest to your app:

http://www.professionalvisualstudio.com/blog/2007/10/05/enabling-your-application-for-uac-on-vista/

In terms of having an app that both admin and non-admin users can do
stuff with, I haven't done much in that line, however, my understanding
is that apps are either running with an admin token or not, and there
isn't a way to "add one" later. That may have changed since the last
time I looked.

One way to do this is, as you say, to split out the "admin-requiring"
stuff into a separate exe that is manifested to "requireAdministrator".
There's some more information here:
http://codefromthe70s.org/vistatutorial.asp

It confirms that you have to run an exe separately to have admin privs,
however, you can use CreateProcess to run an app with admin rights, so
you could theoretically keep it all in 1 (un-manifested) exe and re-run
it if you need to elevate.

--
Ray

Re: Howto evaluate if current user is of administrators group? by Pavel

Pavel
Wed Aug 06 01:09:21 CDT 2008

>> NetUserGetInfo() + NetGroupGetUsers()
>> GetSecurityInfo()
>> PrivilegeCheck()
>> LsaOpenPolicy() + LookupAccountName()/LsaLookupNames() +
>> LsaEnumerateAccountsWithUserRight()
>> AccessCheck()
>>
>> very confusing!
>
> OpenThreadToken + GetTokenInformation(TokenGroups), then scan for admin
> group well-known SID.


The recommended way of doing this is CheckTokenMembership.

Enumerating SIDs in the token is more complicated and error prone
(you need to make sure you handle deny-only SIDs properly, etc).

Avoiding such checks if possible is even better (just try whatever
operation you're going to do and see if it works or fails with access
denied).
This way administrators can delegate functions to lower privileged users.

--
This posting is provided "AS IS" with no warranties, and confers no
rights.
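
Added example, not code from any poster in this thread: a portable model of the deny-only pitfall mentioned above, showing how a bare SID scan over TokenGroups misjudges a UAC-filtered token. The struct, the function names and the two sample tokens are assumptions made for illustration; the `_WIN32` section shows the CheckTokenMembership call that applies the same rule on Windows.

```c
#include <string.h>

/* Attribute bits as defined in winnt.h, redeclared so the model builds anywhere. */
#define GRP_ENABLED    0x00000004u   /* SE_GROUP_ENABLED */
#define GRP_DENY_ONLY  0x00000010u   /* SE_GROUP_USE_FOR_DENY_ONLY */
#define ADMINS_SID     "S-1-5-32-544" /* builtin Administrators group */

/* Simplified stand-in for SID_AND_ATTRIBUTES (SID kept as a string). */
struct group_entry { const char *sid; unsigned attrs; };

/* Bare scan: any entry carrying the Administrators SID counts as "admin". */
int naive_is_admin(const struct group_entry *g, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, ADMINS_SID) == 0) return 1;
    return 0;
}

/* Membership counts only if the group is enabled and not deny-only. */
int strict_is_admin(const struct group_entry *g, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, ADMINS_SID) == 0)
            return (g[i].attrs & GRP_ENABLED) && !(g[i].attrs & GRP_DENY_ONLY);
    return 0;
}

/* Constructed sample tokens (not captured from a real system). */
const struct group_entry filtered_token[] = {  /* admin user, UAC-filtered */
    { "S-1-5-32-545", 0x7 },                   /* Users: enabled */
    { ADMINS_SID, GRP_DENY_ONLY },             /* present, but deny-only */
};
const struct group_entry elevated_token[] = {  /* same user, elevated */
    { "S-1-5-32-545", 0x7 },
    { ADMINS_SID, 0xF },                       /* enabled, group owner */
};
#ifdef _WIN32
#include <windows.h>
/* On Windows itself, CheckTokenMembership applies these rules for you. */
BOOL is_admin_win32(void) {
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID admins; BOOL member = FALSE;
    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &admins)) return FALSE;
    if (!CheckTokenMembership(NULL, admins, &member)) member = FALSE;
    FreeSid(admins);
    return member;
}
#endif
int main(void) {  /* exit code 0 when the model behaves as described */
    return !(naive_is_admin(filtered_token, 2) && !strict_is_admin(filtered_token, 2));
}
```

The bare scan reports the filtered token as admin even though the operating system would use that SID only to deny access.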



Re: Howto evaluate if current user is of administrators group? by Pavel

Pavel
Wed Aug 06 05:26:10 CDT 2008

Pavel Lebedinsky [MSFT] wrote:
>..........
> Avoiding such checks if possible is even better (just try whatever
> operation you're going to do and see if it works or fails with access
> denied).
> This way administrators can delegate functions to lower privileged users.

Hi there in MSFT,

Just trying was fine on WinXP, but on Vista it triggers the nasty UAC
popup.

Other posters here suggested to open things with MAXIMUM_ALLOWED access.
However, use of MAXIMUM_ALLOWED is not documented in MSDN.
It is briefly mentioned in filesystem drivers section, even noted
that fastfat doesn't support it...

Is there any KB or technet article about checking access rights in
runtime, and proper use of MAXIMUM_ALLOWED?

Regards,
--PA

Re: Howto evaluate if current user is of administrators group? by Pavel

Pavel
Thu Aug 07 02:21:40 CDT 2008

>> Avoiding such checks if possible is even better (just try whatever
>> operation you're going to do and see if it works or fails with access
>> denied).
>
> Just trying was fine on WinXP, but on Vista it triggers the nasty UAC
> popup.

If user does not have access (doesn't matter if it's on Vista or XP), most
operations should fail with access denied (file/registry operations on Vista
might succeed if virtualization is enabled). You should only get a UAC
popup if you try to do something like launch an app that has a manifest
requiring admin rights.

> Other posters here suggested to open things with MAXIMUM_ALLOWED access.

I wouldn't recommend this. Ideally, all code should ask only for those
rights it really needs (potentially retrying with less access if the first
attempt fails).

--
This posting is provided "AS IS" with no warranties, and confers no
rights.