Trouble determining admin rights
Keywords: Trouble determine admin rights 562 error Invalid User Name
Question:
Here is my script:

   AddExtender("WWWNT34i.DLL")
   user=wntGetUser(@default)
   response=wntUserProps("", user, 7)
   message("The Privilege level is:",response)

When I run it, I get an error:

   WIL Extender Error 562: Invalid User Name

I want to find out if the currently logged on ID has admin rights. Right now I am logged on with a domain ID that is in the local admin group, and I am getting this error.
Answer:
The problem is the Definition of Admin rights, especially on a complicated network. Any old Admin, local machine admin, network admin, god-like admin?
The only method I have ever seen to reliably work is to attempt the desired operation and trap for errors.
Question (cont'd):
Local Admin should do. I need to know whether I'll be able to do the following things:
1) Copy two files into the Windows directory, per DirWindows(0).
2) Change DACs (file permissions) on one of the two to give everyone Change permission.
3) Add items to the Common Start Menu.
Answer:
>1) Copy two files into the Windows directory, per DirWindows(0).

   tempname=strcat(DirWindows(0),"aaatest.txt")
   ErrorMode(@off)
   handle=FileOpen(tempname,"WRITE")
   ErrorMode(@cancel)
   if handle!=0
      FileClose(handle)
      FileDelete(tempname)
   endif

If handle is equal to 0 then you can't write to the DirWindows(0) directory or the machine has died.

>2) Change DACs (file permissions) on one of the two to give everyone Change permission.

   ErrorMode(@off)
   flag=wntAccessAdd(...)
   ErrorMode(@cancel)

If flag==0, it did not work.

I usually see if I can do a write to HHEY_LOCAL_SYSTEM to check for this.

>3) Add items to the Common Start Menu.

   ErrorMode(@off)
   flag=RegSetValue(@REGMACHINE,"some\innocious\place",0)
   ErrorMode(@cancel)

Actually this is a pretty good all around admin test. Theoretically imperfect, but I have never seen it fail in practice.
Continuation of Discussion
Question:
I have been investigating the use of wntuserprops. I found this article here that talks about the exact problem I'm having, and several answers are given on how to deal with this. I wanted to see if I could discuss this some more and perhaps get some additional useful tips out of the topic.
Ultimately the answer to that question comes down to the fact that wntuserprops does not work in a complicated network environment. I guess that is true in my case, as I get the same error the original poster did. Our users log onto their computers with a domain account that is in one of the local groups (power users, in this case) and seemingly that is enough to confuse wntuserprops. I'm guessing it only works when the user one is testing is a local account on the machine?
So I have two questions/thoughts on this:
- How does wntuserprops work with regards to the group "power users"? The syntax/help file only lists the potential results of "guest" "user" and "admin". This isn't that important a question to me since the call isn't working anyway, so I'm not getting any results.
- Given that I cannot get the call to work directly anyway, I like the idea of actually performing a test to check for the presence of the necessary privs to do something admin-like. The third choice listed in the article:

"I usually see if I can do a write to HHEY_LOCAL_SYSTEM to check for this.

   ErrorMode(@off)
   flag=RegSetValue(@REGMACHINE,"some\innocious\place",0)
   ErrorMode(@cancel)

Actually this is a pretty good all around admin test. Theoretically imperfect, but I have never seen it fail in practice."

That's an excellent idea, and I intend to use it in my script. This is a good test because after elevating a user (from Power User to Administrator) they in theory are admins (a test that simply looks to see if they are in the admin group will say they are an admin, even immediately after elevation) but in practice, they must logoff/logon before they have the actual rights, so a direct test will be very useful. What I'm curious about is can you elaborate on why you think this test is theoretically imperfect? I am glad to hear that you've never had it fail in practice, that's encouraging.. :D
My thanks for a great product.
Answer:
Theoretically imperfect since an Admin *could* change the Security to the registry to allow some people, groups or everyone to update protected sections of the registry.
If this was done, then the simple test of seeing if you could write to HKEY_LOCAL_MACHINE would indicate that yes you can, and thus the technique would make the program think it had admin rights.
But I have never seen a machine where the admin let this happen.
The general idea is just to test the operation that you want to do, trap errors and see if it worked.
Article ID: W15201
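Added example (not part of the original article or the vendor's own code): the "test the operation and trap errors" approach from the answers above, written as two WIL probes that clean up after themselves. It goes slightly beyond the thread by requiring both probes to agree, so that one loosened registry ACL (the theoretical imperfection described in the last answer) does not by itself produce an "admin" verdict; the scratch key name SOFTWARE\AdminProbeTest is a hypothetical placeholder.

```winbatch
; Added example, not code from the original article.
; Assumption: "SOFTWARE\AdminProbeTest" is a hypothetical scratch key name.

#DefineFunction ProbeWindowsDirWrite()
   ; Create and remove a scratch file in the Windows directory.
   tempname = StrCat(DirWindows(0), "aaatest.txt")
   prev = ErrorMode(@OFF)            ; suppress the error box, remember old mode
   handle = FileOpen(tempname, "WRITE")
   ErrorMode(prev)                   ; restore whatever mode the caller had
   If handle == 0 Then Return @FALSE
   FileClose(handle)
   FileDelete(tempname)
   Return @TRUE
#EndFunction

#DefineFunction ProbeHklmWrite()
   ; Write a scratch key under HKEY_LOCAL_MACHINE, then delete it again
   ; so the probe leaves nothing behind.
   probekey = "SOFTWARE\AdminProbeTest"
   prev = ErrorMode(@OFF)
   LastError()                       ; reading it resets the last-error indicator
   RegSetValue(@REGMACHINE, probekey, 0)
   err = LastError()
   If err == 0 Then RegDeleteKey(@REGMACHINE, probekey)
   ErrorMode(prev)
   If err == 0 Then Return @TRUE
   Return @FALSE
#EndFunction

fileok = ProbeWindowsDirWrite()
regok  = ProbeHklmWrite()

If fileok && regok
   verdict = "Both probes passed: the current logon can do the admin-level work."
Else
   If fileok || regok
      ; One protected location is writable and the other is not. This is the
      ; pattern a loosened ACL produces, so do not treat it as full admin.
      verdict = "Probes disagree: permissions were changed on one location."
   Else
      verdict = "Both probes failed: no admin rights in this logon session."
   EndIf
EndIf

Message("Admin rights probe", verdict)
```

Because the probes perform the real operations, they reflect the rights of the current logon session, which is what matters in the case raised above where a user added to the Administrators group has not yet logged off and on.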