Reputation: 1208
Check if an arbitrary user is in Administrator Group with Python
Is there a way to check if any given user is in the Administrator's Group?
I know how to check if the current user is an admin using:
import ctypes
print ctypes.windll.shell32.IsUserAnAdmin()
However if I'm logged in as userA, I want to know if userZed has admin privileges.
Any pointers or suggestions would help, it seems I can't track down any documentation on ctypes.windll.shell32.
Upvotes: 3
Views: 1964
Answers (3)
Reputation: 3016
There is no real way to know if a given user has administrator rights (could have domain admin rights, could be in an arbitrary group itself member of local administrator group). The only way to know for sure is to impersonate the user, but you will need the user's password. Once you're the user, you can check if you can write into system32 folder (easy way to check whether you're admin... or the FS ACLs are bad lol) or check anything that needs admin powers, like writing an aribtrary registry key into HKLM then delete it.
If you only want to find out if a current user is in local admin group, I've made a package for this, which provides a number of functions among this one
Install with
pip install windows_tools.users
Usage:
import windows_tools.users as users
# if no user is given, current one is used
is_admin = is_user_local_admin('myuser')
print(is_admin)
Longer answer that makes sure a given user has admin rights (still needs the user password)
My package can impersonate, so you might want to check whether you have full administrator powers by doing the following:
pip install windows_tools.impersonate
pip install windows_tools.securityprivilege
Example
import ctypes
from windows_tools import impersonate
from windows_tools import users
from windows_tools import securityprivilege
with impersonate.ImpersonateWin32Sec(
domain=".", username='someuser', password='somepassword'
):
print(users.whoami())
try:
securityprivilege.enable_privilege("SeSecurityPrivilege")
securityprivilege.disable_privilege("SeSecurityPrivilege")
print('Yay, I have admin superpowers')
except ctypes.WinError:
print('Nope, I am a simple mortal')
Upvotes: 0
Reputation: 89735
import win32net
def if_user_in_group(group, member):
members = win32net.NetLocalGroupGetMembers(None, group, 1)
return member.lower() in list(map(lambda d: d['name'].lower(), members[0]))
# Function usage
print(if_user_in_group('SOME_GROUP', 'SOME_USER'))
Of course in your case 'SOME_GROUP' should be 'administrators'
Upvotes: 1
Reputation: 18921
Here is a website with code to do this:
http://skippylovesmalorie.wordpress.com/tag/python-windows/
I tested it and it works. Can be used as follows, note that the strings HAVE to be unicode or the login will fail:
Python 2.7:
print(user_is_admin(u"johndoe", u"password123", u"MYDOMAIN"))
Python 3.x:
print(user_is_admin("johndoe", "password123", "MYDOMAIN"))
Here's the code, for future reference:
import ctypes
import ctypes.wintypes
def current_user_is_admin():
return user_token_is_admin(0)
def user_is_admin(username, password, domain=None):
"""note that username, password, and domain should all be unicode"""
LOGON32_LOGON_NETWORK = 3
LOGON32_PROVIDER_DEFAULT = 0
token = ctypes.wintypes.HANDLE()
if ctypes.windll.advapi32.LogonUserW(username, domain, password,
LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ctypes.byref(token)) == 0:
raise Exception("user logon failed")
try:
return user_token_is_admin(token)
finally:
ctypes.windll.kernel32.CloseHandle(token)
def user_token_is_admin(user_token):
"""
using the win32 api, determine if the user with token user_token has administrator rights
"""
class SID_IDENTIFIER_AUTHORITY(ctypes.Structure):
_fields_ = [
("byte0", ctypes.c_byte),
("byte1", ctypes.c_byte),
("byte2", ctypes.c_byte),
("byte3", ctypes.c_byte),
("byte4", ctypes.c_byte),
("byte5", ctypes.c_byte),
]
nt_authority = SID_IDENTIFIER_AUTHORITY()
nt_authority.byte5 = 5
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220
administrators_group = ctypes.c_void_p()
if ctypes.windll.advapi32.AllocateAndInitializeSid(ctypes.byref(nt_authority), 2,
SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0, ctypes.byref(administrators_group)) == 0:
raise Exception("AllocateAndInitializeSid failed")
try:
is_admin = ctypes.wintypes.BOOL()
if ctypes.windll.advapi32.CheckTokenMembership(
user_token, administrators_group, ctypes.byref(is_admin)) == 0:
raise Exception("CheckTokenMembership failed")
return is_admin.value != 0
finally:
ctypes.windll.advapi32.FreeSid(administrators_group)
Upvotes: 4
Related Questions
- How to check (in template) if user belongs to a group
- Cross-platform way to check admin rights in a Python script under Windows?
- Python - checking if a user has administrator privileges
- Use Python to check if some process is running as administrator
- Determine if current user is in Administrators group (Windows/Python)
- Check multiple users for being admin in windows
- How to check if an account from username and password has admin rights/privileges?
- web2py How to know a user is logged in as admin
- ctypes.windll.shell32.IsUserAdmin() not returning 1 when user is in admins group
- How to check if a given user is a member of the built-in Administrators group?