Is there a way to find out if my application is running under THE Adminitrator accounts?

D

Denis @ TheOffice

Is there a way to find out if my application is running under THE Administrator accounts?

Do not get me wrong here :
I do not want to know if the user is member of the Administrative.
I found that in msdn already.
I want to isolate that the current account is THE Administrator (Not the same).

Thanks
Denis
 
J

Joe Richards [MVP]

You will want to look at GetTokenInformation and retrieve the user's
SID. All administrator account SIDs end with the RID 500. So if the user
SID ends in 500, the account is AN administrator account. To determine
if it is THE administrator account of a specific domain, you need to get
the domain SID and append the 500 RID on it and that will tell you the
full SID of domain's builtin administrator account.

Now I would ask WHY you want that info. If you are building requirements
into an application that requires the builtin administrator account.
Don't. There are companies, the smart ones, that do not use that account
and its password is sealed in an envelope in the safe of some high
ranking executive and doesn't ever come out unless the sky fell. One
company I was at, we didn't use that account for well over 5 years. If
someone came to us with an App that said that it was required, we would
have laughed and escorted them to the door.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
D

Denis @ TheOffice

Do not worry this is not for a mass market software... I would never think of such thing.

The reason why I need that is to prevent my app to do some actions under the Administrator.
My program is made to work only in user mode specific for TS Clients of our servers only.

Denis
 
B

Ben Voigt

Joe Richards said:
You will want to look at GetTokenInformation and retrieve the user's SID.
All administrator account SIDs end with the RID 500. So if the user SID
ends in 500, the account is AN administrator account. To determine if it
is THE administrator account of a specific domain, you need to get the
domain SID and append the 500 RID on it and that will tell you the full
SID of domain's builtin administrator account.

Now I would ask WHY you want that info. If you are building requirements
into an application that requires the builtin administrator account.
Don't. There are companies, the smart ones, that do not use that account
and its password is sealed in an envelope in the safe of some high ranking
executive and doesn't ever come out unless the sky fell. One company I was
at, we didn't use that account for well over 5 years. If someone came to
us with an App that said that it was required, we would have laughed and
escorted them to the door.

Which actually is a pretty good reason to want to do the check.... to make
sure nothing uses the account.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top