February 27, 2015

[SUDO]masochistic - Am I running as Admin???

Does it not make you grumpy when you load up a Powershell console and you forgot to run it as an Admin.  This is a security thing right, you know don’t always run as an admin, elevate when you require it etc…. meh! SUDO do one!… makes me grumpy! Only cause I’m an idiot who forgets to “run as”.

As we all know Grumpy Admin is a real lazy admin, and sometime I make mistakes like running Powershell as the wrong user!… so what I did was I created a small Powershell function that just warns me if I am not running as an Admin.

Simple – But how do I get that to load each time? Well I put it in one of my Powershell profiles… There are four actual profiles but that will take away another blog for the future so errr what I will just cover one of them here. Profile, sounds handy I hear you say, is that a new feature? Well since inception Powershell has had a neat feature call profiles. You should have come across it but if you haven’t then go spend some time on Google. It will be worth your while 🙂

Your profile is  where you can load modules, configure alias’s put in whole functions that get executed when you load you Powershell console. I seen some profiles that ask for your domain credentials and convert them and store them as PSCredential object – which can be mighty useful! I might knock out and example of that.

Be-warned that depending on the scope and the profile used some applications that launch Powershell in the background due to the nature of their purpose can also execute code in your profile script which might hurt or slow down the applications. Or if someone bad wanted to do something bad, then maybe putting code in your profile to execute might be a good way of doing it?

Now lets do this then – lets make a profile that will have a function in it that will write a warning  to the console if you have not got Administrator rights!

First lets check to see if we have a profile already! This can be done just type the Test-Path cmdlet followed by the handy Powershell variable $profile

Test-Path $profile

it will either return with True or False.

Great so if it is true we can simply do a Notepad $Profile and add in our code, save it and bing bang boo! If it False then we need to touch the file and then edit it! Grumpy Admin loves all the rude IT terms, like Touch, Fork! lol can’t beat them can you?

We can use the new-item -path $profile -type file -force cmdlet for that, followed by notepad $profile. Simple as 3.141

new-item -path $profile -type file -force

so we have our $profile open in notepad – the title will read Microsoft.Powershell_profile.ps1

Now I like putting everything in a function to contain the code don’t want it running away now, and I like to be able to call it from time to time and to allow me to easily cut and paste and merge it in to other scripts, why write code twice when there is ctrl-v… so lets make a basic function

so here is my “basic” function

Function CheckAdminRights
{

}

Good – Write now we need the logic code in there – a simple IF statement should do the trick!

Function CheckAdminRights
{
if ()
{

}
else
{

}
}

Why put the whole if else statement in? There better way to do it Mr Grumpy Admin. Well grumpy admin is lazy and if I do it like this I might save effort down the line!

Right now how to actually check if I have Admin rights, well we know Powershell has access to the security principal name space, so we can hook into that and there is an great function it provides isinrole(). So rather than mess around with correct syntax through trial and error, a quick Google gives me this logic statement to use to return, True or False if the local user is in the Admin role!

([Security.Principal.WindowsPrincipal[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”)

As this returns either True or False, this will fit nice and neat inside of our if statement – so we can use the boolean logical -eq here!

So our function has grown quickly into

Function CheckAdminRights{
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”) -eq “True”)
{
}
else
{
}
}

Next we just need it to stick a warning on the console and there we go – save it and test it – I decided to use the Write-Warning for this – just easier that way as it puts in a bright yellow and isn’t dependant on anything else really 🙂

so our final code looks like this :-

Function CheckAdminRights{
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”) -eq “True”)
{}
else
{Write-Warning “You do not have Administrator rights in this session”}
}

Enjoy, again if you can improve or have comments or can do something cool and funky with this go for it! Post it back and share – Grumpy Admin loves feedback, if its really good feedback I will print it out and feed it to my shredder!   Blog about it 🙂

Hazzy