In an InstallShield basic MSI project: how can I check whether a user name is in the administrator group?
(Not the current user with which I know it's possible to do so.)
3 Answers
2
votes
0
votes
Users can belong to the 'Administrators' group on the local server or could be part of the 'Domain Admins' or 'Enterprise Admins' groups defined inside your AD. Ideal solution would be to create a DLL with a method called IsUserAdmin(user_name) that takes in a user name parameter and returns either true or false.
Internally, the method will call the IADsUser::Groups method to determine the groups the supplied user belongs to and will return true if the groups enumerated belongs to one of those administrator groups above. If not it will return false. You may invoke this DLL inside your InstallShield projects. Be wary of nested groups.
0
votes
I can think of two approaches, however each would involve writing code over-and-above your install script, I'm not familiar with Installshield any more, but presumably just like Visual Studio setup projects you have the concept of custom actions. I suspect that's what you'll need.
I'll only outline the first because the second is quite complex (i.e. even more complex than the first!). The obvious approach is AD. The following snippet of code will tell you whether a a username/password combination exists. Having obtained the user I'm sure you could work out what groups they're in.
if (true == String.IsNullOrEmpty(userName)) throw new Exception("userName not set");
DirectoryEntry entry = new DirectoryEntry();
entry.Username = userName; // Use the fully qualified name here
entry.Password = password;
string DomainlessUsername = userName.Substring(userName.LastIndexOf('\\') + 1, userName.Length - userName.LastIndexOf('\\') - 1);
// We know straight away that if this is empty, we've drawn a blank!
if (true == String.IsNullOrEmpty(DomainlessUsername)) throw new Exception("userName not set");
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + DomainlessUsername + ")";
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
if (null == result)
{
throw new Exception("FindOne executed without exception, but result was null");
}
else
{
// some logging here
}
return true;
Now, there is a potential problem here if the account which runs this code does not have privileges to access AD. I won't go into detail in this post because hopefully the code above will be enough to help you, but the basic principle of the alternative approach is to shell out directly to advapi32.dll to functions like LogonUser. (Bear in mind that again, my problem was validating credentials not checking for admin rights, but there's probably a link there if you're prepared to dig).
Hope some of this helps!
