I expect the simplest way to report would be to output to a file called
something like "Username is GroupName on MachineName.txt"
Appreciate any tips on the leanest way of achieving this.
It's straightforward to determine if the user is a direct member of the
local Administrators group. Bind to both the user and group objects, then
use the IsMember method of the group object, passing the AdsPath of the
user. For example:
===========
Option Explicit

Dim objNetwork, objGroup, objUser
Dim strUser, strComputer, strDomain

' Get the names of the local computer, the current user and the user's domain.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName
strDomain = objNetwork.UserDomain

' Bind to the local Administrators group and to the user object.
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

If (objGroup.IsMember(objUser.AdsPath) = True) Then
    ' User is a direct member of the local Administrators group.
Else
    ' User is NOT a direct member of the local Administrators group.
End If
============
It gets tricky if you need to account for group nesting. I have an example
program demonstrating how to handle this linked here:
http://www.rlmueller.net/IsMember9.htm
This can be used to tell if the user is a member of either the local
Administrators or Power Users groups. It will not handle the situation where
the group name has been changed, or where the user has been given
permissions directly. Sometimes the best way to tell if a user has a
privilege is to attempt to do something that requires it and trap the
possible error. For example, to tell if a user can write to the local
registry you can try to write a value and trap the error if this fails.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
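
The trap-the-error approach mentioned in the reply above, as an added example that is not part of the original posts: it attempts a write under HKLM, traps the failure, and records the outcome in a report file named in the style the question asks for. The key name PrivCheckExample, the value name Probe and the %TEMP% report location are assumptions made for this example.

```vbscript
Option Explicit

' Hypothetical scratch key used only for the probe (not from the original post).
Const TEST_KEY = "HKLM\SOFTWARE\PrivCheckExample\"

Dim objNetwork, objShell, objFSO, objFile
Dim strUser, strComputer, strResult, strReport

Set objNetwork = CreateObject("Wscript.Network")
Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName

If CanWriteKey(objShell, TEST_KEY) Then
    strResult = "can write HKLM"
Else
    strResult = "cannot write HKLM"
End If

' Assumption: the report goes to the user's %TEMP% folder; point this at a
' share the user can write to if the results are collected centrally.
strReport = objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & _
    strUser & " " & strResult & " on " & strComputer & ".txt"
Set objFile = objFSO.CreateTextFile(strReport, True)
objFile.WriteLine Now & vbTab & strUser & vbTab & strResult & vbTab & strComputer
objFile.Close

' Returns True if the current token can create a value under strKey.
' strKey must end with a backslash so RegDelete treats it as a key.
Function CanWriteKey(objSh, strKey)
    Dim lngErr
    On Error Resume Next
    Err.Clear
    objSh.RegWrite strKey & "Probe", "1", "REG_SZ"
    lngErr = Err.Number
    If lngErr = 0 Then
        ' The write succeeded: remove the probe value, then the scratch key.
        objSh.RegDelete strKey & "Probe"
        objSh.RegDelete strKey
    End If
    On Error GoTo 0
    CanWriteKey = (lngErr = 0)
End Function
```

The result reflects the access token the script runs with, not group membership as such, so it also covers renamed groups and directly granted permissions.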