How to tell if my user account is a privileged account?

Question

I'm looking for a nuts and bolts answer to this, so if that means digging in to SDDL (or whatever...I want to SEE the "token"), I'm ok with that.

UAC policy settings have two consent behavior options:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode User Account Control: Behavior of the elevation prompt for standard users

How can I tell (while logged in as the user) if a user account is currently assigned an admin token so that it is not considered a standard user account or if it's an admin not in admin approval mode?

Answer 1

Best solution I could find so far is a combination of things:

• whoami /all

  1. look for builtin\administrators group membership

• check security event log for eventids 4688 and 4689

  1. Be sure to turn on Audit Process Tracking locally: secpol.msc security settings -> local policies -> audit policy
  2. Get-EventLog -LogName Security | Where-Object {($_.eventid -eq 4688) -or ($_.eventid eq 4689)}
  3. Look for the token elevation type in the message of these events:
• "%%1936" Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
• "%%1937" Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
• "%%1938" Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Thanks to @Clijsters comments above, and to the author of the blog entry here: https://blogs.msdn.microsoft.com/sqlupdates/2015/05/20/understanding-user-account-control-uac-a-brief-summary/

Note on the powershell script in the blog: her script doesn't work if you copy and paste it. You'll need to do some tweaking of your own.

Note on Windows OS versions: Regarding Windows Vista and 7, I'm finding differing information regarding the event log entries. The above findings are based on my testing on Windows 10. Searching around the internet, in Windows 7 and Vista, the event log entries appear to be more straight forward regarding the Token Elevation Type data as described in the "How do I audit elevation?" section of this article: http://programming4.us/security/646.aspx Rather than obfuscating the token type, Win7/Vista apparently give it to you straight as a 1, 2, or 3. YMMV