How to check if particular user is domain Admin?
2011-01-20 16:40:32 UTC
Hello everyone,

I am trying to determine in my application if a particular user is
a domain admin or not. I can easily find information on how to check
if a user is a local admin (in MSDN), but there is nothing on domain

Ideally, I would like to check if:

1. User is local admin

2. User is local user, but not local admin (maybe also check for Power
Users group)

3. User is domain admin

4. User is domain user, but not admin

So far, I found a method to get domain SID by using:

LsaQueryInformationPolicy(..., PolicyPrimaryDomainInformation, ...)

Which is working pretty well, so I can say if machine is in domain or
not. Now, having domain SID and user SID, I guess I can check if
user's SID is composed from domain SID?

Any hints on functions to use are appreciated!

2011-01-20 19:29:33 UTC
Use CheckTokenMembership().

SIDs can be found at:


You may want to call ConvertStringSidToSid() first. I have posted a VB6
example at the link below, which you can easily convert to another language.
It checks membership in some groups. I am not sure how to do it for Domain
Admins specifically:
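
Added example, not part of either post and not the VB6 code the reply refers to: portable C that works on string SIDs and covers the four cases in the question, including Domain Admins, whose SID is the domain SID followed by the well-known RID 512. Assumptions: the SID values are constructed, the helper names are hypothetical, and the group list stands in for the groups in the user's token, which on Windows CheckTokenMembership() tests directly.

```c
#include <stdio.h>
#include <string.h>

/* Well-known values (winnt.h): BUILTIN\Administrators, BUILTIN\Power Users,
   and DOMAIN_GROUP_RID_ADMINS, the RID appended to the domain SID. */
#define SID_LOCAL_ADMINS  "S-1-5-32-544"
#define SID_POWER_USERS   "S-1-5-32-547"
#define RID_DOMAIN_ADMINS 512
enum { F_DOMAIN_ACCOUNT = 1, F_LOCAL_ADMIN = 2, F_POWER_USER = 4, F_DOMAIN_ADMIN = 8 };
/* Constructed sample data; a real program reads these from the system. */
static const char SAMPLE_DOMAIN[] = "S-1-5-21-1111111111-2222222222-3333333333";
static const char SAMPLE_USER[] = "S-1-5-21-1111111111-2222222222-3333333333-1105";
static const char *const SAMPLE_GROUPS[] = {
    "S-1-5-21-1111111111-2222222222-3333333333-513", /* Domain Users */
    "S-1-5-21-1111111111-2222222222-3333333333-512", /* Domain Admins */
    "S-1-5-32-545", "S-1-5-32-544" };                /* Users, Administrators */

/* 1 only if sid is domain_sid plus exactly one trailing RID. */
static int sid_in_domain(const char *sid, const char *domain_sid)
{
    size_t n = domain_sid ? strlen(domain_sid) : 0;
    if (n == 0 || strncmp(sid, domain_sid, n) != 0 || sid[n] != '-')
        return 0;   /* also rejects look-alike prefixes such as ...-3 vs ...-30 */
    return sid[n + 1] != '\0' && strspn(sid + n + 1, "0123456789") == strlen(sid + n + 1);
}

static int has_sid(const char *const *groups, size_t count, const char *sid)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(groups[i], sid) == 0) return 1;
    return 0;
}

/* domain_sid is NULL when the machine is not joined to a domain. */
unsigned classify(const char *user_sid, const char *const *groups,
                  size_t count, const char *domain_sid)
{
    char domain_admins[192];
    unsigned flags = 0;
    if (sid_in_domain(user_sid, domain_sid)) flags |= F_DOMAIN_ACCOUNT;
    if (has_sid(groups, count, SID_LOCAL_ADMINS)) flags |= F_LOCAL_ADMIN;
    if (has_sid(groups, count, SID_POWER_USERS)) flags |= F_POWER_USER;
    if (domain_sid) {
        snprintf(domain_admins, sizeof domain_admins, "%s-%d", domain_sid, RID_DOMAIN_ADMINS);
        if (has_sid(groups, count, domain_admins)) flags |= F_DOMAIN_ADMIN;
    }
    return flags;
}
int main(void) { printf("flags=%u\n", classify(SAMPLE_USER, SAMPLE_GROUPS, 4, SAMPLE_DOMAIN)); return 0; }
```

A user SID that is composed from the domain SID only shows that the account is a domain account; whether it is an admin comes from the group SIDs, so the flags are independent and a domain admin is normally also a local admin.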