Private/Test/Test-IsDA.ps1

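# #requires is only honored at script scope; inside a function body it is just a
# comment, so the version floor the original stated there was never enforced.
#requires -Version 5.1

function Test-IsDA {
    <#
        .SYNOPSIS
        Tests if the current user is a member of Domain Admins.
 
        .DESCRIPTION
        Checks if the current user is a member of the Domain Admins group of the
        user's own account domain by looking for the SID <account domain SID>-512
        (well-known RID 512) among the groups in the user's security token.
         
        Domain Admins is a domain-level privileged group that grants administrative
        rights within the domain. In single-domain forests, Domain Admins effectively
        have forest-wide privileges.
         
        This function uses SID-based checks against the user's token, requiring
        no network calls or AD queries, making it fast and reliable even when
        domain controllers are unreachable.
 
        .INPUTS
        None. This function does not accept pipeline input.
 
        .OUTPUTS
        System.Boolean
        Returns $true if the current user is a member of Domain Admins.
        Returns $false otherwise, including when the check itself fails.
 
        .EXAMPLE
        Test-IsDA
        Returns $true if the current user is a member of Domain Admins.
 
        .EXAMPLE
        if (Test-IsDA) {
            Write-Host "User has Domain Admin privileges"
        } else {
            Write-Host "User does not have Domain Admin privileges"
        }
        Conditionally executes code based on Domain Admins membership.
 
        .NOTES
        Well-known RID checked:
        - 512: Domain Admins (domain-level administrative group)
         
        The Domain Admins SID is built from the current user's account domain SID
        (WellKnownSidType.AccountDomainAdminsSid), so a RID-512 SID that belongs to
        a different domain (for example one carried in sIDHistory) is NOT counted
        as Domain Admins membership. Principals without an account domain (local
        well-known accounts such as SYSTEM) always yield $false.
         
        This function checks the current user's security token, so it works offline
        and does not require Active Directory queries. It includes nested group
        memberships as they are expanded in the user's token at logon.
         
        NOTE(review): with UAC enabled, an unelevated session of a Domain Admin
        runs under a filtered token in which the Domain Admins SID is marked
        use-for-deny-only; WindowsIdentity.Groups is understood to omit such
        entries, so this function is expected to return $false until the session
        is elevated. Confirm in your environment before treating $false as proof
        that the user is not a Domain Admin.
         
        On any failure (e.g. on a non-Windows platform) a non-terminating error with
        id 'DomainAdminCheckFailed' is written and $false is returned - the check
        fails closed and never reports privilege it could not verify.
         
        In multi-domain forests, each domain has its own Domain Admins group.
        This function checks membership in the user's account domain only.
 
        .LINK
        https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
         
        .LINK
        https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
    #>

    [CmdletBinding()]
    [OutputType([bool])]
    param (
    )

    try {
        $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        Write-Verbose "Checking if user '$($identity.Name)' has Domain Admin privileges"
        
        # Derive the Domain Admins SID from the user's own account domain instead of
        # matching any token SID whose string form ends in "-512": that pattern also
        # accepts a RID-512 SID from a different domain, which is not membership in
        # this domain's Domain Admins group and contradicts the documented scope.
        $domainSid = $identity.User.AccountDomainSid
        if ($null -eq $domainSid) {
            # Well-known/local principals (e.g. SYSTEM, S-1-5-18) have no account
            # domain and therefore cannot be members of a domain's Domain Admins.
            Write-Verbose "User SID has no account domain; cannot be a Domain Admin"
            return $false
        }

        $domainAdminsSid = [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,
            $domainSid
        )

        # Contains() compares SecurityIdentifier values structurally, so no string
        # pattern matching on SID text is involved.
        if ($identity.Groups.Contains($domainAdminsSid)) {
            Write-Verbose "User is member of Domain Admins (RID 512)"
            return $true
        }
        
        Write-Verbose "User does not have Domain Admin privileges"
        return $false
        
    } catch {
        # Fail closed: a privilege check that could not complete must never
        # report $true. $identity may still be $null if GetCurrent() itself threw;
        # ErrorRecord accepts a null target object.
        $errorRecord = [System.Management.Automation.ErrorRecord]::new(
            $_.Exception,
            'DomainAdminCheckFailed',
            [System.Management.Automation.ErrorCategory]::NotSpecified,
            $identity
        )
        $PSCmdlet.WriteError($errorRecord)
        return $false
    }
}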