Private/Test/Test-IsEA.ps1

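function Test-IsEA {
    <#
        .SYNOPSIS
        Tests if the current user's token carries Enterprise Admins membership.

        .DESCRIPTION
        Checks if the current user is a member of the Enterprise Admins group by
        examining the security token of the current process for a domain group
        SID (S-1-5-21-<domain>-519) whose relative identifier is the well-known
        RID 519.

        Enterprise Admins is a forest-wide privileged group that exists in the
        forest root domain and grants administrative rights across all domains
        in the forest.

        This function uses SID-based checks against the token, requiring no
        network calls or AD queries, so it still works when domain controllers
        are unreachable. The trade-off is that the answer describes the token,
        not the directory: see NOTES for the cases where the two differ.

        .INPUTS
        None. This function does not accept pipeline input.

        .OUTPUTS
        System.Boolean
        Returns $true if the current token contains an enabled Enterprise Admins
        group SID.
        Returns $false otherwise, including when the check itself fails (a
        non-terminating error is written in that case).

        .EXAMPLE
        Test-IsEA
        Returns $true if the current user is a member of Enterprise Admins.

        .EXAMPLE
        if (Test-IsEA) {
            Write-Host "User has Enterprise Admin privileges"
        } else {
            Write-Host "User does not have Enterprise Admin privileges"
        }
        Conditionally executes code based on Enterprise Admins membership.

        .NOTES
        Well-known RID checked:
        - 519: Enterprise Admins (forest-wide administrative group)

        This function checks the current process token, so it works offline
        and does not require Active Directory queries. It includes nested group
        memberships as they are expanded in the user's token at logon.

        Limits of a token-based check:
        - The token is built at logon. Membership added or removed afterwards
          is not reflected until the user logs on again.
        - WindowsIdentity.Groups omits groups that are marked deny-only. In a
          UAC-filtered (non-elevated) session a privileged group can be present
          only as deny-only, in which case this function returns $false even
          though the account is a member in the directory.
        - Only the RID is compared. The function does not confirm that the
          domain part of the SID is the forest root domain of the local forest.
        - The result is informational (for example, to decide whether to warn or
          skip a step). Access is still enforced by the target system.

        The Enterprise Admins group is created in the forest root domain of
        every forest, including single-domain forests.

        .LINK
        https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

        .LINK
        https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
    #>

    [CmdletBinding()]
    [OutputType([bool])]
    param (
    )

    #requires -Version 5.1

    # Initialise locally so that, if GetCurrent() throws, neither the catch nor
    # the finally block picks up a same-named variable from a calling scope.
    $identity = $null

    try {
        $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        Write-Verbose "Checking if user '$($identity.Name)' has Enterprise Admin privileges"

        # Anchor the whole SID: a domain group SID is S-1-5-21-<a>-<b>-<c>-<RID>.
        # Matching only the '-519' suffix would also accept any other SID type
        # whose last sub-authority happens to be 519.
        $enterpriseAdmins = $identity.Groups |
            Where-Object { $_.Value -match '^S-1-5-21-\d+-\d+-\d+-519$' }

        if ($enterpriseAdmins) {
            Write-Verbose "User is member of Enterprise Admins (RID 519)"
            return $true
        }

        Write-Verbose "User does not have Enterprise Admin privileges"
        return $false

    } catch {
        # Fail closed: report the problem as a non-terminating error and answer
        # "not an Enterprise Admin" rather than letting the exception escape.
        $errorRecord = [System.Management.Automation.ErrorRecord]::new(
            $_.Exception,
            'EnterpriseAdminCheckFailed',
            [System.Management.Automation.ErrorCategory]::NotSpecified,
            $identity
        )
        $PSCmdlet.WriteError($errorRecord)
        return $false
    } finally {
        # WindowsIdentity wraps an access-token handle; release it on every path.
        if ($null -ne $identity) {
            $identity.Dispose()
        }
    }
}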