Checking Permissions with Batch Process

There is no denying it… I am a die-hard command-line junkie. When deploying to new systems I have my batch file arsenal with me at all times, strictly because it keeps my processes very procedural and standardized. There are times when I come into an environment where the systems have already been deployed, which makes things a bit challenging, especially when dealing with multiple profiles on a single machine. Because most of my deployments require SQL Server Express, I have batch files set up accordingly that specify the needed firewall exceptions along with other automated steps, just to name a few.

When dealing with existing systems I try to make dual processes: 1) when I have admin access and 2) when I don’t have admin access. This all depends on the logged-on user, of course. So in order to preserve the natural order of life I do my best to not interfere with users’ settings, because it tends to throw them off and generally upsets them. So I keep their environment pretty much intact. In order to maintain consistency I run my dual processes. Not ideal, but it works. Of course there are instances where I absolutely require admin access, but for the little items that are merely file placement and such I get by with the separate process.

It sounds like a lot of work, but once you have your batch file laid out the rest is cake. The first thing I do is check to see if the user has elevated privileges. I find trying to query the registry works well in indicating your permission level.

reg query "HKU\S-1-5-19" >NUL
echo %errorlevel%

If I run this under a user account that is in the Users or Power Users group, then the errorlevel will return a value of one.


If run using an account with admin privileges, you will see a value of zero returned.


The next step is to define the process to execute once the permission level has been determined. This is easily directed with the goto statement. Let’s take a look.

@echo off
color 17
reg query "HKU\S-1-5-19" >NUL
If Not %errorlevel% == 0 goto UserDeploy
If %errorlevel% == 0 goto AdminDeploy

:UserDeploy
::Run this process (no admin access)
goto end

:AdminDeploy
::Run this process (admin access)
goto end

:end


I added the CLS on line two to clear the “Error: Access is denied.” message that is displayed on the first screenshot.
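
The same registry probe as an added example (not the author's script): it sits in a subroutine that discards the "Access is denied" text instead of clearing the screen, and it falls back to the user path when a second check disagrees. The label names, the ELEVATED variable and the whoami cross-check (assumes Windows Vista or later) are assumptions made for this example.

```batch
@echo off
setlocal EnableExtensions

rem Added example: decide once, then branch on a variable instead of
rem re-reading %errorlevel% after other commands may have changed it.
call :IsElevated
if "%ELEVATED%"=="1" (goto AdminDeploy) else (goto UserDeploy)

:UserDeploy
rem Placeholder: steps that only touch the current user's profile
echo Running user-level deployment as %USERNAME%
goto End

:AdminDeploy
rem Placeholder: machine-wide steps such as firewall exceptions
echo Running admin-level deployment as %USERNAME%
goto End

:IsElevated
rem Probe 1: the LocalService hive HKU\S-1-5-19 cannot be read by a
rem standard or non-elevated token. stdout and stderr are both
rem discarded, so the error text never reaches the console.
set "ELEVATED=0"
reg query "HKU\S-1-5-19" >nul 2>&1
if not errorlevel 1 set "ELEVATED=1"

rem Probe 2 (cross-check): an elevated token carries the High
rem (S-1-16-12288) or System (S-1-16-16384) mandatory label.
whoami /groups 2>nul | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if errorlevel 1 (
    rem Fail toward the less-privileged path when the probes disagree.
    if "%ELEVATED%"=="1" echo Warning: probes disagree, using user path 1>&2
    set "ELEVATED=0"
)
goto :eof

:End
endlocal
exit /b 0
```

With UAC enabled, an account in the Administrators group takes the user path until the script is started from an elevated prompt, because the probe tests the token of the running process rather than group membership.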


In terms of the dual processes, I set up self-extracting zips to deploy to certain directories based on privileges.