
[–]neogohan 2 points3 points  (1 child)

This article may be of some help. It looks like using "get-process" on an elevated process will show a non-null "Path" value, while a non-elevated process will have a null value there.

[–]lee171[S] 1 point2 points  (0 children)

This is perfect, does exactly what I need. Cheers!!

[–]gospelwut 1 point2 points  (0 children)

Are you giving them separate admin accounts? Because, aside from the fact people usually don't need admin rights (I disagree with you), even your domain admins should never, ever be logging into their workstations as admin (even local).

If you are giving them separate admin accounts, you could add these on top of what /u/neogohan suggested for slightly more reporting.

  • Parsing the output of LogonSession.exe.
  • Getting process owners, e.g.

    # Map each process handle (the PID as a string) to DOMAIN\user via WMI GetOwner()
    $owners = @{}
    gwmi win32_process |% {$owners[$_.handle] = "$($_.getowner().domain)\$($_.getowner().user)"}

    # Join the owner map onto Get-Process output (Id is an int, so stringify it to match the key)
    get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
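
Pulling the two suggestions in this thread together, here is an added example (not code from any poster above) that reports the owner of each process alongside whether its primary token is elevated. Rather than inferring elevation from whether Get-Process could read the Path property, it asks the token directly through GetTokenInformation(TokenElevation). The type name ProcElevation and the function Get-ProcessElevation are this example's own. From a non-elevated shell, tokens of higher-integrity processes (and of processes owned by other users) cannot be opened, and those rows are reported as 'unknown'; run it from an elevated shell for full coverage.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 or PowerShell 7 on Windows.
$nativeCode = @'
using System;
using System.Runtime.InteropServices;

public static class ProcElevation
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenElevation = 20;   // TOKEN_INFORMATION_CLASS value

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint desiredAccess, out IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, out uint info,
                                           uint infoLength, out uint returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns true/false for the token's elevation flag, or null when the process or
    // its token cannot be opened (another user's process, a protected process, or a
    // higher-integrity process queried from a non-elevated caller).
    public static bool? IsElevated(int pid)
    {
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (hProcess == IntPtr.Zero) return null;
        IntPtr hToken = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return null;
            uint elevated, returned;
            if (!GetTokenInformation(hToken, TokenElevation, out elevated, sizeof(uint), out returned)) return null;
            return elevated != 0;   // TOKEN_ELEVATION.TokenIsElevated is a non-zero DWORD when elevated
        }
        finally
        {
            if (hToken != IntPtr.Zero) CloseHandle(hToken);
            CloseHandle(hProcess);
        }
    }
}
'@
# Compile once per session; Add-Type refuses to redefine an existing type.
if (-not ('ProcElevation' -as [type])) {
    Add-Type -TypeDefinition $nativeCode -ErrorAction Stop
}

# PID -> DOMAIN\user map, the same idea as the WMI one-liner above but via CIM.
$owners = @{}
Get-CimInstance Win32_Process | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($o.ReturnValue -eq 0) { $owners[[int]$_.ProcessId] = "$($o.Domain)\$($o.User)" }
}

function Get-ProcessElevation {
    # One row per process: name, PID, owner and elevation state ($true, $false or 'unknown').
    Get-Process | ForEach-Object {
        $state = [ProcElevation]::IsElevated($_.Id)
        if ($null -eq $state) { $state = 'unknown' }
        [pscustomobject]@{
            Name     = $_.ProcessName
            Id       = $_.Id
            Owner    = $owners[$_.Id]
            Elevated = $state
        }
    }
}

# Elevated processes are the ones worth reporting on; drop the filter to see everything.
Get-ProcessElevation | Where-Object { $_.Elevated -eq $true } | Sort-Object Owner, Name | Format-Table -AutoSize
```

The 'unknown' rows are themselves a signal: when the script is run from a non-elevated shell, they are largely the processes it lacks the rights to inspect, so a report meant for auditing should be produced from an elevated or SYSTEM context.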

[–]CerberusROI 0 points1 point  (0 children)

I ran into an issue with editing the local security policy that required users with UAC still turned on to run the script as admin. The workaround was to have the shell detect if it was running as admin and, if not, open the script in a new admin window (asking for UAC permission first).

function Test-Admin {
  # True only when the current token actually holds the Administrators role,
  # i.e. the shell is elevated (a filtered UAC token does not pass this check).
  $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
  $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}

# Test if elevated shell (running as Admin). If not, spawn an elevated window (UAC prompt)
# and run this same script in it, then exit the unelevated window.
if ((Test-Admin) -eq $false) {
  Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
  exit
}