How do I tell if a certain AD user has admin rights on Windows Server 2003?

It depends on whether the server is a domain controller or not. If it's not a domain controller, all users who are members of the local Administrators Group have admin rights (see Computer Management > Local Users and Groups - Administrators).

If the server is a domain controller, users who are members of the Administrators Group or the Domain Admins Group or the Enterprise Admins group (if there is a forest of domains) have admin rights on that particular server. The Domain Admins Group is by default a member of all Administrator groups on all computers that are in the domain.

Here you can find a list of Active Directory built-in Groups and Accounts:

Administrators

After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.

Domain Admins

A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

Enterprise Admins

A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.


You could also run the 'gpresult' command while logged onto the server as the user in question (if that is possible in this case).

You'll get a nice list of the groups they're a member of, including BUILTIN\Administrators.


Server local groups (such as a server's Administrators group) are not available via AD. You have to look in the Administrators group on the server. This post has a script that will enumerate the local admin group remotely.
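
An added example, not part of the original thread and not the script the answer above links to: a PowerShell sketch that reads a server's local Administrators group through the ADSI WinNT provider and follows nested groups such as Domain Admins, so you can see which group grants a user admin rights. `SERVER01` and `CORP\jsmith` are placeholders, and `Get-GroupMember` is a helper name defined here; run it from an admin workstation with rights to query the server.

```powershell
param(
    [string]$Computer = 'SERVER01',     # placeholder server name (assumption)
    [string]$User     = 'CORP\jsmith'   # placeholder DOMAIN\user to check (assumption)
)

# Helper defined for this example: emits every member of a group, recursing into
# nested groups and recording which group each member was found through.
function Get-GroupMember {
    param([string]$AdsPath, [string]$Via, [hashtable]$Seen)

    if ($Seen.ContainsKey($AdsPath)) { return }    # guard against circular nesting
    $Seen[$AdsPath] = $true

    try {
        $group   = [ADSI]"$AdsPath,group"
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        Write-Warning "Could not read $AdsPath : $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # WinNT://CORP/jsmith -> CORP\jsmith ; local accounts keep the computer name
        $name  = ($path -replace '^WinNT://', '') -replace '/', '\'

        New-Object PSObject -Property @{ Name = $name; Class = $class; Via = $Via }

        if ($class -eq 'Group') {
            Get-GroupMember -AdsPath $path -Via $name -Seen $Seen
        }
    }
}

$all = @(Get-GroupMember -AdsPath "WinNT://$Computer/Administrators" -Via 'Administrators' -Seen @{})
$all | Sort-Object Via, Name | Format-Table Name, Class, Via -AutoSize

# Report every path (direct or through a nested group) that gives the user admin rights.
$hit = @($all | Where-Object { $_.Class -eq 'User' -and $_.Name -eq $User })
if ($hit.Count) {
    "$User has admin rights on $Computer via: $(($hit | ForEach-Object { $_.Via }) -join ', ')"
} else {
    "$User was not found in the Administrators group on $Computer"
}
```

Members that cannot be resolved (for example accounts from a deleted or unreachable domain) show up as raw SIDs in the Name column, and groups that cannot be opened produce a warning instead of stopping the run.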