Script to temporarily elevate the admin rights of a local user

Hi Friends

I believe this topic was already discussed; however, I could not find a solution. Please help.

I need a script (VB/PowerShell/bat etc.) which will run for the local user with admin privilege (I will package it and make it available in the application store / Software Center (SCCM 2012); it will run with admin rights on the local computer) and grant admin privilege to the local user for 24 hours.

My previous org had the same; however, the source is a .exe file, so I am not very sure if they converted the script to an exe for privacy.

Thank you

Tanoj

November 27th, 2014 4:09am

Why do you want to do that? What's the business case behind it?
November 27th, 2014 6:55am

Hi Torsten,

We do not know the business case behind it as of now.

However, I believe it is to grant a local user temporary admin rights on a permission basis.

We had a similar package in my previous org, which was stored in the application store (self-service + SCCM 2012).

Regards,

Tanoj

November 27th, 2014 9:03am

Ok, I'll bite: why bother doing something if there is no business case? This sounds like a make-work project.
November 27th, 2014 11:41am

While I have seen others do this, I will go further than saying that this is a waste of time and say this is a terrible thing to do. Users with admin permissions, no matter how short the duration, expose their system and your network to all sorts of nastiness. If you haven't heard of or read about pass the hash, you need to go look it up right now.
November 27th, 2014 11:53pm

Thank you for your suggestion,

We have a test domain, and I would like to use this here.

Can anyone help me with a script which will run on the local machine via SCCM and grant local admin privilege for 24 hours?

Regards

Tanoj

November 28th, 2014 7:45am

There's nothing built-in that could do that, unfortunately. You would have to create your own solution.
November 28th, 2014 8:06am

Hi,

Adds/Deletes a global group name or user name to a local group.

net localgroup [GroupName name [ ...] {/add | /delete} [/domain]]

Reference:

Net localgroup

http://technet.microsoft.com/en-us/library/bb490706.aspx

November 28th, 2014 8:17am

To add on: I think something like this is a lot easier to achieve with something like Orchestrator. With ConfigMgr it will be a pain to create something like this, especially the timing part. You could use a scheduled task for removing the membership again, but my preference would be something like Orchestrator.
November 28th, 2014 8:24am

Hi Peter,

Thank you and all for your replies,

Could you please help me with the steps to achieve this task with Orchestrator? I believe the first step will be to integrate Orchestrator with SCCM 2012 R2?

Regards

Tanoj

December 1st, 2014 4:08am

To give you an idea, have a look at the following link: http://contoso.se/blog/?p=3807

This is a very extensive example, including the use of service manager, but it does a very good job of showing the possibilities.

December 1st, 2014 6:49am

Hi Peter

Thank you for the reply and suggestion. I have a question:

Do we have to add the user requesting permissions to a group in Active Directory to grant him admin rights,

or

if we add the user to the "Administrators" group on his local computer, does this do the job too?

I mean, does it have to be done through AD, or can it be achieved via client-side changes too?

Regards

Tanoj

December 1st, 2014 7:18am

It's just an example of how you could do that via Orchestrator, but there are many ways to achieve similar things. Yes, you could also add the user directly to the local administrator group, but that could be a custom (scripting) activity.
December 1st, 2014 8:25am

I am using the below script (PowerShell) to write out the logged-in user:

whoami | out-file C:\username.txt
Start-Sleep -s 10

The command line is: Powershell.exe -executionpolicy Bypass -file .\Username.ps1

If this is executed as an individual package it gives an error: access to the path C:\username.txt is denied.

If I change the Run Mode to "Run with administrative rights", it does the same.

If I add the same package in a task sequence it does write out; however, it writes "nt authority\system" in the txt file instead of the logged-in user name.

If I run the package as a command line in a task sequence giving admin account details, it writes out my admin details in the txt file.

Tried using a VB script too; it does the same.

My requirement is that the script should run locally and write out the currently logged-in user to the txt file.

Regards

Tanoj

December 2nd, 2014 9:28am

Not sure how we suddenly ended up with a small script like that, but it sounds like a permissions issue. To make that script write the user information, you need to run it with the user's rights. To make that a successful action, you should write the text file to a location that the user has access to.
December 2nd, 2014 10:18am
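The permissions issue above has two halves: the package runs as NT AUTHORITY\SYSTEM, so whoami truthfully reports SYSTEM, and a standard user cannot write to the root of C:. The following script is an added example, not the thread's Username.ps1, and shows the distinction by recording both the account running the script and the account that owns the console session. The output path %ProgramData%\ElevateMe\username.txt and the folder name are assumptions for this example.

```powershell
# Added example (not the thread's Username.ps1). whoami reports the account running the
# script, which under a ConfigMgr deployment is SYSTEM. The console session owner is read
# from Win32_ComputerSystem instead.
# Assumed output path: %ProgramData%\ElevateMe\username.txt (SYSTEM can write it and
# standard users can read it, unlike C:\ which a standard user cannot write to).

$LogDir  = Join-Path $env:ProgramData 'ElevateMe'
$LogFile = Join-Path $LogDir 'username.txt'
if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }

$runningAs   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # same value whoami prints
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName         # DOMAIN\user at the console, $null if none

if (-not $consoleUser) {
    # No console logon (for example an RDP-only session): fall back to the owner of explorer.exe.
    $explorer = Get-CimInstance -ClassName Win32_Process -Filter "Name='explorer.exe'" | Select-Object -First 1
    if ($explorer) {
        $owner = Invoke-CimMethod -InputObject $explorer -MethodName GetOwner
        if ($owner.ReturnValue -eq 0) { $consoleUser = "$($owner.Domain)\$($owner.User)" }
    }
}
if (-not $consoleUser) { $consoleUser = '<no interactive user>' }

# One tab-separated line per run, appended so repeated runs can be compared.
"{0}`tRunningAs={1}`tLoggedOnUser={2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $runningAs, $consoleUser |
    Out-File -FilePath $LogFile -Append -Encoding utf8
```

Deployed with "Run with administrative rights" the line shows RunningAs=NT AUTHORITY\SYSTEM next to the real console user; run directly by the user, both columns show the same name. Whichever deployment type is used, the script never needs the user's own rights to learn who is logged on.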

Hi,

So far I have managed to add the logged-on user to the "Administrators" group when he runs the "Elevateme" package (PowerShell script) from Software Center.

The next challenge is how to revoke the admin rights after 24 hours.

1. Can we use a time stamp? Is it a reliable method?

2. Another way which came to my mind is: whenever the script (Elevateme) runs on the client computer, it will simultaneously write a txt file on the server (share folder) which will have the date, hostname and username.

Then make another script which will read this txt file every 6 hours and revoke admin rights if their time limit is complete.

3. Create a configuration item to check if admin rights are there and run an auto-remediation rule to remove admin rights? But what if the CI runs on the same day after some time; is there a way to make it run only once in the morning etc.?

Please pour in your ideas

Thank you

Regards

December 3rd, 2014 2:58pm

What about modifying the script so it creates a scheduled task that will run in 24 hours and remove the user from the group again?
December 3rd, 2014 3:15pm

Remember though that simply removing the user from the group does not remove their admin permissions -- they also have to log out to have their token refreshed. Just another reason why this is a bad idea.
December 3rd, 2014 5:15pm

they also have to log out to have their token refreshed.

Thanks for your input Jason, I can add a step in the script which will log out the user after a countdown of 5 minutes or so.
December 4th, 2014 3:49am
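The three points raised in this part of the thread (the scheduled-task revoke, the token that keeps its Administrators SID until logoff, and the countdown before logging the user off) fit into one script. The block below is an added example, not the thread's "Elevateme" package. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks cmdlets), a 24-hour window, and the made-up names ElevateMe (event log source), ElevateMe-Revoke (task name) and HKLM:\SOFTWARE\ElevateMe\Grants (expiry record).

```powershell
# Added example (not the thread's "Elevateme" package). Runs as SYSTEM from Software Center.
# Assumptions: Windows 8 / Server 2012 or later (ScheduledTasks module), a 24-hour window,
# and the made-up names ElevateMe, ElevateMe-Revoke and HKLM:\SOFTWARE\ElevateMe\Grants.

$Hours      = 24
$Group      = 'Administrators'
$Source     = 'ElevateMe'
$TaskName   = 'ElevateMe-Revoke'
$GrantKey   = 'HKLM:\SOFTWARE\ElevateMe\Grants'
$ScriptDir  = Join-Path $env:ProgramData 'ElevateMe'
$RevokePath = Join-Path $ScriptDir 'Revoke.ps1'

# Under SYSTEM, whoami returns "nt authority\system"; the console session owner is the target.
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $user) { throw 'No interactive user is logged on; nothing to elevate.' }
$expiry = (Get-Date).AddHours($Hours)

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) { New-EventLog -LogName Application -Source $Source }
if (-not (Test-Path $ScriptDir)) { New-Item -Path $ScriptDir -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $GrantKey))  { New-Item -Path $GrantKey -Force | Out-Null }

# 1. Grant with the command the thread already references, record the expiry, and audit it.
& net localgroup $Group "$user" /add | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net localgroup returned $LASTEXITCODE" }
Set-ItemProperty -Path $GrantKey -Name $user -Value $expiry.ToString('o')
Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType Information `
    -Message "Granted $Group to $user until $expiry"

# 2. Revoke script. Removing the membership does not change a logon token that already
#    holds the Administrators SID, so the session is warned and then logged off.
$RevokeScript = @'
param([string]$User, [string]$Group, [string]$Source, [string]$TaskName, [string]$GrantKey)
& net localgroup $Group "$User" /delete | Out-Null
Remove-ItemProperty -Path $GrantKey -Name $User -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source $Source -EventId 1002 -EntryType Information `
    -Message "Revoked $Group from $User (net exit code $LASTEXITCODE)"
# The user's interactive session id(s) come from the owner of explorer.exe.
$sessions = Get-CimInstance -ClassName Win32_Process -Filter "Name='explorer.exe'" | Where-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    "$($o.Domain)\$($o.User)" -eq $User
} | Select-Object -ExpandProperty SessionId -Unique
foreach ($id in $sessions) {
    & msg.exe $id /TIME:300 "Your temporary administrator rights have ended. You will be logged off in 5 minutes so your token is refreshed."
    Start-Sleep -Seconds 300
    & logoff.exe $id
}
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
'@
Set-Content -Path $RevokePath -Value $RevokeScript -Encoding ASCII

# 3. One-shot task as SYSTEM; StartWhenAvailable runs it at next boot if the PC was off at $expiry.
$argList   = "-NoProfile -ExecutionPolicy Bypass -File `"$RevokePath`" -User `"$user`" -Group $Group -Source $Source -TaskName $TaskName -GrantKey `"$GrantKey`""
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argList
$trigger   = New-ScheduledTaskTrigger -Once -At $expiry
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null
# While elevated the user is able to delete this task or edit Revoke.ps1, which is why the
# expiry is also written to the registry record above for a check that runs from outside it.
```

Both the grant and the revoke land in the Application log under the ElevateMe source, so the time each user spent elevated can be reconciled centrally. The 5-minute countdown and forced logoff implement the token-refresh point from the thread; without the logoff the user keeps administrative access in the current session even after net localgroup has removed them.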

Hi Friends,

The application should need to ask for approval every time a user wants to install it through the software catalog. How do I achieve this task?

Regards

Tanoj

December 5th, 2014 5:05am

If you're determined to give the North Koreans or Russian mob another attack vector, you can do this: http://www.billamoore.com/2014/11/06/administrator/
December 6th, 2014 2:55am

Hi,

I am trying to work on revoking the admin rights and I got the below idea. Please pour in your thoughts on whether this is good and will make the whole script independent/standalone (a single script will grant and revoke admin rights):

"A PowerShell script (script A) will be deployed to the end user computer, and it should set up a scheduled task to run another PowerShell script (script B) at a periodic interval (every 6 hours)."

Then I will club both the admin rights granting script and the task scheduler script into one script.

Thank you

March 10th, 2015 2:07am

Well ... the user is admin for 6 hours then. He/she could delete the scheduled task (that removes the admin rights) in that timeframe. 
March 10th, 2015 2:52am
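Torsten's objection applies to any revoke mechanism that lives only on the client while the user is an administrator. Tanoj's own option 3 earlier in the thread, a configuration item with auto-remediation, avoids the "once a day" timing question if each grant carries an expiry stamp: the CI can be evaluated as often as the baseline schedule allows and only removes grants whose stamp has passed. The block below is an added example, not the thread's scripts, written as the discovery and remediation halves of such a CI. It assumes the grant script records each grant as a value under HKLM:\SOFTWARE\ElevateMe\Grants (name = DOMAIN\user, data = expiry in round-trip "o" format) and that the permanent members listed in $Baseline are the only ones allowed without a record; both names are made up for this example.

```powershell
# Added example (not from the thread). Discovery and remediation scripts for a ConfigMgr
# configuration item that removes Administrators members whose grant has expired.
# Assumptions: grant records under HKLM:\SOFTWARE\ElevateMe\Grants (name = DOMAIN\user,
# data = expiry in "o" format) and the permanent members in $Baseline; both are made up here.

$GrantKey = 'HKLM:\SOFTWARE\ElevateMe\Grants'
$Baseline = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')   # assumed permanent members

# Enumerate local Administrators as DOMAIN\name via ADSI (works on PowerShell 2.0;
# Get-LocalGroupMember needs 5.1).
function Get-AdminMembers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)   # e.g. WinNT://CONTOSO/jdoe
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Members that are neither baseline nor covered by an unexpired grant record.
function Get-UnauthorizedAdmins {
    $now    = Get-Date
    $grants = if (Test-Path $GrantKey) { Get-ItemProperty -Path $GrantKey } else { $null }
    foreach ($member in Get-AdminMembers) {
        if ($Baseline -contains $member) { continue }
        $record = if ($grants) { $grants.PSObject.Properties[$member] } else { $null }
        if (-not $record -or [datetime]$record.Value -lt $now) { $member }   # no record, or expired
    }
}

# --- Discovery script (CI setting type Script, data type String; rule: value equals 'Compliant') ---
function Invoke-Discovery {
    if (@(Get-UnauthorizedAdmins).Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
}

# --- Remediation script (runs as SYSTEM when the rule reports non-compliant) ---
function Invoke-Remediation {
    foreach ($member in Get-UnauthorizedAdmins) {
        & net localgroup Administrators "$member" /delete | Out-Null
        if (Test-Path $GrantKey) { Remove-ItemProperty -Path $GrantKey -Name $member -ErrorAction SilentlyContinue }
        Write-Output "Removed $member from Administrators"
    }
}

Invoke-Discovery
```

In the console the two halves are pasted as separate scripts, so the two helper functions go into each. Because the baseline is assigned from the site server and re-evaluated on the client's schedule, a user who deletes a local scheduled task during their window shows up as non-compliant at the next evaluation and is remediated, and the compliance report gives the central record of who stayed elevated longer than their stamp allowed.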
