Script to Temporarily Elevate the Admin Rights of a Local User
I believe this topic was already discussed; however, I could not find a solution. Please help.
I need a script (VB/PowerShell/bat etc.) which will run on the local user's machine with admin privileges (it will be packaged and made available in the application store / Software Center (SCCM 2012), and it will run with admin rights on the local computer) and grant admin privileges
to the local user for 24 hours.
My previous org had the same; however, the source is a .exe file, so I'm not very sure if they converted the script to an exe for privacy.
November 27th, 2014 4:09am
November 27th, 2014 6:51am
Why do you want to do that? What's the business case behind it?
November 27th, 2014 6:55am
We do not know what the business case behind it is as of now.
However, I believe it is to grant the local user temporary admin rights on a permission basis.
We had a similar package in the previous org, which was stored in the application store (self service + SCCM 2012).
November 27th, 2014 9:03am
Ok, I will bite: why bother doing something if there is no business case? This sounds like a make-work project.
November 27th, 2014 11:41am
While I have seen others do this, I will go further than saying that this is a waste of time and say this is a terrible thing to do. Users with admin permissions, no matter how short the duration, expose their system and your network to all sorts
of nastiness. If you haven't heard of or read about pass the hash, you need to go look it up right now.
November 27th, 2014 11:53pm
Thank you for your suggestion.
We have a test domain, and I would like to use this there.
Can anyone help me with a script which will run on the local machine via SCCM and grant local admin privileges for 24 hours?
November 28th, 2014 7:45am
There's nothing built-in that could do that, unfortunately. You would have to create your own solution.
November 28th, 2014 8:06am
To add on, I think something like this is a lot easier to achieve with something like Orchestrator. With ConfigMgr it will be a pain to create something like this, especially the timing part. You could use a scheduled task for removing the membership
again, but my preference would be something like Orchestrator.
November 28th, 2014 8:24am
Thank you and all for your replies.
Could you please help me with steps to achieve this task with Orchestrator? I believe the first step will be to integrate Orchestrator with SCCM 2012 R2?
December 1st, 2014 4:08am
To give you an idea, have a look at the following link:
This is a very extensive example, including the use of service manager, but it does a very good job of showing the possibilities.
December 1st, 2014 6:49am
Thank you for the reply and suggestion. I have a question:
Do we have to add the user requesting permissions to a group in Active Directory to grant him admin rights?
If we add the user to the "Administrators" group on his local computer, does this do the job too?
I mean, does it have to be done through AD, or can it be achieved via client-side changes too?
December 1st, 2014 7:18am
It's just an example of how you could do that via Orchestrator, but there are many ways to achieve similar things. Yes, you could also add the user directly to the local administrator group, but that could be a custom (scripting) activity.
December 1st, 2014 8:25am
I am using the below script (PowerShell) to write out the logged-in user:
# whoami reports the account running this script (NT AUTHORITY\SYSTEM under SCCM), not the console user;
# writing to the root of C:\ also requires admin rights.
whoami | Out-File C:\username.txt
Start-Sleep -Seconds 10
The command line is: Powershell.exe -executionpolicy Bypass -file .\Username.ps1
If this is executed as an individual package, it gives an error that access to the path C:\username.txt is denied.
If I change the Run Mode to "Run with administrative rights", it does the same.
If I add the same package to a task sequence, it does write out; however, it writes "nt authority\system" in the txt file instead of the logged-in user name.
If I run the package as a command line in a task sequence, giving admin account details, it writes out my admin details in the txt file.
Tried using a VB script too; it does the same.
My requirement is that the script should run locally and write out the currently logged-in user to the txt file.
December 2nd, 2014 9:28am
Not sure how you suddenly ended up with a small script like that, but it sounds like a permissions issue. To make that script write the user information, you need to run it with the user's rights. To make that a successful action, you should write the text file
to a location that the user has access to.
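An added example, not from this thread, showing the difference between the account the package runs as and the interactively logged-on user, and writing the result to a folder that can be created without admin rights. The Win32_ComputerSystem lookup and the ProgramData\ElevateMe location are my assumptions, not something the thread specifies.

```powershell
# Added example (not from the thread). Run from Software Center as SYSTEM,
# whoami reports the process identity, not the person at the console.
$runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Win32_ComputerSystem.UserName is the console session's DOMAIN\user even
# when the script itself runs as SYSTEM; it is empty if nobody is logged on.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

if ([string]::IsNullOrEmpty($consoleUser)) {
    Write-Warning 'No interactive user logged on; nothing to record.'
    exit 1
}

# Assumed log location: the root of C:\ needs admin rights to write, which is
# why the package fails when it runs as the user, so use ProgramData instead.
$logDir = Join-Path $env:ProgramData 'ElevateMe'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

[pscustomobject]@{
    Timestamp   = (Get-Date).ToString('o')
    Computer    = $env:COMPUTERNAME
    RunningAs   = $runningAs      # e.g. NT AUTHORITY\SYSTEM
    ConsoleUser = $consoleUser    # e.g. CONTOSO\jdoe (constructed sample)
} | Export-Csv -Path (Join-Path $logDir 'username.csv') -Append -NoTypeInformation
```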
December 2nd, 2014 10:18am
So far I have achieved adding the logged-on user to the "Administrators" group when he runs the "Elevateme" package (PowerShell script) from Software Center.
The next challenge is how to revoke the admin rights after 24 hours?
1. Can we use a time stamp? Is it a reliable method?
2. Another way which came to my mind is: whenever the script (Elevateme) runs on the client computer, it simultaneously writes a txt file on the server (share folder) which will contain the date, hostname and username.
Then make another script which reads this txt file every 6 hours and revokes admin rights if their time limit is up?
3. Create a configuration item to check if admin rights are there and run an auto-remediation rule to remove the admin rights? But what if the CI runs on the same day after some time; is there a way to have it run only once in the morning etc.?
Please pour in your ideas.
December 3rd, 2014 2:58pm
What about modifying the script so it creates a scheduled task that will run in 24 hours and remove the user from the group again?
December 3rd, 2014 3:15pm
Remember though that simply removing the user from the group does not remove their admin permissions -- they also have to log out to have their token refreshed. Just another reason why this is a bad idea.
December 3rd, 2014 5:15pm
they also have to log out to have their token refreshed.
Thanks for your input Jason. I can add a step in the script which will log the user out after a countdown of 5 minutes or so.
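An added example, not from this thread, that ties together the three points above: add the console user to the local Administrators group, register a one-shot scheduled task running as SYSTEM that removes the membership after 24 hours, and then log the session off, because the live logon token keeps the Administrators SID until logoff. It assumes PowerShell 4 or later (ScheduledTasks module), a ProgramData folder of my choosing, and that msg.exe is present (it is missing on some client editions).

```powershell
# Added example (not from the thread). Run as SYSTEM from Software Center.
$hours       = 24
$consoleUser = (Get-CimInstance Win32_ComputerSystem).UserName
if (-not $consoleUser) { throw 'No interactive user logged on.' }

# Assumed location for the revoke script and an audit record. A local admin
# can delete a local task or log, so mirror this record to a server share.
$dir = Join-Path $env:ProgramData 'ElevateMe'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
"$((Get-Date).ToString('o')),$env:COMPUTERNAME,$consoleUser" |
    Add-Content -Path (Join-Path $dir 'grants.log')

# Grant membership (net.exe works on every supported Windows version).
net localgroup Administrators "$consoleUser" /add | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add $consoleUser to Administrators" }

$taskName     = 'ElevateMe-Revoke-' + ($consoleUser -replace '[\\/:]', '_')
$revokeScript = Join-Path $dir 'Revoke.ps1'

# The revoke script; `$ keeps those variables literal until revoke time.
@"
net localgroup Administrators '$consoleUser' /delete
# Dropping the membership leaves the live logon token unchanged, so warn
# for 5 minutes, then end the console session to discard that token.
`$sid = (Get-CimInstance Win32_Process -Filter "Name='explorer.exe'" |
        Select-Object -First 1).SessionId
if (`$sid) {
    msg.exe * /TIME:300 'Temporary admin rights expire in 5 minutes. Save your work.'
    Start-Sleep -Seconds 300
    logoff.exe `$sid
}
Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false
"@ | Set-Content -Path $revokeScript

# One-shot task, running as SYSTEM, $hours from now.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$revokeScript`""
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours($hours)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
             -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null
```

The task and the revoke script live on a machine where the user is, for those 24 hours, an administrator, so the server-side record is the only copy the user cannot tamper with.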
December 4th, 2014 3:49am
The application should ask for approval every time a user wants to install it through the software catalog. How do I achieve this?
December 5th, 2014 5:05am
If you're determined to give the North Koreans or Russian mob another attack vector, you can do this: http://www.billamoore.com/2014/11/06/administrator/
December 6th, 2014 2:55am
I am trying to work on revoking the admin rights and I got the below idea. Please pour in your thoughts on whether this is good and will make the whole script independent/standalone (a single script will grant and revoke admin rights):
"A PowerShell script (script A) will be deployed to the end user's computer, and it should set up a scheduled task to run another PowerShell script (script B) at a periodic interval (every 6 hours)."
Then I will club both the admin rights granting script and the task scheduler script into one script.
March 10th, 2015 2:07am
Well... the user is admin for 6 hours then. He/she could delete the scheduled task (that removes the admin rights) in that timeframe.
March 10th, 2015 2:52am