Manage local administrators


Hi,

Does anyone know an application (free or commercial) for managing local administrators on a Windows 7/8 machine? I know this can be managed via GPO, but what about mobile users?

E.g., if someone calls from Japan saying he is in a meeting room and needs temporary admin permissions to install something, it would be good to be able to let him have it. Maybe something like a self-enrollment. Is anyone familiar with any such tool?

Thanks very much,

Odom


Here is your scenario:

User: "I need local admin rights to install...uh..some business critical application on my laptop"

(incompetent) IT: "Sure, <gives admin rights> Just log off and on again and you'll have permissions. Let us know when you're done so we can remove it"

[Months pass]

User: "Uh, my laptop is really slow and keeps crashing..."

IT: "Oh yes... you had admin rights, I take it you're finished now you've installed itunes, kazaa, emule++, confickr, zeus, Super fantastic mega anti spyware removal 2015, bonzi buddy, ask toolbar, and every other form of crapware in existence?"

One thing I've learned in my years of IT Support, NEVER EVER give a user admin rights (unless being supervised by a competent IT analyst).

Generally, all software should be managed by IT. It's controlled and secure. Otherwise, it WILL bite you in the ass. And if you're the one who gave a user admin rights, you'll be held accountable for damages.

But if you really must give a user admin rights, use GPO to add a domain security group to the local administrators group and manage access to that security group from AD and review it DAILY.

If they're off the network, tough.


Hi,

Thanks for the tips. I am fully aware of the risks and how to do it via GPO. That is why I asked if anyone knew of an application that would allow for this scenario. For instance, the user can invoke this tool to grant himself local admin permissions for a certain amount of time, after which the permissions will be removed again. This would also be centrally stored and reviewed.

The tool doesn't have to work exactly this way, I am just wondering if anyone has any experience and knows of tools that would allow something like this.


I like the idea, though I doubt such an application exists.

If a standard user logs in and is added to the local admin group, they aren't granted those rights straight away. They will have to log out and in again for the access token to update.

Same as if they have admin rights - the app would have to force a logoff after this time limit to revoke the access token. Forcing people to log off usually upsets people.

Saying that though, an adept PowerShell scriptwriter might be able to put something together.

  • Add user to local admin (using SYSTEM account somehow)
  • Set a scheduled task to re-run the script in reverse in [20/30/60 minutes]
  • Prompt the user they have 2min to save their ###### before getting logged off
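The three steps listed in the post above, written out as an added example; it is not code from any poster in this thread or from the in-house tool mentioned later. The script name, task name and event source are hypothetical, and it assumes Windows PowerShell 5.1 plus the ScheduledTasks module (Windows 8 or later) and an edition that ships msg.exe.

```powershell
#Requires -RunAsAdministrator
# Grant-TempAdmin.ps1 (hypothetical name). Run by IT tooling or a SYSTEM agent, never by the user.
# Keep this file where only Administrators can write: the revoke task executes it as SYSTEM,
# so a user-writable copy would be a privilege-escalation path.
param(
    [Parameter(Mandatory)][string]$User,      # DOMAIN\name, as shown by whoami
    [ValidateRange(5, 240)][int]$Minutes = 30,
    [switch]$Revoke
)
$AdminSid = 'S-1-5-32-544'                    # BUILTIN\Administrators, independent of OS language
$TaskName = 'TempAdmin-Revoke-' + ($User -replace '[^\w]', '_')
$Source   = 'TempAdmin'                       # hypothetical event source used as the audit trail
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

if (-not $Revoke) {
    Add-LocalGroupMember -SID $AdminSid -Member $User -ErrorAction Stop
    # Schedule the reverse run locally as SYSTEM: it needs no network and the user cannot edit it.
    $arg       = '-NoProfile -File "{0}" -User "{1}" -Revoke' -f $PSCommandPath, $User
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arg
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable   # fires late if the laptop was asleep
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information `
        -Message "Granted local admin to $User for $Minutes minutes"
    return
}

# Revoke path: remove the membership first, then end the session, because the
# token issued at logon keeps its admin rights until the user logs off.
try   { Remove-LocalGroupMember -SID $AdminSid -Member $User -ErrorAction Stop; $result = 'Revoked' }
catch { $result = "Revoke FAILED: $($_.Exception.Message)" }
Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType Warning `
    -Message "$result local admin for $User"

$sessions = Get-Process -Name explorer -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object UserName -eq $User | Select-Object -ExpandProperty SessionId -Unique
foreach ($id in $sessions) {
    msg.exe $id /TIME:120 'Temporary admin rights have expired. Save your work: logoff in 2 minutes.'
}
if ($sessions) { Start-Sleep -Seconds 120; $sessions | ForEach-Object { logoff.exe $_ } }
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
```

The Application-log events 1000 and 1001 give the reviewable record asked for earlier in the thread; forwarding them to a central collector is left out here.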

If a program needs elevated privileges we use a program called "sudo", so once set up you right-click the icon and click sudo, then it prompts you for your Windows password. Enter it and it runs it as admin.


We have such a system at my place of work, where we allocate ourselves admin rights for a period of time, from hours up to 30 days.

It is subject to auditing by our IT department, and if you're caught installing anything which does not comply with company policy you're in deep doodoo.

I can't find any details on it, it looks very bespoke. I will say it works well, and it's freed up our service desk to work on real issues.

If I find out more details about it, I'll report back.

Hi,

That kind of application is exactly what I am looking for. We could also build in an admin account (local) and if need be give the user the password. But this is impractical, as once the password is out it spreads quickly, and constantly having to reset it is also not practical. Such systems have too much overhead.

@mps69

It would be great if you could give me more information on that tool.

Thanks

Odom


  • 2 weeks later...

After having to wait for my contact to come back from holiday, I've found out this is, as I suspected, an ad-hoc bit of software built in-house for us.

Unfortunately I don't have access to this team.

All I do know is it was built using PowerShell scripting... if that helps in any way.

I think what this does prove is that it can be done.

Sorry I can't be any more help at this time.
