grant temp admin rights

[mtupker]

This is probably a tall order. At a privious job I was at someone had developed a script to grant temporary local admin rights to a user. (for the purpose of allowing users to install software.)

I think the script was vbs based. I was just wondering if anyone had seen anything like this.

The only way I can come up to do this, in theory, is for a script to add the currently logged on user to the local admin group of the computer and at the same time create a scheduled task that will remove the rights in x amount of time.

There are some obvious flaws with this approach though. I also found this http://blogs.msdn.com/aaron_margosis...24/193721.aspx
but I haven't had time to look into it yet to see if it what I'm looking for.

Thanks.

[saundersmatt]

Surely you could just get the script to launch the setup routine using the runas command

ie

runas [credentials] setup.exe

Matt

[Ch3rub]

we found runas to be very simple and limited
we're using lsrunase which does allow to pass user/pass in encrypted format
more info:
http://www.moernaut.com/default.aspx?item=lsrunase

[plexer]

vbs here:

http://www.tek-tips.com/faqs.cfm?fid=2760

Ben

[mtupker]

Surely you could just get the script to launch the setup routine using the runas command

ie

runas [credentials] setup.exe

Matt

That would be one way to do software installs. However, I think that method will cause an installer to run under a different security context than the account that is logged in. (I've run into problems with that before with program installers that only install per user. It really depends on the application installer.) I'll investigate that option a little more though.

Currently, when we have a situation that required admin rights for installation under the security context of the user that is logged in, we have to that user out, login as an admin, grant that user admin rights, logout, have the user log back in and install the program, and then we would need to log back in to remove the admin rights.

I may just write something to do this as a desktop app. After thinking about it a little more, it's possible to query a computer the currently logged in AD username. That user could then be added to the local admin group. A logoff would be required. The admin rights for that user could then be removed using a computer startup script or through my previous idea of a scheduled task (or both).

Of course I may be making a relativly simple issue more complex than it needs to be.

[mrcrazy04]

Just one problem with a scheduled task - administrators can delete them!
This means you would still have to check that their admin rights are removed.

[PiqueABoo]

That user could then be added to the local admin group

Not by a desktop app running in the users context.. and if you've found some magic to make that desktop app run as local system or admin you shouldn't need to add anyone anywhere.

Personally, if that program couldn't be installed after repackaging as an MSI I'd be on to their support (probably asking for a refund). What is it BTW?

[mattx]

AutoIT allows this with the RunAsSet command:

RunAsSet("administrator", @ComputerName, "PASSWORD")
Run - WHAT EVER
RunAsSet()

I have used this sometimes to stop a service to run something etc...

Example:

SplashTextOn("aoe2", "Getting Ready To Launch Age Of Empires." & @CRLF & "Please Wait...", "350", "70", "-1", "-1", 3, "", "", "")
Sleep(3000)
BlockInput(1)
RunAsSet("administrator", @ComputerName, "PASSWORD")
Run(@ComSpec & ' /c net stop SharedAccess', '', @SW_HIDE)
RunAsSet()
Sleep(5000)
SplashOff()
BlockInput(0)

I don't like to use it, but its got me out of some sticky problems...

Hope that helps or gives you some pointers.

[mtupker]

Just one problem with a scheduled task - administrators can delete them!
This means you would still have to check that their admin rights are removed.

yeah I was considdering that. There really is no good way to do this without being able to hide the scheduled task. I suppose there could be a AD start up script that could reset admin rights to default at every computer bootup.

[mtupker]

Thank you everyone for all the input. I'm positive that something to do this could be setup but I don't think it could be done securely given the nature of what local admin rights gives a person.

If I ever do get something written I'll post my solution.

[eean]

AutoIT allows this with the RunAsSet command:

AutoIt would be better than a plain VBS script because you can compile it into an exe and encrypt the script in the process. Probably not 100% bullet proof but would stop the idle fiddler from RH clicking and viewing the script in notepad to get the admin password.

[plexer]

lsrunas has been superceeded by supercrypt.

http://www.moernaut.com/default.aspx?item=supercrypt

Just tried it with msixec and installing an msi and it works a treat.

I have a program that is specific to mfl and allocating msi's to laptops doesn't allways work but this way I can give them a library of stuff they can install themselves.

Ben

[PiqueABoo]

lsrunas has been superceeded by supercrypt.

Eww.. lsrunase has snake-oil for it's reusable password encryption. Supercrypt should be safer[1], but the name suggests otherwise. That's probably unfair but..

[1] Same principle as older "cpau" from joeware.net (which has a good caution on security limits in the FAQ)

FWIW you can write a command line "create process as user" util in fewer than 50 lines of dotNet2 (pick your language) which compiles to a ~ 5KB executable.

[harlock]

Hello everyone,

i was reading your comment and i am now looking for you help.
i am an idiot in coding but i search for a script tha will grant my Active Directory account to the group of the local machine administrator group.

i am workin in a firm where my AD account as limited rights, but for business i regularly need have the local machine admin rights.

i ask my IT guy, he is not able to give me this rights, because he can give me only AD admin rights, but it is against the policy.

everytime i have to do something i must log off from my AD account, relogin as local admin, manually grant my AD account to the local admin group, log off and relogin with my AD account.
this rights stay granted until i log off again (the company run a script that force all the right to respect the policy), unfortunatly i must do it everday.

i am now looking for a script that i would run from my AD account (clicking right and run as local admin) and that will automatically give the loacal admin right to my AD account.

does it makes sense for you? does somebody knows how to do it?

thank you for you help

harlock

[Lithium]

As memory serves you just need to be part of the AD Built-In "Administrators" Group...

I think...


The alternative is if you use just one machine, then he can use the computer management tool to remotely add you to the local Administrators group of that particular machine...