+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
Scripts Thread, grant temp admin rights in Coding and Web Development; This is probably a tall order. At a privious job I was at someone had developed a script to grant ...
  1. #1

    Join Date
    Apr 2007
    Location
    Cedar Rapids, Iowa
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    grant temp admin rights

    This is probably a tall order. At a privious job I was at someone had developed a script to grant temporary local admin rights to a user. (for the purpose of allowing users to install software.)

    I think the script was vbs based. I was just wondering if anyone had seen anything like this.

    The only way I can come up to do this, in theory, is for a script to add the currently logged on user to the local admin group of the computer and at the same time create a scheduled task that will remove the rights in x amount of time.

    There are some obvious flaws with this approach though. I also found this http://blogs.msdn.com/aaron_margosis...24/193721.aspx
    but I haven't had time to look into it yet to see if it what I'm looking for.

    Thanks.

  2. #2

    Join Date
    Jul 2005
    Location
    Rugby
    Posts
    432
    Thank Post
    17
    Thanked 66 Times in 61 Posts
    Rep Power
    35

    Re: grant temp admin rights

    Surely you could just get the script to launch the setup routine using the runas command

    ie

    runas [credentials] setup.exe

    Matt

  3. #3

    Join Date
    Jan 2007
    Location
    Bristol
    Posts
    18
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: grant temp admin rights

    we found runas to be very simple and limited
    we're using lsrunase which does allow to pass user/pass in encrypted format
    more info:
    http://www.moernaut.com/default.aspx?item=lsrunase

  4. #4

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,460
    Thank Post
    646
    Thanked 1,614 Times in 1,444 Posts
    Rep Power
    419

    Re: grant temp admin rights


  5. #5

    Join Date
    Apr 2007
    Location
    Cedar Rapids, Iowa
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: grant temp admin rights

    Quote Originally Posted by saundersmatt
    Surely you could just get the script to launch the setup routine using the runas command

    ie

    runas [credentials] setup.exe

    Matt
    That would be one way to do software installs. However, I think that method will cause an installer to run under a different security context than the account that is logged in. (I've run into problems with that before with program installers that only install per user. It really depends on the application installer.) I'll investigate that option a little more though.

    Currently, when we have a situation that required admin rights for installation under the security context of the user that is logged in, we have to that user out, login as an admin, grant that user admin rights, logout, have the user log back in and install the program, and then we would need to log back in to remove the admin rights.

    I may just write something to do this as a desktop app. After thinking about it a little more, it's possible to query a computer the currently logged in AD username. That user could then be added to the local admin group. A logoff would be required. The admin rights for that user could then be removed using a computer startup script or through my previous idea of a scheduled task (or both).

    Of course I may be making a relativly simple issue more complex than it needs to be.

  6. #6
    mrcrazy04's Avatar
    Join Date
    Nov 2006
    Location
    Bedfordshire/Cheltenham, UK
    Posts
    259
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    17

    Re: grant temp admin rights

    Just one problem with a scheduled task - administrators can delete them!
    This means you would still have to check that their admin rights are removed.

  7. #7

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115

    Re: grant temp admin rights

    That user could then be added to the local admin group
    Not by a desktop app running in the users context.. and if you've found some magic to make that desktop app run as local system or admin you shouldn't need to add anyone anywhere.

    Personally, if that program couldn't be installed after repackaging as an MSI I'd be on to their support (probably asking for a refund). What is it BTW?

  8. #8

    mattx's Avatar
    Join Date
    Jan 2007
    Posts
    9,240
    Thank Post
    1,058
    Thanked 1,068 Times in 625 Posts
    Rep Power
    740

    Re: grant temp admin rights

    AutoIT allows this with the RunAsSet command:

    RunAsSet("administrator", @ComputerName, "PASSWORD")
    Run - WHAT EVER
    RunAsSet()

    I have used this sometimes to stop a service to run something etc...

    Example:

    SplashTextOn("aoe2", "Getting Ready To Launch Age Of Empires." & @CRLF & "Please Wait...", "350", "70", "-1", "-1", 3, "", "", "")
    Sleep(3000)
    BlockInput(1)
    RunAsSet("administrator", @ComputerName, "PASSWORD")
    Run(@ComSpec & ' /c net stop SharedAccess', '', @SW_HIDE)
    RunAsSet()
    Sleep(5000)
    SplashOff()
    BlockInput(0)
    I don't like to use it, but its got me out of some sticky problems...

    Hope that helps or gives you some pointers.

  9. #9

    Join Date
    Apr 2007
    Location
    Cedar Rapids, Iowa
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: grant temp admin rights

    Quote Originally Posted by mrcrazy04
    Just one problem with a scheduled task - administrators can delete them!
    This means you would still have to check that their admin rights are removed.
    yeah I was considdering that. There really is no good way to do this without being able to hide the scheduled task. I suppose there could be a AD start up script that could reset admin rights to default at every computer bootup.

  10. #10

    Join Date
    Apr 2007
    Location
    Cedar Rapids, Iowa
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: grant temp admin rights

    Thank you everyone for all the input. I'm positive that something to do this could be setup but I don't think it could be done securely given the nature of what local admin rights gives a person.

    If I ever do get something written I'll post my solution.

  11. #11
    eean's Avatar
    Join Date
    May 2006
    Location
    Kuala Lumpur
    Posts
    559
    Thank Post
    65
    Thanked 52 Times in 37 Posts
    Rep Power
    29

    Re: grant temp admin rights

    Quote Originally Posted by mattx
    AutoIT allows this with the RunAsSet command:
    AutoIt would be better than a plain VBS script because you can compile it into an exe and encrypt the script in the process. Probably not 100% bullet proof but would stop the idle fiddler from RH clicking and viewing the script in notepad to get the admin password.

  12. #12

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,460
    Thank Post
    646
    Thanked 1,614 Times in 1,444 Posts
    Rep Power
    419

    Re: grant temp admin rights

    lsrunas has been superceeded by supercrypt.

    http://www.moernaut.com/default.aspx?item=supercrypt

    Just tried it with msixec and installing an msi and it works a treat.

    I have a program that is specific to mfl and allocating msi's to laptops doesn't allways work but this way I can give them a library of stuff they can install themselves.

    Ben

  13. #13

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115

    Re: grant temp admin rights

    lsrunas has been superceeded by supercrypt.
    Eww.. lsrunase has snake-oil for it's reusable password encryption. Supercrypt should be safer[1], but the name suggests otherwise. That's probably unfair but..

    [1] Same principle as older "cpau" from joeware.net (which has a good caution on security limits in the FAQ)

    FWIW you can write a command line "create process as user" util in fewer than 50 lines of dotNet2 (pick your language) which compiles to a ~ 5KB executable.

  14. #14

    Join Date
    Sep 2007
    Posts
    2
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: grant temp admin rights

    Hello everyone,

    i was reading your comment and i am now looking for you help.
    i am an idiot in coding but i search for a script tha will grant my Active Directory account to the group of the local machine administrator group.

    i am workin in a firm where my AD account as limited rights, but for business i regularly need have the local machine admin rights.

    i ask my IT guy, he is not able to give me this rights, because he can give me only AD admin rights, but it is against the policy.

    everytime i have to do something i must log off from my AD account, relogin as local admin, manually grant my AD account to the local admin group, log off and relogin with my AD account.
    this rights stay granted until i log off again (the company run a script that force all the right to respect the policy), unfortunatly i must do it everday.

    i am now looking for a script that i would run from my AD account (clicking right and run as local admin) and that will automatically give the loacal admin right to my AD account.

    does it makes sense for you? does somebody knows how to do it?

    thank you for you help

    harlock

  15. #15

    Join Date
    Jul 2007
    Location
    Devon
    Posts
    233
    Thank Post
    8
    Thanked 9 Times in 8 Posts
    Rep Power
    16

    Re: grant temp admin rights

    As memory serves you just need to be part of the AD Built-In "Administrators" Group...

    I think...


    The alternative is if you use just one machine, then he can use the computer management tool to remotely add you to the local Administrators group of that particular machine...

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 11
    Last Post: 20th February 2008, 10:14 AM
  2. Temp data entry/admin job, must have CRB based in Bath
    By SpecialAgent in forum Educational IT Jobs
    Replies: 0
    Last Post: 25th October 2007, 11:00 AM
  3. Connection Fails Without Admin Rights
    By MrDylan in forum ICT KS3 SATS Tests
    Replies: 8
    Last Post: 12th May 2006, 12:23 PM
  4. Assistant Network Managers admin rights.
    By tosca925 in forum How do you do....it?
    Replies: 11
    Last Post: 8th December 2005, 01:32 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •