Temporary Admin Rights - How to???

    Question

  • Running an AD environment with Win 2008 R2 SP1 and clients with Win 7 SP1. Most of the clients are in the field, so they log in using cached domain credentials and then establish a VPN to gain access to the business LAN.

    Sometimes, I need to give users temporary administrator rights on their laptops. How can I do this through AD, given the fact that they are not 100% directly connected to the domain LAN??

    I've been thinking of applying a policy (GPO) to make the user Local Admin on his/her laptop. When the user connects the VPN, the GPO would get refreshed, but then, when the user is done and I remove the policy, if the user doesn't force a policy refresh he keeps Admin rights on that station as long as he remains disconnected from the VPN. Can I use some kind of expiration trick or something??

    Thanks in advance!!!

    Tuesday, November 01, 2011 4:43 PM

All replies

  • There are no built-in expiration controls.  You could write a script with controls that you define to remove an account based upon the rules you set.  You could use group policy and impose Restricted Groups settings to add and remove users from the admin group, but yes, you would need to have the local machine receive the policy from the domain.

    There is no simple solution for you.

    Restricted Groups:
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Scripting of Local Groups
    http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=localaccount&f%5B0%5D.Text=Local%20Account%20Management&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=groups&f%5B1%5D.Text=Groups

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, November 01, 2011 6:10 PM
    Moderator
  • Hello,

    > Sometimes, I need to give users temporary administrator rights on their laptops. How can I do this through AD, given the fact that they are not 100% directly connected to the domain LAN??

    There is no way other than scripting to give temporary administrative rights to users on their desktop.

    You can proceed as follows, if this helps you:

    • Create an account in AD and make it a member of the local admin group using Restricted Groups in Group Policy
    • Define the account as an account that expires after a certain time

    That way your user can use it as a local admin account for a certain period.

    Note that if a user is member of the local admin group then he will be able to add other accounts to this group or create local users and make them local admins.

    For scripting questions: http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    For group policy questions: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Edited by Mr XMVP Tuesday, November 01, 2011 8:19 PM
    Tuesday, November 01, 2011 7:39 PM
  • Hi,

    > Sometimes, I need to give users temporary administrator rights on their laptops. How can I do this through AD, given the fact that they are not 100% directly connected to the domain LAN??

    There is no expiration trick. You could use GPO or scripts, but it's not an easy solution because every time you need to do a link/unlink or a script execution.

    Can you please elaborate more: why are they restricted on their laptop? Which application, or why do they want admin rights sometimes?

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Tuesday, November 01, 2011 7:47 PM
  • > Hello,
    >
    > > Sometimes, I need to give users temporary administrator rights on their laptops. How can I do this through AD, given the fact that they are not 100% directly connected to the domain LAN??
    >
    > There is no way other than scripting to give temporary administrative rights to users on their desktop.
    >
    > You can proceed as follows, if this helps you:
    >
    > • Create an account in AD and make it a member of the local admin group using Restricted Groups in Group Policy
    > • Define the account as an account that expires after a certain user
    >
    > That way your user can use it as a local admin account for a certain period.
    >
    > Note that if a user is member of the local admin group then he will be able to add other accounts to this group or create local users and make them local admins.
    >
    > For scripting questions: http://social.technet.microsoft.com/Forums/en-US/ITCG/threads
    >
    > For group policy questions: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

    "Define the account as an account that expires after a certain user "

    Can you please explain this part better???

    Thank you.

    Tuesday, November 01, 2011 7:57 PM
  • > Hi,
    >
    > > Sometimes, I need to give users temporary administrator rights on their laptops. How can I do this through AD, given the fact that they are not 100% directly connected to the domain LAN??
    >
    > There is no expiration trick. You could use GPO or scripts, but it's not an easy solution because every time you need to do a link/unlink or a script execution.
    >
    > Can you please elaborate more: why are they restricted on their laptop? Which application, or why do they want admin rights sometimes?
    >
    > Regards,
    > Abhijit Waikar.

    • Enterprise managers requested they don't have admin rights on the corporate laptops.
    • Some applications indeed require admin rights to be installed (like setting up an Air Card)

    Thanks.

    Tuesday, November 01, 2011 7:57 PM
  • > "Define the account as an account that expires after a certain user "
    >
    > Can you please explain this part better???
    >
    > Thank you.

    I mean after a certain time. Sorry for the error. Check the AD user's properties and you will see that you can configure accounts to expire after a certain time.

    Microsoft Student Partner 2010 / 2011

    Tuesday, November 01, 2011 8:20 PM

  • > > "Define the account as an account that expires after a certain user "
    > >
    > > Can you please explain this part better???
    > >
    > > Thank you.
    >
    > I mean after a certain time. Sorry for the error. Check the AD user's properties and you will see that you can configure accounts to expire after a certain time.

    That's great, but ... what happens in the following situation:

    If my user sets up the tunnel (i.e., he gets access to the domain network), works with the "temporary admin account" (i.e., the credentials get cached) and then disconnects the tunnel, then during the time the tunnel is down he would still have admin rights even if, during that time, the admin account expires according to the configuration in AD.

    ??

    Thanks for your time.

    Tuesday, November 01, 2011 8:29 PM
  • Hi,

    The account will expire at next logon. And account expiration can be set to the end of a given day, not to hours, minutes and so on.

    After the account expires, you should create another account for the users.

    >Some applications indeed require admin rights to be installed

    To achieve this we could assign software to client computers.

    For details, please refer to the link as below:

    How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008

    http://support.microsoft.com/kb/816102

    Hope this helps.

    Best Regards,

    Yan Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, November 02, 2011 9:11 AM
    Moderator
  • Once an account expires the user can no longer authenticate.  I don't see this as a solution.

    Don't give the users admin control of their desktops and use a tool such as SCCM to push updates or make them bring them in.  All that you are going to do is make more work for yourself doing this, plus the users are probably going to get infected since most users can't control themselves when it comes to installing free stuff such as games or they browse to the wrong web site and get infected.  They will just have to be patient when it comes to installation, etc...

    Another option is also available to you, don't give them admin access but create a virtual desktop for them.  This will require they connect to the local machine and if they need something upgraded you can do it all from the data center.  Their desktops will have the base install and as things change they can get those services from you under control.

    We are moving towards a centralized, controlled, vdi infrastructure.  Management won't support additional admin folks so this is what they get and we just tell folks you will have to wait.

    --
    Paul Bergson
    MVP - Directory Services

    Wednesday, November 02, 2011 12:07 PM
    Moderator
  • I'm wondering if I could push some script to the user workstation through a GPO and make it run as administrator, without hard coding the admin credentials in the script. This way I could use the local admin account to put the user in the Local Admin group, then, with a scheduled task, remove the user from that group at a given date. Could that be feasible? That would work even after the user has left the domain network and is running "offline" (from a domain perspective).

    Right now we cannot afford a centralized solution. Besides, it wouldn't meet our needs.

    Thanks.

    Wednesday, November 02, 2011 2:42 PM
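    As an added example (not code from this thread or any of its posters), one way to script what the post above describes on Windows 7 / PowerShell 2.0: it assumes it is deployed as a GPO computer startup script (or a Group Policy Preferences scheduled task) so it runs as SYSTEM with no embedded admin credentials; the domain name, user and two-day window are placeholders.

```powershell
# Added example, not from this thread: grant a domain user temporary membership in
# the local Administrators group and schedule an unattended revocation. Meant to run
# as SYSTEM from a GPO computer startup script, so no admin password is stored.
# CONTOSO, jdoe and the 2-day window are placeholders.
param(
    [string]$Domain    = 'CONTOSO',              # placeholder NetBIOS domain name
    [string]$User      = 'jdoe',                 # placeholder user to elevate
    [datetime]$Expires = (Get-Date).AddDays(2)   # when the rights are revoked
)

if ($Expires -le (Get-Date)) { throw 'Expiry must be in the future.' }

$computer = $env:COMPUTERNAME
# The WinNT ADSI provider works on Windows 7 / PowerShell 2.0, which has no
# Add-LocalGroupMember cmdlet.
$adminGroup = [ADSI]"WinNT://$computer/Administrators,group"
$userPath   = "WinNT://$Domain/$User,user"

function Test-LocalAdminMember {
    # Returns $true if $User is already a direct member of local Administrators.
    $names = @($adminGroup.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    return ($names -contains $User)
}

if (-not (Test-LocalAdminMember)) { $adminGroup.Add($userPath) }

# Write the revocation script to a path without spaces (keeps schtasks quoting simple).
$scriptDir = Join-Path $env:ProgramData 'TempAdmin'
if (-not (Test-Path $scriptDir)) { New-Item -ItemType Directory -Path $scriptDir | Out-Null }
$revokeScript = Join-Path $scriptDir "Revoke-$User.ps1"
$taskName     = "TempAdmin-Revoke-$User"
@"
`$g = [ADSI]'WinNT://$computer/Administrators,group'
`$g.Remove('$userPath')
schtasks.exe /Delete /F /TN '$taskName'
"@ | Set-Content -Path $revokeScript -Encoding ASCII

# Revocation runs locally as SYSTEM at the chosen time, so it fires with no VPN,
# no domain connectivity and no GPO refresh. /SD uses the machine's short date
# format; adjust the pattern if the locale is not MM/dd/yyyy.
$startDate = $Expires.ToString('MM/dd/yyyy')
$startTime = $Expires.ToString('HH:mm')
schtasks.exe /Create /F /TN $taskName /RU SYSTEM /SC ONCE /SD $startDate /ST $startTime `
    /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $revokeScript"
```

    Two caveats: a one-shot task created with schtasks does not run on the next boot if the laptop was off at the scheduled time unless the "run task as soon as possible after a scheduled start is missed" setting is enabled in Task Scheduler, and since the user is a local admin in the meantime he can delete the task or the script (the same concern raised earlier about admins adding other accounts), so the Restricted Groups approach from the first reply is still worth applying to re-enforce membership once the machine next reaches the domain.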
  • Hi,

    It seems that a script is the best way to do that. If you have any issue running the script, please go to The Official Scripting Guys Forum for assistance:

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

    Best Regards,

    Yan Li


    Thursday, November 03, 2011 8:39 AM
    Moderator