Temporarily Elevate User Account Privileges

  • Question

  • Hi, I'm in IT helpdesk and a problem I'm yet to find a workaround for is as follows: My users log on to a domain and are all members of the Power Users group, all running Windows XP SP3. As such, they cannot change, say, their network (IP) settings when at a client's premises or elsewhere to send out email etc. Is there a way you can give admin privileges for, say, a minute, without revealing your elevated helpdesk password when they're away from the office?
    Tuesday, March 23, 2010 6:13 AM

Answers

  • If I understand you correctly  - because your users are off-network at the time they need to elevate their priv's you have no control over the local admin account.

    For example you'd like to be able to change it temporarily, allow them to do what they need to, and then reset it to something only you know (without them being able to maintain elevation by creating new local accounts etc!)

    As Kevin says this is a common problem, but I really wouldn't advocate giving the users local admin permissions on XP - without the UAC features of Vista / 7, it's just too big a risk if they can connect to any network they like.

    From what you've said I'm guessing that your mobile devices are configured with static IPs, because if DHCP they would automatically hop to the new network as required.

    If they are static IPs I would suggest a solution would be to engineer a custom executable that would reconfigure the network settings as required (i.e. static details or DHCP). I would embed admin credentials within this program, and also embed an additional one-time password (that would be supplied by the helpdesk) in order for it to execute. The one-time password could be based on the current time & machine name, for example.

    If however you're happy for your users to reconfigure their network settings on demand, then forget the one-time password aspect - just provide an executable that presents them with network reconfiguration options (with admin credentials embedded), and allow them to run it on demand. Far less risky than giving them full admin over the machine!

    Cheers

    • Proposed as answer by Douks Friday, April 2, 2010 8:06 PM
    • Marked as answer by Kevin Remde Sunday, April 11, 2010 1:09 PM
    Friday, April 2, 2010 4:18 PM
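As an added example (not code from any post in this thread), one way to implement the one-time password the answer above describes, derived from the current time and the machine name. The post does not say how such a code should be computed; this example uses an HMAC over a shared secret (`SECRET`), a one-minute time step, an 8-digit code and a one-step skew window, all of which are assumptions made here. The helpdesk runs `generate_code`, the tool on the laptop runs `verify_code`.

```python
import hashlib
import hmac
import struct

# Assumed values, not from the original post: a secret shared between the help
# desk generator and the tool on the laptop, a one-minute validity window and
# an 8-digit code.  The secret has to live inside the tool, so it is only as
# confidential as the binary that carries it.
SECRET = b"example-helpdesk-secret-not-for-production"
STEP_SECONDS = 60
CODE_DIGITS = 8


def time_step(unix_time: int) -> int:
    """Number of whole STEP_SECONDS intervals since the Unix epoch."""
    return int(unix_time) // STEP_SECONDS


def generate_code(machine_name: str, unix_time: int, secret: bytes = SECRET) -> str:
    """Help-desk side: a code bound to one machine name and one time step.

    HMAC-SHA256 over (normalised machine name, big-endian step counter), then
    HOTP-style dynamic truncation down to CODE_DIGITS decimal digits.
    """
    name = machine_name.strip().upper().encode("utf-8")
    msg = name + b"\x00" + struct.pack(">Q", time_step(unix_time))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_code(machine_name: str, unix_time: int, code: str,
                secret: bytes = SECRET, skew_steps: int = 1) -> bool:
    """Tool side: accept the code for the current step and skew_steps on
    either side (laptop and help-desk clocks are rarely in perfect sync).
    Comparison is constant-time so the check leaks nothing about the code."""
    if not isinstance(code, str) or len(code) != CODE_DIGITS or not code.isdigit():
        return False
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = generate_code(machine_name, unix_time + delta * STEP_SECONDS, secret)
        # Do not short-circuit: check every window so timing stays uniform.
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = generate_code("WKS-01", now)  # "WKS-01" is a made-up machine name
    print("code for WKS-01:", code)
    print("valid now:", verify_code("WKS-01", now, code))
    print("valid 10 minutes later:", verify_code("WKS-01", now + 600, code))
```

Because the secret (like the embedded admin credentials the answer mentions) must be present on the laptop, the scheme only stops a user from elevating without calling the helpdesk; it does not stop someone who extracts the secret from the binary, which is the same limitation the thread notes for "hidden" passwords.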
  • I don't see a reason clients should need to adjust network settings.  These should all be configured by DHCP.  Hotels, homes, and businesses just about all use DHCP to hand out IP address assignments.  DHCP can be configured on almost all small business, home, and corporate routers and firewalls.  On another note, your users really shouldn't be running as Power Users.  There is not that much difference between a Power User and Administrator.  You should heavily consider demoting users from Power Users to users.  If applications are incompatible, you can find the registry entries and directories to which they require access and configure this in Group Policy.  You can allow users to make changes to settings by using the following command: runas /u:domain\user command.

    Example: runas /u:Contoso\bgates "C:\Program Files\Internet Explorer\iexplore.exe"

    Netsh can be used to configure IP address settings from the command line.  For this you could do the following:

    • runas /u:Contoso\bgates cmd.exe  (localhost\administrator may be used for local accounts, where localhost is the computer name)
    • A new Command Prompt window opens with local administrator rights
    • Use NetSH to configure interfaces -
      netsh interface ip set address|dns|wins "Interface Name" static|dhcp <ip address> <subnet mask> <default Gateway> <metric>
    •      (Static-1) netsh interface ip set address "Local Area Connection" static 192.168.0.2 255.255.255.0 192.168.0.1 1
    •      (Static-2) netsh interface ip set dns "Local Area Connection" static 192.168.0.254
    •      (DHCP-1) netsh interface ip set address "Local Area Connection" dhcp
    •      (DHCP-2) netsh interface ip set dns "Local Area Connection" dhcp
    • Close Command Prompt


    There is no way built-in to keep them from knowing the administrator password.  You would have to use a utility that runs as a service for this, and this is a limitation of XP.  This is another great reason to move to Windows 7.  All "hidden" passwords are only obfuscated, which is reversible.
    • Proposed as answer by Rabid Squirrel Friday, April 9, 2010 7:44 PM
    • Edited by Rabid Squirrel Friday, April 9, 2010 7:45 PM Added information about hiding passwords.
    • Marked as answer by Kevin Remde Sunday, April 11, 2010 1:11 PM
    Friday, April 9, 2010 7:44 PM
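As an added example (not code from this thread), the netsh and runas command lines from the answer above built from validated inputs, the way the "custom executable that reconfigures the network settings" suggested earlier in the thread would do it. It generalises the posted commands: any interface name, a dotted mask or a prefix length, and a check that the gateway actually lies in the subnet before anything is applied. The interface name, addresses and the `Contoso\bgates` account in `main` are illustrative values, and running the commands for real requires Windows and administrator rights; by default the script only prints them.

```python
import ipaddress
import subprocess
from typing import List

Argv = List[str]


def static_commands(interface: str, ip: str, mask: str, gateway: str,
                    dns: str, metric: int = 1) -> List[Argv]:
    """netsh argv lists that set a static address and DNS server.

    Everything is validated before anything touches the stack: addresses must
    parse, the gateway must be inside the subnet, and the host address must not
    be the network or broadcast address.  A bad static config on a laptop that
    is off the corporate network is exactly what the help desk cannot fix remotely.
    """
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)  # mask or prefix length
    host = ipaddress.IPv4Address(ip)
    gw = ipaddress.IPv4Address(gateway)
    ipaddress.IPv4Address(dns)  # raises ValueError on malformed input
    if gw not in net:
        raise ValueError(f"gateway {gateway} is not inside {net}")
    if host in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    if metric < 1:
        raise ValueError("metric must be a positive integer")
    return [
        ["netsh", "interface", "ip", "set", "address", interface, "static",
         ip, str(net.netmask), gateway, str(metric)],
        ["netsh", "interface", "ip", "set", "dns", interface, "static", dns],
    ]


def dhcp_commands(interface: str) -> List[Argv]:
    """netsh argv lists that return the interface to DHCP for address and DNS."""
    return [
        ["netsh", "interface", "ip", "set", "address", interface, "dhcp"],
        ["netsh", "interface", "ip", "set", "dns", interface, "dhcp"],
    ]


def runas_command(user: str, argv: Argv) -> Argv:
    """Wrap one netsh command in runas, as the answer does for cmd.exe.

    runas takes the program and its arguments as ONE string, so the inner
    command is assembled with Windows quoting here (interface names with
    spaces get their double quotes); passing a flat list to subprocess would
    quote runas's arguments, not netsh's.
    """
    return ["runas", f"/u:{user}", subprocess.list2cmdline(argv)]


def apply(commands: List[Argv], dry_run: bool = True) -> List[str]:
    """Print (dry run) or execute each command; returns the command lines."""
    lines = [subprocess.list2cmdline(argv) for argv in commands]
    for argv, line in zip(commands, lines):
        if dry_run:
            print(line)
        else:
            subprocess.run(argv, check=True)  # Windows only; needs admin rights
    return lines


if __name__ == "__main__":
    iface = "Local Area Connection"  # illustrative; matches the answer's example
    static = static_commands(iface, "192.168.0.2", "255.255.255.0",
                             "192.168.0.1", "192.168.0.254")
    print("# static, run directly from an elevated prompt:")
    apply(static)
    print("# back to DHCP, via runas for a made-up account:")
    apply([runas_command(r"Contoso\bgates", argv) for argv in dhcp_commands(iface)])
```

The validation is the point of wrapping netsh at all: with the raw commands a user who types a gateway from the wrong subnet gets a link that looks up but routes nowhere, and on XP there is no way to hand them a working command prompt without also handing them the account password, as the answer notes.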

All replies

  • I don't believe so, no.  The ability to authenticate temporarily as another user account without having to logoff/login was introduced in Windows Vista and is also in Windows 7. 

    Yours is one of the reasons why so many people just give up and allow their users to run as local administrator on their Windows XP (and earlier) PCs.



    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    Tuesday, March 30, 2010 1:22 PM
  • Looking back at all the posts, it is interesting to see how this forum has grown.

    Guowen Su
    Cisco Certified Network Associate
    Cisco Certified Internetwork professional - MPLS
    Certified Information Systems Security Professional
    Microsoft Partner Network 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator:Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Certified Ethical Hacker
    Computer Hacking Forensics Investigator
    Certified Sonicwall Security Administrator
    Microsoft Geeks

    Tuesday, June 19, 2012 2:53 AM