Grant Administrative Access to a particular user for a particular time

  • Question

  • Hi Guys,

    I need your help in order to get my script complete.

    I'm using a PowerShell script to provide administrative access for the user on a particular system, but as per our guideline we need to remove the access after 24 hours, for which I run the script again using the "Delete" option in PowerShell, which is a manual step again.

    And the problem here is I frequently forget to remove the access once 24 hours is done.

    I want your help in order to write a script which includes a time span for the access, and once the time span is done it should remove the access for the user on the asset automatically.

    These are the scripts i'm using to add and delete:

    Invoke-Command -Computername "Machine Name" -ScriptBlock {"User ID" | % { & net localgroup "Administrators" $_ /add }} -Credential ***\*******

    Invoke-Command -Computername "Machine Name" -ScriptBlock {"User ID" | % { & net localgroup "Administrators" $_ /delete }} -Credential ***\*******

    Please help me out in getting the script more comfortable and easier.

    Thanks In Advance.


    Wednesday, July 17, 2019 3:04 PM

Answers

  • Yes, 

    You can write and run a script on the computer which does the following in sequence:

    1. Grant Admin Access

    2. Schedule a task to be run after 24 hours on the same computer to remove access.

            - In the task that will be run after 24 hours you can remove the user's admin rights; you also need to delete the task so that it will no longer be present in the Task Scheduler.

    You can use the PSScheduledJob or ScheduledTasks modules present in PowerShell to do the same. If you are not aware of the OS running on the computer that you are performing the task on, or if it's not the same, it would be best to use schtasks.exe to schedule a task, as the ScheduledTasks module is present on machines having Windows 8 or later and PSScheduledJob on 7 and less.

     You need to delete the task because once it's executed it won't be required, you can either delete the same and create a new one every time or just modify the existing one.



    Wednesday, July 17, 2019 3:40 PM
  • Hello,

    I would do it this way in the script.

    1> Add the access.

    2> write a ps1 file named A which includes:

    • Remove the access
    • Delete a scheduled task named B
       


    3> Create a scheduled task named B which runs A.ps1 after 24 hours.

    For example:

    # Grant the access.
    Invoke-Command -Computername "Machine Name" -ScriptBlock {"User ID" | % { & net localgroup "Administrators" $_ /add }} -Credential ***\*******

    # Recreate A.ps1; the backtick keeps $_ literal in the line written to the file.
    del C:\A.ps1 -ErrorAction SilentlyContinue
    "Invoke-Command -Computername 'Machine Name' -ScriptBlock {'User ID' | % { & net localgroup 'Administrators' `$_ /delete }} -Credential ***\*******" | Out-File C:\A.ps1 -Append
    "schtasks /delete /tn B /f" | Out-File C:\A.ps1 -Append

    # With no /st, schtasks uses the current time as the start time.
    schtasks /create /tn B /ru system /tr "powershell.exe -file c:\A.ps1" /sc daily
     

    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray  



    Thursday, July 18, 2019 11:25 AM
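
The grant, removal script and self-deleting task described in the two answers above can be combined into one function that runs entirely on the target machine. This is an added example, not code from the thread: the function name, the `RevokeTempAdmin-` task prefix and the script location under ProgramData are assumptions, and it uses the ScheduledTasks module (Windows 8 or later) for a one-time trigger instead of `schtasks /sc daily`.

```powershell
# Added example. Function name, task-name prefix and script location are assumptions.
function Grant-TemporaryAdmin {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [ValidatePattern('^[\w .\\-]+$')] [string] $User,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [ValidateRange(1, 168)] [int] $Hours = 24
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                   -ArgumentList $User, $Hours -ScriptBlock {
        param($User, $Hours)
        $task    = 'RevokeTempAdmin-' + ($User -replace '[^\w.-]', '_')
        $cleanup = Join-Path $env:ProgramData "$task.ps1"
        $expires = (Get-Date).AddHours($Hours)

        # 1. Grant access. A non-zero exit code includes "already a member":
        #    stop, so an existing permanent membership never gets an expiry.
        & net.exe localgroup Administrators $User /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net localgroup /add failed for $User" }
        try {
            # 2. Removal script: revoke, delete its own task, delete itself.
            @(
                "& net.exe localgroup Administrators '$User' /delete"
                "& schtasks.exe /delete /tn '$task' /f"
                'Remove-Item -LiteralPath $PSCommandPath -Force'
            ) | Set-Content -LiteralPath $cleanup -Encoding UTF8 -ErrorAction Stop

            # 3. One-shot SYSTEM task. StartWhenAvailable runs it as soon as
            #    possible if the machine was off at the scheduled time.
            $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument `
                "-NoProfile -ExecutionPolicy Bypass -File `"$cleanup`""
            $trigger   = New-ScheduledTaskTrigger -Once -At $expires
            $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
            $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
            Register-ScheduledTask -TaskName $task -Action $action -Trigger $trigger `
                -Principal $principal -Settings $settings -Force -ErrorAction Stop | Out-Null
        }
        catch {
            # Never leave an admin grant without an expiry: roll back and re-throw.
            & net.exe localgroup Administrators $User /delete | Out-Null
            Remove-Item -LiteralPath $cleanup -Force -ErrorAction SilentlyContinue
            throw
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $User; Task = $task; Expires = $expires }
    }
}
```

Because the task is registered on the target itself, the removal script needs no remoting and no stored credential.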

All replies

  • You need to use task scheduler, you need to schedule the command to be run after 24 hours. You should not use the same script to run for 24 hours and to wait just to delete the permission.

    Schtasks.exe might help you. Inside the script that you have scheduled, you might need to delete the scheduled task as well.

    https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks

    Wednesday, July 17, 2019 3:08 PM
  • Hi DumbleD0re,

    So you mean I need to add the task scheduler in the script which I'm using to delete the rights for the user.

    And as the task scheduler will run after every 24 hours, I need to delete the task scheduler after 24 hours, which makes it run only once.

    Right?

    Wednesday, July 17, 2019 3:24 PM
  • Thank you so much :)

    I will start writing the script and I will keep you posted if I have any doubts regarding the script.

    Wednesday, July 17, 2019 4:38 PM
  • I can't move this thread, but it really has nothing to do with System Center Configuration Manager at all and so is best continued in another forum.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, July 17, 2019 5:11 PM
    Moderator
  • Until the user, who is now an admin, discovers that you are using a scheduled task to remove their admin permissions and deletes the task. Or worse, malicious code deletes the task and runs havoc using the user's credentials.

    Once again though, none of this has anything to do with the subject of this forum and is best discussed in a forum specific to Windows Administration.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, July 18, 2019 2:18 PM
    Moderator
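
The failure mode raised in the reply above, admin rights that outlive their removal task, can be checked for from a management workstation. This is an added example, not code from the thread: it assumes each temporary grant has a removal task named `RevokeTempAdmin-<user>` (an assumed naming convention) and reports any machine where the user is still in Administrators but that task is missing, disabled, no longer run by SYSTEM, or has no future run time.

```powershell
# Added example. Assumes each grant has a removal task named
# 'RevokeTempAdmin-<user>' (an assumed convention, not from the thread).
function Test-TemporaryAdminExpiry {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                   -ArgumentList $User -ScriptBlock {
        param($User)
        $taskName = 'RevokeTempAdmin-' + ($User -replace '[^\w.-]', '_')

        # Current membership, read with the same tool the thread uses.
        $members = & net.exe localgroup Administrators | ForEach-Object { $_.Trim() }
        $isAdmin = $members -contains $User

        # Is the removal task still there, enabled, and still run by SYSTEM?
        $task    = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
        $nextRun = if ($task) { ($task | Get-ScheduledTaskInfo).NextRunTime }
        $intact  = [bool]$task -and $task.State -ne 'Disabled' -and
                   $task.Principal.UserId -eq 'SYSTEM' -and $nextRun -gt (Get-Date)

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            User     = $User
            IsAdmin  = $isAdmin
            NextRun  = $nextRun
            # Admin rights with no working expiry is the case to alert on.
            Finding  = if ($isAdmin -and -not $intact) { 'GrantWithoutExpiry' } else { 'OK' }
        }
    }
}
```

Run it on a schedule from a host the temporary admin does not control, so the check itself cannot be removed along with the task.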
  • Hi Jia,

    Thank you so much, this will really help me.

    Thank you for your effort :)


    Thursday, August 8, 2019 2:32 PM