script ( vb/power shell/bat ) which will grant admin privilege to the local user for 24 hours

  • Hi Friends

    I believe this topic was already discussed, however I could not find a solution.. please help

    I need a script ( vb/power shell/bat ) etc which will run on the local user with admin privilege ( will package and make it available in application store / software center ( sccm 2012 ), it will run with admin rights on the local computer ) and grant admin privilege to the local user for 24 hours

    My previous org had the same, however the source is a .exe file, so I'm not very sure if they converted a script to an exe for privacy

    Thank you

    Tanoj


    OSLM ENGINEER - SCCM 2007 & 2012

    Monday, December 1, 2014 4:44 AM

Answers

All replies

  • Sorry but we cannot do that for obvious reasons.  Ask your system Admin to grant you admin when you need it.  Perhaps they can be of assistance.

    What you are asking for actually violates almost all security principles I know of concerning admin access.


    ¯\_(ツ)_/¯

    Monday, December 1, 2014 5:25 AM
  • Hi Tanoj,

    you can manage local user permissions using the Local User Management Module. Timing permissions can be implemented using Tasks or whatever automation scheduling system you use.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, December 1, 2014 2:41 PM
  • Hi Fred,

    Thank you for the reply and the suggestion,

    could you please help me with the steps, like do we need to integrate this script into sccm ?

    or is this an independent script which will run on local computer/server ?

    It will be really helpful if you could help me with the steps

    Regards,

    Tanoj


    OSLM ENGINEER - SCCM 2007 & 2012

    Tuesday, December 2, 2014 4:12 AM
  • It is my belief that people who want to do these dangerous things should be forced to learn the technical reality of this method.  If you cannot understand how to do it then you should not be doing it.  We don't put guns in the hands of babies. (sue me!)

    ¯\_(ツ)_/¯

    Tuesday, December 2, 2014 4:18 AM
  • Giving admin access manually to the local user will take less time than it would take to write a script and implement it.

    And as per my understanding this would be for few users.

    Regards -

    Jupiter

    • Proposed as answer by jrv Tuesday, December 2, 2014 4:32 AM
    • Unproposed as answer by Bill_Stewart Tuesday, December 9, 2014 4:14 PM
    Tuesday, December 2, 2014 4:27 AM
  • It is my belief that people who want to do these dangerous things should be forced to learn the technical reality of this method.  If you cannot understand how to do it then you should not be doing it.  We don't put guns in the hands of babies. (sue me!)


    Harsh words, but not entirely unjustified and mostly I agree with you on that (which might be hypocritical of me, I'm confident I messed with quite a few things I should have first studied up on).

    That said, he's talking about granting and revoking local Admin privileges. I'm sure he can do that quite handily himself in manual operation, so all this would do is speed up a process, not grant new abilities. Let's hope he knows the consequences of granting users local admin, but that'd be a good thing to know when granting them manually as well.

    Given usual corporate pressures, if he can't set up the process, he'll most likely be forced to grant the users permanent local admin ...


    That said, I won't go into extreme powershell basics here, Tanoj. If you can't do that yet, you'll need to learn it anyway. You can build an executable file (using for example Powershell Studio from Sapien) that runs a script.

    Basically you need to perform two operations:

    • Add user to local admins
    • Ensure the user is removed from local admins 24h later

    The first you can integrate directly into the initial script packaged into an executable using the code from the link I posted earlier.

    The second can be done by a scheduled task. You can create a task using Powershell, so you can have the same executable that performs step 1 to set up the task for step 2.


    Whether all that can be integrated into SCCM I do not know (never used it).

    Cheers and good luck,
    Fred


    There's no place like 127.0.0.1

    Tuesday, December 2, 2014 11:25 AM
  • The bigger issue is distributing a script with this capability. Once the script escapes then anybody has admin access at any time.

    If you want a system that manages this then it has to be much more than a script.  It needs to be a validated process that has reporting and oversight process components.

    We used to do a similar thing when Chase insisted that their employees should be allowed to do local installs.  The HelpDesk would receive the request and trigger the injection of the user into the local admin group and timestamp the description.  Every 5 minutes a scan of AD would find all enabled accounts.   If they were then check to see if an hour had elapsed.  If so the user would be removed.  Reports were generated continuously.

    Of course this idea lasted for about a month until corporate security got wind and shut it down.  Now the users have to wait as long as three days to get service.

    DSC will probably be helpful in fixing this issue.


    ¯\_(ツ)_/¯

    Tuesday, December 2, 2014 2:16 PM
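    Fred's two operations (add the user to local admins, make sure they are removed 24h later via a scheduled task) and the sweep-and-report process jrv describes, worked through as an added PowerShell example. This is not code from the thread or from any of the posters. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts and ScheduledTasks modules (Windows 8.1 / Server 2012 R2 or later), that it runs with administrative rights (for example as SYSTEM from a deployment tool), and that user names are passed as DOMAIN\user or COMPUTER\user. The store path under ProgramData, the task-name prefix and the function names Grant-TemporaryLocalAdmin and Invoke-TemporaryAdminSweep are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): time-boxed local Administrators membership with
# a scheduled revocation, an audit record, and an independent sweep that enforces expiry.
# Assumptions: Windows PowerShell 5.1, LocalAccounts + ScheduledTasks modules, user names
# given as DOMAIN\user or COMPUTER\user. Store path and task names are hypothetical choices.

$script:GrantStore = Join-Path $env:ProgramData 'TempAdmin\grants.json'   # hypothetical location
$script:GroupName  = 'Administrators'

function Read-GrantStore {
    # Returns the recorded grants as an array (empty when nothing has been granted yet).
    if (Test-Path -Path $script:GrantStore) {
        @(Get-Content -Path $script:GrantStore -Raw | ConvertFrom-Json)
    } else {
        @()
    }
}

function Write-GrantStore {
    param([object[]]$Grants)
    New-Item -ItemType Directory -Path (Split-Path -Path $script:GrantStore) -Force | Out-Null
    # -InputObject keeps a single grant serialised as a JSON array rather than a bare object.
    ConvertTo-Json -InputObject @($Grants) | Set-Content -Path $script:GrantStore
}

function Grant-TemporaryLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [ValidateRange(1, 168)][int]$Hours = 24
    )
    # Refuse accounts that are already members: revoking later would strip a permanent admin.
    $already = Get-LocalGroupMember -Group $script:GroupName | Where-Object { $_.Name -ieq $UserName }
    if ($already) { throw "$UserName is already in $($script:GroupName); not recording a temporary grant." }

    $grantedAt = Get-Date
    $expiresAt = $grantedAt.AddHours($Hours)
    $taskName  = 'TempAdmin-Revoke-' + ($UserName -replace '[\\/:]', '_')

    Add-LocalGroupMember -Group $script:GroupName -Member $UserName

    # Revocation task runs as SYSTEM; StartWhenAvailable makes a missed trigger fire at next boot.
    $cmd = "Remove-LocalGroupMember -Group '$($script:GroupName)' -Member '$UserName' -ErrorAction SilentlyContinue; " +
           "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $expiresAt
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null

    # Audit record, so the sweep can enforce expiry even if the task is removed or never fires.
    $grants  = @(Read-GrantStore | Where-Object { $_.User -ine $UserName })
    $grants += [pscustomobject]@{
        User      = $UserName
        GrantedAt = $grantedAt.ToString('o')
        ExpiresAt = $expiresAt.ToString('o')
        Task      = $taskName
    }
    Write-GrantStore -Grants $grants
    Write-Output "GRANTED  $UserName until $($expiresAt.ToString('o')) (task $taskName)"
}

function Invoke-TemporaryAdminSweep {
    # Independent enforcement and report: run this every few minutes from a SYSTEM task.
    $now = Get-Date
    $remaining = @()
    foreach ($g in Read-GrantStore) {
        if ((Get-Date -Date $g.ExpiresAt) -le $now) {
            Remove-LocalGroupMember -Group $script:GroupName -Member $g.User -ErrorAction SilentlyContinue
            Unregister-ScheduledTask -TaskName $g.Task -Confirm:$false -ErrorAction SilentlyContinue
            Write-Output "REVOKED  $($g.User) (granted $($g.GrantedAt), expired $($g.ExpiresAt))"
        } else {
            $remaining += $g
            Write-Output "ACTIVE   $($g.User) until $($g.ExpiresAt)"
        }
    }
    # Flag members of the group that have no recorded grant: permanent admins or unexplained additions.
    $recorded = @($remaining | ForEach-Object { $_.User })
    Get-LocalGroupMember -Group $script:GroupName |
        Where-Object { $recorded -notcontains $_.Name } |
        ForEach-Object { Write-Output "NOGRANT  $($_.Name) (permanent or unrecorded member)" }
    Write-GrantStore -Grants $remaining
}

# Usage (the user name is a constructed placeholder):
# Grant-TemporaryLocalAdmin -UserName 'CONTOSO\jdoe' -Hours 24
# Invoke-TemporaryAdminSweep
```

    The scheduled task alone is not an enforcement boundary: anyone holding local admin for those 24 hours can delete it, which is jrv's "once the script escapes" point. That is why the sweep reads its own record of grants, revokes anything expired regardless of the task, and reports members that have no recorded grant at all; run it from a SYSTEM task and ship its output somewhere the user cannot edit. Mike's answer below is the stronger control: a ConfigMgr-deployed application installs under the deployment agent's rights and never needs the grant in the first place.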
  • Hi Tanoj,

    Why do your users need local admin rights in the first place? If they need to install software, you can always just create 'available' applications within ConfigMgr and advertise them to user collections.

    IMHO, ConfigMgr removes almost all need for end users to have local admin rights.


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    • Marked as answer by Bill_Stewart Tuesday, December 9, 2014 4:15 PM
    Tuesday, December 2, 2014 2:27 PM
  • Just out of curiosity, what is happening in this 24 hour period that's making users who previously weren't trusted with local admin authority suddenly become trustworthy?

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Tuesday, December 2, 2014 3:30 PM
  • I think Mike is asking precisely the right question. WHY does this need to be done? Is it so users can install something? Application compatibility? I think this isn't a scripting question but probably a 1) security management, 2) application management, or 3) application compatibility question.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, December 2, 2014 3:51 PM
  • It's often cheaper to give a user admin rights to install something versus assigning a technician to perform the work. Users often will install printers on their own as well.

    As much as I prefer not giving users admin in an environment, I'm definitely seeing more self service being encouraged. Security groups are also a bit more forgiving to 1hr/8hr/24hr add/removes of administrative rights, usually controlled by scheduled tasks to help with timing. 

    Tuesday, December 2, 2014 4:31 PM
  • Hi Friends

    I believe this topic was already discussed, however I could not find a solution.. please help

    I need a script ( vb/power shell/bat ) etc which will run on the local user with admin privilege ( will package and make it available in application store / software center ( sccm 2012 ), it will run with admin rights on the local computer ) and grant admin privilege to the local user for 24 hours

    My previous org had the same, however the source is a .exe file, so I'm not very sure if they converted a script to an exe for privacy

    Thank you

    Tanoj


    OSLM ENGINEER - SCCM 2007 & 2012

    The user clearly states SCCM.  The user does not require admin rights.  As Mike has pointed out SCCM can do almost anything without user intervention.  The issue here is like in so many other cases.  No training in SCCM because companies are too cheap to train their people.  This is what happens in those cases.

    ¯\_(ツ)_/¯

    Tuesday, December 2, 2014 4:37 PM
  • I forgot.  I really only wanted to post that there is really no good answer to the original question.  The solution depends on why it is needed as Bill and others have already pointed out.


    ¯\_(ツ)_/¯

    Tuesday, December 2, 2014 4:38 PM
  • It's often cheaper to give a user admin rights to install something versus assigning a technician to perform the work. Users often will install printers on their own as well.

    As much as I prefer not giving users admin in an environment, I'm definitely seeing more self service being encouraged. Security groups are also a bit more forgiving to 1hr/8hr/24hr add/removes of administrative rights, usually controlled by scheduled tasks to help with timing. 

    That could easily be the most expensive money you ever saved.

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Tuesday, December 2, 2014 4:41 PM
  • Depends on if you're asking an engineer or project manager :)
    Tuesday, December 2, 2014 5:29 PM
  • Depends on if you're asking an engineer or project manager :)

    Actually, I'd ask an accountant. Both PMs and Engineers tend to have a stake in it :)

    And if it's about allowing users to un/-install things, I'd far rather build an un-/installation package the users have access to, rather than allowing them to manually perform the steps. A lot simpler to enforce compliance that way, and saves a lot of Admin work hours down the road, compared to allowing users to do this manually.


    There's no place like 127.0.0.1

    Thursday, December 4, 2014 7:54 AM
  • Hi Friends,

    The Application should need to ask Approval every-time a user wants to install it through software catalog, how to achieve this task ?

    Regards

    Tanoj


    OSLM ENGINEER - SCCM 2007 & 2012

    Friday, December 5, 2014 5:04 AM
  • You need to ask SCCM questions in an SCCM forum.


    -- Bill Stewart [Bill_Stewart]

    Friday, December 5, 2014 3:22 PM
  • I Apologize

    Regards

    Tanoj


    OSLM ENGINEER - SCCM 2007 & 2012

    Tuesday, December 9, 2014 3:51 AM
  • You don't need to apologize. It is just more effective for you to post in a forum related to the product.

    ¯\_(ツ)_/¯

    Tuesday, December 9, 2014 4:01 AM
  • Hi Tanoj !

    Did you find a solution for your trouble?

    Best Regards,

    Anderson Cardoso

    Wednesday, December 10, 2014 12:11 PM
  • Hi Tanoj !

    Did you find a solution for your trouble?

    Best Regards,

    Anderson Cardoso

    This issue needs to be addressed in the ConfigMgr forums, not here.


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Wednesday, December 10, 2014 1:52 PM