Solved

Granting temporary administrator access to limited users with no network connection

Posted on 2006-11-21
2,779 Views
Last Modified: 2013-12-04
We have users that travel all over the world that are set up as limited user accounts on their laptops.  Occasionally they go somewhere where they need to install a new type of printer, or a USB card reader, or some other random hardware.  Since they are limited users they can't do it.

If they have a network connection it's not a problem because someone from the helpdesk can log on to their computer and install the software for them, or worst case, make them a local admin for the time required to install the device.

The problem is that when there's no network connection, we can't give out the local admin password because it's the same across all our laptops.  Is there some kind of utility that could be installed by an administrator and then used by limited users in order to elevate them to admin privileges?  A company I used to work for had a similar problem with their internal software package and it had an override option with a password that would only work for one day.
0
Question by:FWeston
8 Comments
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 500 total points
ID: 17989116
Think about what you are asking.

>>Is there some kind of utility that could be installed by an administrator and then used by limited users in order to elevate them to admin privileges?
Such a utility would enable a limited user to grant THEMSELVES local admin rights at any time... which in effect would mean that that user is a local admin.  So to answer your question, no, no such utility exists b/c it would be useless.  It would be useless b/c it has the same end result of giving the limited user local admin rights.

A workaround would be to create a local admin account on all your laptops and give them different passwords.  Then whenever a limited user needed to be an admin, they could contact your helpdesk and be given the password.  As soon as this machine is back on the network, this password would be changed by an admin.

0
 
LVL 3

Author Comment

by:FWeston
ID: 17989152
And the rest of the question says: "with a password that would only work for one day".  The premise is simple enough: create a local account with admin privileges and have some sort of program running as a service that changes the password for that account every XX hours.  Base it off an algorithm so you know what the password will be based on any given date.  The idea is simple, I just don't know how to do it.
0
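As an added example (not code from this thread or from any poster), here is one way the date-based password in the comment above could be combined with the per-laptop passwords from the accepted answer: each laptop gets its own secret, and the day's password is an HMAC of the hostname and the UTC date, so the helpdesk can work it out with no connection to the laptop. The function names, hostnames and secrets are hypothetical and constructed for illustration; actually setting the account password on the laptop is outside the sketch.

```python
import base64
import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone

PASSWORD_LENGTH = 20  # base32 characters, 5 bits each = 100 bits of HMAC output


def utc_day(now: datetime) -> date:
    """Both sides key on the UTC date so a traveller's local time zone is irrelevant."""
    return now.astimezone(timezone.utc).date()


def daily_password(machine_secret: bytes, hostname: str, day: date) -> str:
    """Derive the local admin password for one laptop on one UTC day."""
    message = f"{hostname.upper()}|{day.isoformat()}".encode("utf-8")
    digest = hmac.new(machine_secret, message, hashlib.sha256).digest()
    text = base64.b32encode(digest).decode("ascii")[:PASSWORD_LENGTH]
    # Groups of five are easier to read out over the phone.
    return "-".join(text[i:i + 5] for i in range(0, PASSWORD_LENGTH, 5))


def helpdesk_lookup(secrets: dict, hostname: str, now: datetime) -> str:
    """Helpdesk side: look up the laptop's secret and derive today's password."""
    return daily_password(secrets[hostname.upper()], hostname, utc_day(now))


def rotation_due(last_set_for: date, now: datetime) -> bool:
    """Laptop side: the service resets the account when the UTC day has changed."""
    return utc_day(now) != last_set_for


# Constructed sample data: hostnames and secrets are made up for this example.
SECRETS = {
    "LAPTOP-A": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "LAPTOP-B": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

if __name__ == "__main__":
    # A user in Tokyo calls at 08:30 local time, which is still 20 Nov in UTC.
    tokyo = timezone(timedelta(hours=9))
    call_time = datetime(2006, 11, 21, 8, 30, tzinfo=tokyo)
    print(utc_day(call_time), helpdesk_lookup(SECRETS, "laptop-a", call_time))
```

A password handed out for one laptop and one day reveals nothing about other laptops or other days, but anyone who logs on with it can read the secret stored on that laptop, so the secret needs replacing once the machine is back on the network.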
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17989281
>>And the rest of the question says:
And the first part of that sentence says that was for an internal software, not the OS.   Apples and Oranges.  If a user is a local admin of the OS then they have FULL control over the PC/Laptop.  If they have these rights for any period of time they might as well have them forever since they could (with the rights they can grant THEMSELVES) remove/install ANYTHING including the very software that resets their 'temporary' admin password.

>>The idea is simple
It is also flawed and opens a huge security hole.

If you don't want your users to have local admin rights then don't give them admin rights ever.  The whole idea of giving them the ability to give themselves admin rights (for any period of time) just doesn't make sense.

Do you realize that if they are a local admin for even 5 minutes all they have to do is create another local admin account and just use that at any time they want?
I could shoot security holes in giving a user the right to do this all day.  I'm sorry, but it just isn't secure.

You don't have to like my answer, but it is the right one.
0
 
LVL 3

Author Comment

by:FWeston
ID: 17989860
Yes, I realize the implications although I don't think any of our users are necessarily adept enough to pick up on that.  The problem is when users are out on site and they need to install some strange piece of hardware like a printer or digital camera, they can't do it without admin rights.  I can't think of any other solution that would allow them to install the hardware without giving them a local admin password.  At least this solution is somewhat more secure than just giving them the local password.  If you have any other suggestions I would be happy to hear them.
0
 
LVL 88

Expert Comment

by:rindi
ID: 17993847
Tell them that if they need to use such different hardware they should get their own notebook, or then let you install that beforehand if company policy allows for such hardware to be used at all!
0
 
LVL 38

Expert Comment

by:younghv
ID: 17994738
Hi FWeston,
We have been dealing with the same kinds of requests for years.
Many of our users are travelling almost constantly and they 'must have' admin rights.
The many and varied reasons for the 'must have' make for some interesting reading.
Our answer is a consistent 'no, you don't'.

The most common phony problem is that they can't print somewhere.
We fix this by having (typically) 10-12 different printers loaded on each notebook - and - if none of them work in a given situation, they can either email the documents they need to print to someone local, or copy them to USB drive and have someone else print for them.

If they're running XP with SP2, I haven't seen any USB card readers that won't work with the native XP drivers.

Users always want admin rights and admins always need to resist the requests. Even if it were true that your users aren't 'adept' enough, how about their buddy sitting next to them 10,000 miles away from your home office?

Vic
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17995237
This can be done, but there are indeed risks as outlined above. I have a tutorial here that may be of use:  http://www.xinn.org/RunasVBS.html
Here are probably some better tools that could suit your needs: http://nonadmin.editme.com/UsefulTools
With my VBScript you can specify the app to run with admin priv's, and the script is encoded (not encrypted btw...) in a .vbe rather than plain-text .vbs. I'm sure some of the tools I just linked to can be used similarly.
-rich
0
 
LVL 38

Expert Comment

by:younghv
ID: 18510735
Fweston,
Any new info on this one?
Vic
0

Question has a verified solution.