Granting temporary administrator access to limited users with no network connection

Posted on 2006-11-21
Last Modified: 2013-12-04
We have users that travel all over the world that are set up as limited user accounts on their laptops.  Occasionally they go somewhere where they need to install a new type of printer, or a USB card reader, or some other random hardware.  Since they are limited users they can't do it.

If they have a network connection it's not a problem because someone from the helpdesk can log on to their computer and install the software for them, or worst case, make them a local admin for the time required to install the device.

The problem is when there's no network connection, we can't give out the local admin password because it's the same across all our laptops.  Is there some kind of utility that could be installed by an administrator and then used by limited users in order to elevate them to admin privileges?  A company I used to work for had a similar problem with their internal software package and it had an override option with a password that would only work for one day.
Question by:FWeston
LVL 25

Accepted Solution

by:
mikeleebrla earned 2000 total points
ID: 17989116
Think about what you are asking.

>>Is there some kind of utility that could be installed by an administrator and then used by limited users in order to elevate them to admin privileges?
Such a utility would enable a limited user to grant THEMSELVES local admin rights at any time, which in effect would mean that that user is a local admin.  So to answer your question, no, no such utility exists b/c it would be useless.  It would be useless b/c it has the same end result of giving the limited user local admin rights.

A workaround would be to create a local admin account on all your laptops and give them different passwords.  Then whenever a limited user needed to be an admin, they could contact your helpdesk and be given the password.  As soon as this machine is back on the network, this password would be changed by an admin.

0
 
LVL 3

Author Comment

by:FWeston
ID: 17989152
And the rest of the question says: "with a password that would only work for one day".  The premise is simple enough, create a local account with admin privileges and have some sort of program running as a service that changes the password for that account every XX hours.  Base it off an algorithm so you know what the password will be based on any given date.  The idea is simple, I just don't know how to do it.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17989281
>>And the rest of the question says:
And the first part of that sentence says that was for an internal software, not the OS.  Apples and oranges.  If a user is a local admin of the OS then they have FULL control over the PC/Laptop.  If they have these rights for any period of time they might as well have them forever since they could (with the rights they can grant THEMSELVES) remove/install ANYTHING including the very software that resets their 'temporary' admin password.

>>The idea is simple
It is also flawed and opens a huge security hole.

If you don't want your users to have local admin rights then don't give them admin rights ever.  The whole idea of giving them the ability to give themselves admin rights (for any period of time) just doesn't make sense.

Do you realize that if they are a local admin for even 5 minutes all they have to do is create another local admin account and just use that at any time they want?
I could shoot security holes in giving a user the right to do this all day.  I'm sorry, but it just isn't secure.

You don't have to like my answer, but it is the right one.
0
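An added example, not part of the thread: a check the helpdesk could run when a laptop comes back on the network after its local admin password was given out, looking for the risk described above (a second admin account created during the window). The event records, account names and SIDs are constructed, and the function name and the dict-per-exported-Security-event layout are assumptions.

```python
from datetime import datetime

ADMINS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
# Security event IDs on Windows Vista and later:
CREATED, ADDED_TO_GROUP, LOG_CLEARED = 4720, 4732, 1102

# Constructed sample data (not from the thread): events exported from one laptop.
EVENTS = [
    {"time": "2024-03-04T09:02:11", "id": 4624, "SubjectUserName": "jdoe"},
    {"time": "2024-03-05T14:05:40", "id": 4720, "SubjectUserName": "LocalAdm",
     "TargetUserName": "printsvc", "TargetSid": "S-1-5-21-1-2-3-1009"},
    {"time": "2024-03-05T14:05:52", "id": 4732, "SubjectUserName": "LocalAdm",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1009"},
    {"time": "2024-03-05T14:20:03", "id": 4732, "SubjectUserName": "LocalAdm",
     "TargetSid": "S-1-5-32-545", "MemberSid": "S-1-5-21-1-2-3-1010"},
]
BASELINE_ADMINS = {"S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-1001"}  # recorded before the trip
CURRENT_ADMINS = BASELINE_ADMINS | {"S-1-5-21-1-2-3-1009"}        # read on return


def audit_window(events, start, end, baseline, current):
    """Findings for the period during which the admin password was disclosed."""
    findings, names = [], {}
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if not start <= when <= end:
            continue
        if ev["id"] == CREATED:
            names[ev["TargetSid"]] = ev["TargetUserName"]
            findings.append(("account_created", ev["TargetUserName"]))
        elif ev["id"] == ADDED_TO_GROUP and ev["TargetSid"] == ADMINS_SID:
            member = ev["MemberSid"]
            if member not in baseline:
                findings.append(("added_to_administrators", names.get(member, member)))
        elif ev["id"] == LOG_CLEARED:
            findings.append(("audit_log_cleared", ev["SubjectUserName"]))
    # Log-independent check: an admin can clear or edit the log, so also diff
    # the group's present membership against the pre-trip baseline.
    for sid in sorted(set(current) - set(baseline)):
        findings.append(("unexpected_admin_member", names.get(sid, sid)))
    return findings


if __name__ == "__main__":
    window = (datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 6, 14, 0))
    for finding in audit_window(EVENTS, *window, BASELINE_ADMINS, CURRENT_ADMINS):
        print(finding)
```

The membership diff at the end still fires when the Security log has been cleared, which is why the baseline has to be recorded before the password is handed out.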
LVL 3

Author Comment

by:FWeston
ID: 17989860
Yes, I realize the implications although I don't think any of our users are necessarily adept enough to pick up on that.  The problem is when users are out on site and they need to install some strange piece of hardware like a printer or digital camera, they can't do it without admin rights.  I can't think of any other solution that would allow them to install the hardware without giving them a local admin password.  At least this solution is somewhat more secure than just giving them the local password.  If you have any other suggestions I would be happy to hear them.
0
 
LVL 88

Expert Comment

by:rindi
ID: 17993847
Tell them that if they need to use such different hardware they should get their own notebook, or then let you install that beforehand if company policy allows for such hardware to be used at all!
0
 
LVL 38

Expert Comment

by:younghv
ID: 17994738
Hi FWeston,
We have been dealing with the same kinds of requests for years.
Many of our users are travelling almost constantly and they 'must have' admin rights.
The many and varied reasons for the 'must have' make for some interesting reading.
Our answer is a consistent 'no, you don't'.

The most common phony problem is that they can't print somewhere.
We fix this by having (typically) 10-12 different printers loaded on each notebook - and - if none of them work in a given situation, they can either email the documents they need to print to someone local, or copy them to USB drive and have someone else print for them.

If they're running XP with SP2, I haven't seen any USB card readers that won't work with the native XP drivers.

Users always want admin rights and admins always need to resist the requests. Even if it were true that your users aren't 'adept' enough, how about their buddy sitting next to them 10,000 miles away from your home office?

Vic
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17995237
This can be done, but there are indeed risks as outlined above. I have a tutorial here that may be of use:  http://www.xinn.org/RunasVBS.html
Here are probably some better tools that could suit your needs: http://nonadmin.editme.com/UsefulTools
With my VBScript you can specify the app to run with admin priv's, and the script is encoded (not encrypted btw...) in a .vbe rather than plain-text .vbs. I'm sure some of the tools I just linked to can be used similarly.
-rich
0
 
LVL 38

Expert Comment

by:younghv
ID: 18510735
Fweston,
Any new info on this one?
Vic
0
