Grant temporary local admin rights (ET)

I'm looking for a way to grant users in our domain temporary local admin rights so they can install software or make a change that's only allowed by a local admin.
I know through AD/group policy I can give them local admin rights, but that would require having them log out and back in. Then I would have to manually remove their rights.
Ideally what I would like is a tool on my AD server where I can say 'user xyz has admin rights for the next 30 minutes' and it would apply without requiring them to log out (or if they had to log out and back in, I can deal with that). I just don't want to add them to a security group and then have to remember to remove them later on, etc.
It needs to be something we can do quickly, so if a user calls in and says 'I need to install a software asap' we can give them access right away.
Any suggestions on this?

btan (Exec Consultant) commented:
From the forum: the decision was made in Windows Vista to remove the Power Users group's elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough, as those need admin rights. You can explore making the user a member of the Network Configuration Operators group, but they cannot fulfil those tasks as shared - targeted tuning may be best if you need granularity and security.

It is good to note that the reason we create standard user accounts is to protect the computer by preventing users from making changes that affect everyone who uses the computer. There are some use cases to consider, but if you intend engineers (and in your case - all users) to have access to install applications they require on an ad hoc basis, without having to go via the IT desk, that can be tough and needs to be balanced out... Pardon me for going round, but the emphasis is on balancing use and security:

- Installing a Package with Elevated Privileges for a Non-Admin
- Allow non-admin to install software/printer

The least privilege principle is the basis, and AppLocker is worth exploring ....

AppLocker is for application whitelisting, and it manages policies for Packaged apps and Packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules that apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence, using the principle of least privilege, create a role-based group and assign the rule to the users within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.
tabush (Author) commented:
I don't know that much about AppLocker, however I've looked at it in the past. I see you can create an allow rule for a specific path. Can you tell me if this will work:

If I create an allow rule (Executable rule and Windows Installer rule) and add the path C:\temp\*
Does that mean I can install any application if the installer is sitting in the C:\temp\ folder?

Not sure if that's how this works...
btan (Exec Consultant) commented:

The FAQ can come in handy - path rule conditions are based on the file or folder installation path of specific applications. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.

Also see the AppLocker rule documentation:

Because a path condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can then copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.

Also, AppLocker allows you to generate default rules for each of the rule types.

Executable default rule types:
- Allow members of the local Administrators group to run all applications.
- Allow members of the Everyone group to run applications that are located in the Windows folder.
- Allow members of the Everyone group to run applications that are located in the Program Files folder.

Windows Installer default rule types:
- Allow members of the local Administrators group to run all Windows Installer files.
- Allow members of the Everyone group to run digitally signed Windows Installer files.
- Allow members of the Everyone group to run all Windows Installer files located in the Windows\Installer folder.
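
The path-condition risk described above, which is also what makes an allow rule such as `C:\temp\*` a problem, can be checked on a machine. The following is an added example, not part of the thread or of the quoted documentation: the function name `Find-WritableAppLockerPathRule` is hypothetical, and the ACL test is a heuristic that looks only at the folder named in each rule.

```powershell
# Added example: list AppLocker *allow* path rules whose folder grants write
# access to broad non-admin groups. Heuristic: reads only the ACL of the folder
# named by the rule (not its subfolders) and only explicit file-system rights.
function Find-WritableAppLockerPathRule {
    [CmdletBinding()]
    param([string] $PolicyXml = (Get-AppLockerPolicy -Effective -Xml))

    # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    # AppLocker path variables mapped to folders on this machine.
    $vars = @{
        '%OSDRIVE%'      = $env:SystemDrive
        '%WINDIR%'       = $env:windir
        '%SYSTEM32%'     = Join-Path $env:windir 'System32'
        '%PROGRAMFILES%' = $env:ProgramFiles
    }
    # Rules scoped to the local Administrators group are not the concern here.
    $xpath = '//FilePathRule[@Action="Allow" and @UserOrGroupSid!="S-1-5-32-544"]'
    foreach ($rule in ([xml]$PolicyXml).SelectNodes($xpath)) {
        foreach ($cond in $rule.SelectNodes('Conditions/FilePathCondition')) {
            $path = $cond.GetAttribute('Path')
            foreach ($v in $vars.Keys) { $path = $path.Replace($v, $vars[$v]) }
            # 'C:\temp\*' -> 'C:\temp': audit the folder the wildcard covers.
            $folder = $path -replace '\\?\*.*$', ''
            if (-not $folder) { continue }
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

            $aces = (Get-Acl -LiteralPath $folder).GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            $hits = @($aces | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadSids -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band $writeMask)
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Rule       = $rule.GetAttribute('Name')
                    Collection = $rule.ParentNode.GetAttribute('Type')
                    Path       = $cond.GetAttribute('Path')
                    WritableBy = ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', '
                }
            }
        }
    }
}
```

Run it from an elevated PowerShell session on the PC whose effective policy you want to review; any row it returns is a path rule that standard users can drop files into.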

There's no built-in way to achieve what you want; there are no temporary admin rights. You could only use a script that you can trigger remotely that adds him to the admin group and removes him again after 30 minutes.

Do they only need those privileges for installations?

@btan: allowing them to run an installer via AppLocker does not mean they need no admin rights if setup requires admin rights.
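
One way to build the remotely triggered script suggested above, as an added example that is not the poster's code: the function name `Grant-TemporaryLocalAdmin`, the computer name and the account are hypothetical, and it assumes PowerShell remoting is enabled on the target PC and that the caller is already an administrator there.

```powershell
# Added example: grant local admin on one PC and schedule the removal on that PC,
# so the revocation does not depend on the helpdesk session staying open.
function Grant-TemporaryLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # DOMAIN\user only; the strict pattern keeps quotes out of the task command.
        [Parameter(Mandatory)] [ValidatePattern('^[\w.-]+\\[\w.-]+$')] [string] $Member,
        [ValidateRange(1, 240)] [int] $Minutes = 30
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Member, $Minutes -ScriptBlock {
        param($Member, $Minutes)
        $adminSid = 'S-1-5-32-544'   # built-in Administrators, independent of OS language
        $taskName = 'TempAdmin-Revoke-' + ($Member -replace '\W', '_')
        $revokeAt = (Get-Date).AddMinutes($Minutes)   # target PC's clock

        # Throws if the account is already a member, so a permanent admin
        # never gets a revocation task scheduled against them.
        Add-LocalGroupMember -SID $adminSid -Member $Member -ErrorAction Stop
        try {
            $cmd = "Remove-LocalGroupMember -SID '$adminSid' -Member '$Member'"
            $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
            $trigger = New-ScheduledTaskTrigger -Once -At $revokeAt
            $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                -LogonType ServiceAccount -RunLevel Highest
            # StartWhenAvailable: if the PC is off at $revokeAt, revoke at next start.
            $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
            Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                -Principal $principal -Settings $settings -Force -ErrorAction Stop | Out-Null
        }
        catch {
            # No revocation task means no grant: roll the membership back.
            Remove-LocalGroupMember -SID $adminSid -Member $Member
            throw
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $Member; RevokeAt = $revokeAt }
    }
}

# Usage (placeholder names):
# Grant-TemporaryLocalAdmin -ComputerName 'PC-0042' -Member 'CONTOSO\xyz' -Minutes 30
```

Group membership is read into the access token at logon, so the user has to log off and on to receive the rights, and a session opened during the window keeps them until it is logged off.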
btan (Exec Consultant) commented:
@mcknife, sure, as shared in my posting:
"...If you want to allow someone to perform the configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough as those need admin rights."
I was coming more from limited access and granting admin if really needed, on a need-to basis and for an ad hoc duration as shared; AppLocker is not the silver bullet but is there to (as much as possible) restrict what legit execution
FrankCrast (Co-founder and CEO) commented:
You may also consider BeyondTrust's PowerBroker solution. I've used this for Windows desktop in the past and it was one of the leading products in the field. I believe it offers some of the things you are looking for so may be worth looking into, if you haven't already.

They've also made some recent enhancements and product additions, to include file integrity monitoring and auditing/monitoring of activity (even with user privileges) and support for Windows servers.
btan (Exec Consultant) commented:
As a whole, any software installation that is configured for the user portion of a GPO will run with the security rights of the user. If the MSI requires access to elements that users do not have permissions to (either because they don't have the local rights or because they can't access components due to GPO restrictions), the installation will encounter problems or fail.

Eventually you still need a means of admin rights, but it is just on an ad hoc basis that we are looking at:
1. Run the installation as local system
(an installation under the Computer section of a GPO will be run as the local system, which has local administrator rights)
2. Temporarily elevate the user's permissions
(use GPO mechanisms such as restricted groups or group policy preferences to grant users the required rights and then revoke them once the program is successfully installed)
3. Use a scheduled task
(using GPP allows the administrator to deploy a scheduled task to the client system)
tabush (Author) commented:
Thanks guys. I also found this tool that may help
That tool does require the user to be already admin - no help.
btan (Exec Consultant) commented:
Yep, it needs admin rights - it is just like runas and still does not solve your use case. I doubt there is a means unless a backdoor exists in the OS, which it should not ...
The program has to be run with administrator level privileges. In general, you can just double-click on ETS.exe but you can also right-click on it and select Run as administrator from the context menu.

tabush (Author) commented:
No real solution to what I was looking for.
For several weeks we had not heard from you - now you select some comment that was not even meant to be an answer. I had offered you the idea of a scripted solution that you can trigger remotely. No feedback came in, neither to my suggestion, nor to my question. It should work out better if you honour helpers with some feedback.