Solved

Grant temporary local admin rights (ET)

Posted on 2014-09-19
Last Modified: 2014-11-03
I'm looking for a way to grant users in our domain temporary local admin rights so they can install software or make a change that's only allowed by a local admin.
I know through AD/group policy I can give them local admin rights, but that would require having them log out and back in. Then I would have to manually remove their rights.
Ideally what I would like is a tool on my AD server where I can say 'user xyz has admin rights for the next 30 minutes' and it would apply without requiring them to log out (or if they had to log out and back in I can deal with that). I just don't want to add them to a security group and then have to remember to remove them later on, etc.
It needs to be something we can do quickly, so if a user calls in and says 'I need to install some software ASAP' we can give them access right away.
Any suggestions on this?
0
Question by:tabush
12 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40332885
From the forum: the decision was made in Windows Vista to remove the Power Users group's elevated permissions in order to promote more secure deployments of the operating system. If you want to allow someone to perform configuration tasks (e.g. install applications, printers and drivers, or amend the network configuration) but not make them an Administrator, then it is tough, as those tasks need admin rights. You can explore making the user a member of the Network Configuration Operators group, but that group cannot fulfil those tasks as shared above; targeted tuning may be best if you need granularity and security. http://technet.microsoft.com/en-us/library/cc754921(v=ws.10).aspx

It is good to note that the reason we need to create standard user accounts is to protect the computer by preventing users from making changes that affect everyone who uses it. There are some use cases to consider (below), but if you intend to let engineers (and in your case all users) install the applications they require on an ad hoc basis, without having to go via the IT desk, that can be tough and needs to be balanced out... Pardon me for going round in circles, but the emphasis is to balance usability and security:

- Installing a Package with Elevated Privileges for a Non-Admin http://msdn.microsoft.com/en-us/library/aa369519(v=vs.85).aspx
- Allow non-admin to install software/printer http://social.technet.microsoft.com/Forums/windowsserver/en-US/eb4eda89-d4df-48d0-802c-b3974f0dcb06/allow-nonadmin-to-install-softwareprinter?forum=winserverDS

The least privilege principle is the basis, and AppLocker is worth exploring...

AppLocker, which is for application whitelisting, also manages policies for packaged apps and packaged app installers. AppLocker rules can be applied to specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules that apply to all users (the Everyone group) and then apply that GPO to a specific computer group. Hence, using a principle of least privilege scheme, create role-based groups and assign the rule to the users within that group.

For example, you could have one rule that allows the Finance group to run winword.exe, and you could also have a second rule that allows the HR group to run winword.exe.
0
 
LVL 2

Author Comment

by:tabush
ID: 40332966
I don't know that much about AppLocker, however I've looked at it in the past. I see you can create an allow rule for a specific path. Can you tell me if this will work:

If I create an allow rule (executable rule and Windows Installer rule) and add the path C:\temp\*, does that mean I can install any application if the installer is sitting in the C:\temp\ folder?

Not sure if that's how this works...
0
 
LVL 61

Expert Comment

by:btan
ID: 40333004
Yes.

The FAQ can come in handy: path rule conditions are based on the file or folder installation path of specific applications. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.
http://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx#BKMK_WhatRruleConditions

Also see AppLocker rules:
http://technet.microsoft.com/en-us/library/dd759068.aspx

Because a path condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can then copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.

AppLocker also allows you to generate default rules for each of the rule types.

Executable default rules:
- Allow members of the local Administrators group to run all applications.
- Allow members of the Everyone group to run applications that are located in the Windows folder.
- Allow members of the Everyone group to run applications that are located in the Program Files folder.

Windows Installer default rules:
- Allow members of the local Administrators group to run all Windows Installer files.
- Allow members of the Everyone group to run digitally signed Windows Installer files.
- Allow members of the Everyone group to run all Windows Installer files located in the Windows\Installer folder.
0
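The caveat above about user-writable path conditions is easy to check before a rule is created. The following is an added example (not code from the thread or from Microsoft) that lists every non-administrative principal able to create or modify files in a candidate folder; `$Path` defaults to the `C:\temp` the asker proposed and is a placeholder.

```powershell
# Added example, not code from the thread: before allowing a path such as C:\temp\* in an
# AppLocker rule, list which non-administrative principals can create or modify files
# there. $Path is a placeholder for the folder under consideration.
param([string]$Path = 'C:\temp')

# Any of these bits lets a principal place or alter an executable in the folder.
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

# Principals expected to write to protected locations. CREATOR OWNER is skipped because
# it only applies to objects the principal has already been allowed to create.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

$acl = Get-Acl -Path $Path
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    # Generic rights on inherited ACEs come back as negative values; the cast keeps the bit test valid.
    if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "$Path is writable by standard users; an AppLocker allow rule for it would let them run anything they copy there."
    $findings | Format-Table -AutoSize
} else {
    Write-Host "$Path is writable only by trusted principals; a path rule for it is defensible."
}
```

On a default install, a folder created directly under C:\ inherits a Modify ACE for Authenticated Users, so C:\temp would be reported as a finding.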
 
LVL 53

Expert Comment

by:McKnife
ID: 40334682
There's no built-in way to achieve what you want; there are no temporary admin rights. You could only use a script that you can trigger remotely that adds them to the Administrators group and removes them again after 30 minutes.

Do they only need those privileges for installations?

@btan: allowing them to run an installer via AppLocker does not mean they need no admin rights, if the setup requires admin rights.
0
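The scripted approach McKnife describes, written out as an added example (not code from the thread): it adds a domain user to a workstation's local Administrators group over the ADSI WinNT provider and registers a one-shot scheduled task on that workstation, running as SYSTEM, to remove the membership again. It assumes the helpdesk account running it is an administrator on the target, that `schtasks.exe` can reach the target over RPC, and that the target uses a US short-date format; the computer, domain and user names are placeholders.

```powershell
# Added example, not code from the thread: grant a domain user temporary membership in a
# workstation's local Administrators group and schedule its removal. Assumes the account
# running this is an admin on the target and that Task Scheduler is reachable over RPC.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # e.g. WS-042 (placeholder)
    [Parameter(Mandatory)][string]$Domain,         # NetBIOS domain name, e.g. CORP (placeholder)
    [Parameter(Mandatory)][string]$User,           # the user's sAMAccountName
    [int]$Minutes = 30
)

$group  = [ADSI]"WinNT://$ComputerName/Administrators,group"
$member = "WinNT://$Domain/$User"

# Refuse if the user is already a member, so the cleanup task cannot strip a permanent admin.
$names = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($names -contains $User) {
    throw "$User is already in Administrators on $ComputerName; nothing to grant."
}

$group.Add($member)
# The new group SID only appears in logon tokens created from now on, so the user must
# sign out and back in (or start a fresh runas session) before the elevation is usable.
Write-Host "$(Get-Date -Format s) Added $Domain\$User to Administrators on $ComputerName for $Minutes minutes"

# One-shot task, run as SYSTEM on the target, that removes the membership. /SD follows the
# target's short-date setting; MM/dd/yyyy assumes a US locale.
$when     = (Get-Date).AddMinutes($Minutes)
$taskName = "TempAdmin-Remove-$User"
$action   = "cmd.exe /c net localgroup Administrators $Domain\$User /delete"
schtasks.exe /Create /S $ComputerName /RU SYSTEM /SC ONCE /TN $taskName /TR $action `
    /ST $when.ToString('HH:mm') /SD $when.ToString('MM/dd/yyyy') /F | Out-Null

if ($LASTEXITCODE -ne 0) {
    # Never leave a permanent admin behind because the removal could not be scheduled.
    $group.Remove($member)
    throw "Could not schedule removal on $ComputerName; membership rolled back."
}
Write-Host "Removal scheduled as task '$taskName' at $($when.ToString('s'))"
```

The completed task stays registered on the workstation and serves as a record of when the grant expired; pair it with the 4732/4733 group-membership events in the Security log if you want a central audit trail.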
 
LVL 61

Expert Comment

by:btan
ID: 40334813
@McKnife, sure, as shared in my posting:
...If you want to allow someone to perform the configuration tasks (e.g. install applications, printers, drivers and amend the network configuration) but not make them an Administrator, then it is tough as those need admin rights.
I was coming more from limited access, granting admin rights only if really needed, on a need-to basis and for an ad hoc duration. As shared, AppLocker is not the silver bullet, but it restricts (as much as possible) what is legitimate to execute.
0
 
LVL 4

Expert Comment

by:FrankCrast
ID: 40335649
You may also consider BeyondTrust's PowerBroker solution. I've used this for Windows desktop in the past and it was one of the leading products in the field. I believe it offers some of the things you are looking for so may be worth looking into, if you haven't already.

They've also made some recent enhancements and product additions, including file integrity monitoring, auditing/monitoring of activity (even with user privileges) and support for Windows servers.

http://www.beyondtrust.com/Products/PowerBrokerforWindows/
0
 
LVL 61

Expert Comment

by:btan
ID: 40335814
As a whole, any software installation that is configured for the user portion of a GPO will run with the security rights of the user. If the MSI requires access to elements that users do not have permissions to (either because they don't have the local rights or because they can't access components due to GPO restrictions), the installation will encounter problems or fail.

Eventually you still need some means of admin rights, but it is just the ad hoc basis that we are looking at:
1. Run the installation as local system
(an installation under the Computer section of a GPO will run as the local system, which has local administrator rights)
2. Temporarily elevate the user's permissions
(use GPO mechanisms such as Restricted Groups or Group Policy Preferences to grant users the required rights and then revoke them once the program is successfully installed)
3. Use a scheduled task
(using GPP allows the administrator to deploy a scheduled task to the client system)
0
 
LVL 2

Author Comment

by:tabush
ID: 40339103
Thanks guys. I also found this tool that may help: https://www.foolishit.com/vb6-projects/ets-elevate-to-system/
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40339197
That tool requires the user to already be an admin - no help.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40339426
Yep, it needs admin rights; it is just like runas and still does not solve your use case. I doubt there is a means unless a backdoor exists in the OS, which it should not...
http://www.trishtech.com/2013/09/run-applications-with-system-level-privileges-using-ets/
The program has to be run with administrator level privileges. In general, you can just double-click on ETS.exe but you can also right-click on it and select Run as administrator from the context menu.
0
 
LVL 2

Author Closing Comment

by:tabush
ID: 40420068
No real solution to what I was looking for.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40420090
For several weeks we had not heard from you - now you select some comment that was not even meant to be an answer. I had offered you the idea of a scripted solution that you can trigger remotely. No feedback came in, neither to my suggestion nor to my question. It should work out better if you honour helpers with some feedback.
0