One Time Password for admin rights to install/update programs.

Last Modified: 2018-02-06
I have an issue where our domain users have no local admin rights and we want to keep it that way. What I'm hoping to find is a way to create a user account in Active Directory that has a password that changes each time someone uses it to make changes to a domain PC. I've seen it used in software to protect end users from making mistakes when configuring settings, just never run across such for AD. Thanks in advance for any suggestions. Also, welcome any questions if what I'm asking doesn't make sense.

yo_bee, Director of Information Technology
CERTIFIED EXPERT

Commented:
What type of updates are you trying to accomplish?
You may be able to script this to run on your domain vs. trying to have a continuous audit and change request for the account.

Not saying that it is not possible, just trying to look at this from another angle.

Author

Commented:
Any updates/changes that need to be made from a Domain User account. I'm definitely going to look into the LAPS deal. We are working on implementing scripts to update the software, but some sites don't "refresh" the VPN connection as much as others so they don't always pull the latest group policy or script.
Senior IT System Engineer, Senior Systems Engineer
CERTIFIED EXPERT

Commented:
Hi Josh,

Yes, the Active Directory environment will need to be running at least Windows Server 2003 SP1 and will require a schema update to support LAPS, to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.

Don't worry, the AD schema extension will not cause any downtime.

Author

Commented:
Just to make sure we're on the same page, a user on a computer gets hit with the admin login popup to install the upgrade or make changes to the PC. We give them a login and after it's used, it is no longer able to be used unless we give them a new login password.
Senior IT System Engineer, Senior Systems Engineer
CERTIFIED EXPERT

Commented:
Yes, that's the behavior of using LAPS.
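
Added example, not part of the original thread: a helpdesk "issue once, then rotate" workflow built on the two LAPS attributes named above. It assumes the legacy Microsoft LAPS management tools (the `AdmPwd.PS` module) and the ActiveDirectory module are installed and that the caller may read and reset the password; the function names, the 30-minute window and any computer name passed in are hypothetical.

```powershell
#Requires -Modules AdmPwd.PS, ActiveDirectory

function Invoke-LapsOneTimeIssue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Assumed grace window for the user to finish the install.
        [int] $ValidMinutes = 30
    )

    # Read the current local admin password (stored in ms-Mcs-AdmPwd).
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if ([string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password readable for $ComputerName (not managed, or no read right)."
    }

    # Pull ms-Mcs-AdmPwdExpirationTime forward so the client replaces the
    # password shortly after it has been handed out.
    $newExpiry = (Get-Date).AddMinutes($ValidMinutes)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective $newExpiry | Out-Null

    [pscustomobject]@{
        ComputerName = $entry.ComputerName
        Password     = $entry.Password
        RotatesAfter = $newExpiry
    }
}

function Test-LapsRotated {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [datetime] $IssuedExpiry
    )

    # The attribute holds a FILETIME. Once the client has rotated the password
    # it writes a new expiry (now + policy age), which is later than the one we set.
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $current  = [datetime]::FromFileTimeUtc($computer.'ms-Mcs-AdmPwdExpirationTime')
    $current -gt $IssuedExpiry.ToUniversalTime().AddMinutes(1)
}
```

The password only changes when the client next processes Group Policy after the expiry time and can reach a domain controller, so on sites with an intermittent VPN the issued password stays valid until that refresh happens. Run `Test-LapsRotated` with the returned `RotatesAfter` value to confirm the rotation before closing the ticket.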
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Josh, please don't forget to return with some feedback.

Author

Commented:
Sorry guys, got caught up in other projects and abandoned this one. Looks like I'll have to find another route for this, the company doesn't want to spend the money for a turnkey solution.
