Josh Garrett asked:
One-Time Password for admin rights to install/update programs.

I have an issue where our domain users have no local admin rights and we want to keep it that way. What I'm hoping to find is a way to create a user account in Active Directory that has a password that changes each time someone uses it to make changes to a domain PC. I've seen it used in software to protect end users from making mistakes when configuring settings, just never run across such for AD. Thanks in advance for any suggestions. Also, welcome any questions if what I'm asking doesn't make sense.
yo_bee:

What type of updates are you trying to accomplish?
You may be able to script this to run on your domain vs. trying to have a continuous audit and change request for the account.

Not saying that it is not possible, just trying to look at this from another angle.
SOLUTION
Albert Widjaja

Josh Garrett (ASKER)

Any updates/changes that need to be made from a Domain User account. I'm definitely going to look into the LAPS deal. We are working on implementing scripts to update the software, but some sites don't "refresh" the VPN connection as much as others so they don't always pull the latest group policy or script.
Hi Josh,

Yes, the Active Directory environment will need to be running at least Windows Server 2003 SP1, and it will require a schema update to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes that LAPS uses.

Don't worry, the AD schema extension will not cause any downtime.
Just to make sure we're on the same page: a user on a computer gets hit with the admin login popup to install the upgrade or make changes to the PC. We give them a login, and after it's used it can no longer be used unless we give them a new login password.
Yes, that's the behavior of using LAPS.
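As an added example that is not part of this thread (and not from any of the posters), a PowerShell script for the LAPS workflow discussed above: it checks for the two schema attributes Albert mentions, audits which principals can read the stored local administrator password, and expires that password right after a one-off use. The cmdlets are those of Microsoft's LAPS `AdmPwd.PS` module and the RSAT `ActiveDirectory` module; the OU and computer names are placeholders.

```powershell
# Added example (not from the original thread). Assumes the Microsoft LAPS
# AdmPwd.PS module and the RSAT ActiveDirectory module are installed on the
# admin workstation. 'OU=Workstations,DC=corp,DC=example' and 'PC-ACCTG-01'
# are placeholder names, not values from the thread.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# 1. Confirm the schema update was applied: both LAPS attributes must exist.
function Test-LapsSchema {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd*)' |
             Select-Object -ExpandProperty Name
    return (($attrs -contains 'ms-Mcs-AdmPwd') -and
            ($attrs -contains 'ms-Mcs-AdmPwdExpirationTime'))
}

# 2. Audit who can read the cleartext password attribute in the OU. Any
#    principal beyond the intended helpdesk group is a finding to remediate.
function Get-LapsReaders([string]$OrgUnit) {
    Find-AdmPwdExtendedRights -Identity $OrgUnit |
        Select-Object ObjectDN, ExtendedRightHolders
}

# 3. After the helpdesk hands out the password for a one-off task, expire it
#    immediately. The client rewrites ms-Mcs-AdmPwd at its next Group Policy
#    refresh, so the handed-out value stops working once the machine checks in,
#    not at the moment it is typed. Returns the new expiration time in UTC.
function Invoke-LapsRotation([string]$ComputerName) {
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    # The attribute is a 64-bit FILETIME; convert it to a readable timestamp.
    $c = Get-ADComputer $ComputerName -Properties ms-Mcs-AdmPwdExpirationTime
    return [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
}

if (Test-LapsSchema) {
    Get-LapsReaders -OrgUnit 'OU=Workstations,DC=corp,DC=example'
    Invoke-LapsRotation -ComputerName 'PC-ACCTG-01'
} else {
    Write-Warning 'LAPS schema attributes not found; run Update-AdmPwdADSchema first.'
}
```

Note that LAPS manages the password of a local administrator account on each PC, not an Active Directory user account, and the rotation is tied to the expiration time rather than to the password being used.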
ASKER CERTIFIED SOLUTION
Josh, please don't forget to return with some feedback.
Sorry guys, I got caught up in other projects and abandoned this one. Looks like I'll have to find another route for this; the company doesn't want to spend the money for a turnkey solution.