Temporary Local Admin Rights
A common question I get asked is: how do I grant users temporary local admin rights to their devices in an environment where they do not have them?
This is something that users may need from time to time, and that administrators / help desk do not want to manage manually, so is it possible to have a self-service request for this?
The basic idea
An end user goes into the company store, then searches for and selects the “Request Temporary Local Admin Rights” app, which notifies the user that they are about to receive local admin rights for xx hours and provides some sort of disclaimer that they should be used cautiously.
Behind the scenes, the script validates the request (based on device/credentials and maybe other parameters), logs the request (and maybe actions), adds the user to a local admin group, and then places a script on a timed queue to remove the user from it after xx hours (or a reboot).
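The behind-the-scenes flow described above, as an added PowerShell example (not the author's code, nor any of the scripts this page links to). It assumes Windows PowerShell 5.1 running elevated from the deployment tool; the function name, the `-AllowedUsers` list, the event source and the task name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; Grant-TempLocalAdmin, -AllowedUsers and the 'TempLocalAdmin' names are hypothetical.
function Grant-TempLocalAdmin {
    [CmdletBinding()]
    param(
        # DOMAIN\user form only; the strict pattern also keeps quotes out of the task command below.
        [Parameter(Mandatory)][ValidatePattern('^[\w.-]+\\[\w.-]+$')][string]$User,
        [Parameter(Mandatory)][string[]]$AllowedUsers,   # eligibility list from your own policy
        [ValidateRange(1, 8)][int]$Hours = 2
    )
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators, locale independent
    $source   = 'TempLocalAdmin'
    $taskName = 'TempLocalAdmin-' + ($User -replace '\\', '_')

    # 1. Validate the request before touching the group.
    if ($AllowedUsers -notcontains $User) { throw "Request denied: $User is not eligible." }
    if (Get-LocalGroupMember -SID $adminSid | Where-Object Name -eq $User) {
        throw "$User is already a local administrator; a timed removal would revoke a standing grant."
    }

    # 2. Log the request to the Application event log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
        -Message "Granting $User local admin rights for $Hours hour(s)."

    # 3. Register the removal first, so a failure here cannot leave a permanent admin behind.
    $cmd = "Remove-LocalGroupMember -SID '$adminSid' -Member '$User' -ErrorAction SilentlyContinue; " +
           "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
    $action   = New-ScheduledTaskAction `
                    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
                    -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
    $triggers = @(
        (New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours($Hours)),
        (New-ScheduledTaskTrigger -AtStartup)   # "or a reboot", whichever comes first
    )
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable   # catch up if the device was off
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $triggers `
        -Principal $principal -Settings $settings -Force | Out-Null

    # 4. Only now grant the rights.
    Add-LocalGroupMember -SID $adminSid -Member $User -ErrorAction Stop
}

# Constructed sample call:
# Grant-TempLocalAdmin -User 'CONTOSO\alice' -AllowedUsers 'CONTOSO\alice','CONTOSO\bob' -Hours 2
```

Group membership is read into the user's token at sign-in, so the grant takes effect at the next sign-in and a session that is already elevated keeps its rights until the user signs out, even after the removal task has run.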
Solution?
To my knowledge there is no off-the-shelf script or program, but I have seen this as a custom script in several organizations. Of course it is custom, as it needs to be tailored to each organization's security requirements.
First and foremost this must be a very secure application, with lots of built-in safeguards so it does not compromise your environment.
I looked through GitHub and other places and found a few scripts and/or programs that you can use as a starting point:
DISCLAIMER: These are SAMPLE SCRIPTS and should not be used as-is. I have no association with any of them, nor have I deep-dive tested them, so use them as sample guidelines.
- https://gist.github.com/janikvonrotz/7487228
- https://github.com/omgdanieltam/temporary_local_admin
- https://github.com/obs0lete/Grant-Admin
A good sample discussion on this topic at: