Owner of a Computer as Local Admin
(Last updated on June 26, 2019)
I helped a company last week to set up a solution where users could request to become local admin of their computers.
Generally I’m against users being local admin. That’s XP style… And nowadays a user usually does not need local admin access; it’s possible to get around most of the obstacles.
Local administrator rights tend to cause more problems than they solve, and they increase IT costs, as most IT staff are well aware. But let’s face it: there are scenarios where some users really do need to be local admin.
It’s possible to manage the local Administrators group in multiple ways. For example, adding “Authenticated Users” or “Domain Users” to the local Administrators group, which makes everyone local admin on all PCs, including when accessing a client remotely. Huge security risk!
Imagine a virus or worm on one client… It can spread uncontrollably throughout your network to all clients in seconds.
Then there are those who add “Interactive Users” to the local Administrators group, which only grants the locally logged-on user administrative rights on that PC and not over the network. That is slightly better, though users still get local admin access on every PC they log on to.
The above can be handled by scripts, Group Policy Preferences, or in the image being deployed. Quite basic stuff.
But I’ve also seen setups where a Group Policy Preference adds Domain\LocalAdmin-%computername% to the local Administrators group.
So if there is, for example, a Domain\LocalAdmin-CLIENT99 group, that group will be added to the local Administrators group on CLIENT99 and anyone in that group will have local admin access there.
That’s a great way to do it, and quite secure. Though it does require some administrative work each time there should be a local admin on a PC: someone has to create the group and add users to it.
Or you can add the user account to the local Administrators group manually, which once again is quite secure but requires a lot of administrative work.
The customer asked whether it would be possible not to grant everyone local admin on all PCs, but to have some control over who is admin on which PC, while still keeping administration to a minimum.
I gave it half a second’s thought before I said “Sure! I’ll set up a solution for you”.
I figured it would be easy to use the “ManagedBy” attribute in combination with the Specops Self Service Portal, which they had helped us beta test.
So the user can request local admin access and it will be approved by either IT or their manager, depending on the customer’s decision.
In this fictional case, I’ve allowed “Everyone” to request the service.
But I could also have restricted it to one or more units. For example, the “Research & Development” department could request it but would require approval and it would cost them 200-something per month,
while anyone from the “IT Department” could request it for free without approval.
The user can only request to become local administrator on a PC he is already tagged as owner of (ManagedBy).
The customer has the Specops Deploy CSE in place taking care of that, automatically keeping the “Managed By” attribute up to date.
So the user can request to become local admin on one or more of his assigned PCs. In most environments, the user only has one PC.
After the request has been approved, the computer is added to a domain security group, in this case “Service – Local Admin”.
You now have two options.
Either run the script below as a Startup Script through a Group Policy with security filtering on the group above, so it is only executed if the computer is a member of that group. You can’t use a Logon Script, since the user is not local admin yet and obviously can’t add anyone to the local Administrators group.
But if you use a Startup Script, it will be executed every time the computer starts. It’s of course possible to add a check so it does not carry out the change more than once, but it will still run. And if someone else becomes owner of that client, that user will automatically be added to the local Administrators group too.
Good or bad? Not sure… It depends how you look at it.
Either you have decided that for this PC, whoever is the owner should be local admin; in that case it’s good. Or you decided that this user can request to become local admin of that PC and no one else; then it’s a bad thing that other users can be made local admin too.
The other option is to execute the script from Specops Deploy / App. It will then be triggered at once, the user does not have to reboot (but needs to log on again to get the new group/admin permissions), and it will only be triggered once per PC.
It’s also possible to reverse the process. If the client is removed from the group, run an “uninstall script” that removes the user from the local Administrators group, which is something I didn’t care to configure at this time. Just clear the local Administrators group and add the default entries back to it.
I strongly recommend using Specops Deploy (or even Specops Command!) to execute the script. It gives you feedback and great control over which clients have run it and when.
I was about to write my own script that reads the ManagedBy user and adds it to the local Administrators group, but a quick Google search found a perfect script for my needs, written by David Granlund. It saved me some time. Thanks, David!
```vbscript
'==========================================================================
'
' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 2007
'
' NAME: AddLocalAdmins.vbs
'
' AUTHOR: David Granlund, Riverpoint AB
' DATE  : 2008-03-17
'
' COMMENT: Add accounts to local admin group
'
' INTENDED USE: As startup-script for computer to make sure assigned
'               manager get local administrator permissions
'
'==========================================================================
Option Explicit

' The backslashes in the two paths below (the UNC log folder and the WMI
' moniker) were lost when the page was extracted and have been restored.
Const LOG_FILE_PATH = "\\specops.test\dfs\InstallLogs\"
Const FOR_APPENDING = 8
Const DEFAULT_ADMIN = "CN=Administrator,OU=Users,DC=specops,DC=test"
Const DOMAIN_NETBIOSNAME = "SPECOPS"

Dim oSysInfo
Dim sManager
Dim sComputerName
Dim dtBegin
Dim sLocalAdminGroupName

sLocalAdminGroupName = getLocalAdministratorsGroupName()
dtBegin = Now()
sComputerName = CreateObject( "WScript.Shell" ).ExpandEnvironmentStrings( "%COMPUTERNAME%" )

' ADSystemInfo.ComputerName is the distinguished name of this computer's AD object;
' its managedBy attribute holds the DN of the owner set by the portal / Specops Deploy.
Set oSysInfo = CreateObject( "ADSystemInfo" )
sManager = GetADProperty( oSysInfo.ComputerName, "managedBy" )
' No owner tagged: fall back to the default account
If IsEmpty( sManager ) Then sManager = DEFAULT_ADMIN

SetLocalAdmin( sManager )

WScript.Echo "It took " & DateDiff( "s", dtBegin, Now() ) & " seconds to do this..."

Sub SetLocalAdmin( ByVal sUser )
    ' Reset the local Administrators group: remove every member except the
    ' built-in administrator (RID 500), then add the owner, Domain Admins
    ' and the local administrator account back.
    Dim objGroup, objUser, oDomainAdmins
    On Error Resume Next
    Set objGroup = GetObject( "WinNT://" & sComputerName & "/" & sLocalAdminGroupName & ",group" )
    If objGroup.PropertyCount > 0 Then
        For Each objUser in objGroup.Members
            If Left (objUser.SID, 6) = "S-1-5-" and Right(objUser.SID, 4) = "-500" Then
                'Skip local admin
            Else
                objGroup.Remove ( objUser.ADsPath )
                Wscript.Echo "Removing " & objUser.Name & " from local administrators."
            End If
        Next
        AddLocalAdmin( "WinNT://" & DOMAIN_NETBIOSNAME & "/" & GetADProperty( sUser, "sAMAccountName" ) )
        AddLocalAdmin( "WinNT://" & DOMAIN_NETBIOSNAME & "/Domain Admins" )
        AddLocalAdmin( "WinNT://" & sComputerName & "/administrator" )
    Else
        WriteError( "Failed to attach to local administrators group." )
    End If
    On Error GoTo 0
End Sub

Function GetADProperty(ByVal ADobject, ByVal attribute)
    ' Return value for attribute on ADobject (if there is one)
    ' Since i usually forget to init strings with "LDAP://" this is added here
    If Not UCase(Left(ADobject,7)) = "LDAP://" Then ADobject = "LDAP://" & ADobject
    'If the property is empty this would throw an error, we don't want that.
    On Error Resume Next
    GetADProperty = GetObject(ADobject).Get(attribute)
    On Error GoTo 0
End Function

Function AddLocalAdmin(ByVal sUser)
    ' Add the account at ADsPath sUser to the local Administrators group;
    ' returns True on success, False (and logs) on failure.
    Dim objGroup, objUser
    On Error Resume Next
    Err.Clear
    Set objGroup = GetObject("WinNT://" & sComputerName & "/" & sLocalAdminGroupName & ",group")
    Set objUser = GetObject(sUser)
    objGroup.Add(objUser.ADsPath)
    'objGroup.Add(sUser)
    If Err.Number <> 0 Then
        WScript.Echo "Failed to add " & sUser & " to Local Admingroup. Errorcode: " & Err.Number & " description " & Err.Description
        WriteError("Failed to add " & sUser & " to Local Admingroup.")
        Err.Clear
        AddLocalAdmin = False
    Else
        WScript.Echo "User " & sUser & " added to Local Admingroup."
        AddLocalAdmin = True
    End If
    On Error GoTo 0
End Function

Function getLocalAdministratorsGroupName()
    'Return local administrators group name (looked up by its well-known SID,
    'so the script also works on localized Windows installations)
    Const LOCAL_ADMINISTRATORS_GROUP = "S-1-5-32-544"
    Dim oWMI, colGroups, oGroup
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colGroups = oWMI.ExecQuery("SELECT Name FROM Win32_Group WHERE Sid = '" & LOCAL_ADMINISTRATORS_GROUP & "'",,48)
    If colGroups.count > 0 Then
        For Each oGroup in colGroups
            getLocalAdministratorsGroupName = oGroup.Name
            Exit Function
        Next
    Else
        getLocalAdministratorsGroupName = False
    End If
End Function

Sub WriteError(ByVal strMessage)
    'Write strMessage to logfile
    Dim oFS, oFile, strFileName
    Set oFS = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    strFileName = LOG_FILE_PATH & sComputerName & "LocalAdmin.log"
    Set oFile = oFS.OpenTextFile(strFileName, FOR_APPENDING, True)
    oFile.WriteLine Date() & vbTab & Time() & vbTab & "ERROR: " & strMessage
    Set oFile = Nothing
    Set oFS = Nothing
    On Error GoTo 0
End Sub
' End of script
```
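For current Windows builds, here is the same membership reset written in PowerShell, as an added example that is neither David's script nor Specops code. It assumes a domain-joined Windows 10 / Server 2016+ client with the Microsoft.PowerShell.LocalAccounts module, running as SYSTEM from a startup script or deployment tool; it compares members by SID so it is a no-op when rerun, and its -Revoke switch implements the "uninstall" path the text leaves unconfigured (keep only Domain Admins and RID 500).

```powershell
# Added example (not the page's script): PowerShell equivalent of AddLocalAdmins.vbs.
# Assumes a domain-joined client, run as SYSTEM. Re-running is a no-op once the
# group is already correct; -Revoke drops the owner and keeps only the defaults.
param([switch]$Revoke)

$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Get-AdEntrySid([System.DirectoryServices.DirectoryEntry]$Entry) {
    # objectSid is stored as a byte array in AD; turn it into a SID object
    New-Object System.Security.Principal.SecurityIdentifier($Entry.objectSid.Value, 0)
}

# Find this computer's own AD object via ADSI (no RSAT needed) and read managedBy.
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computer = $searcher.FindOne().GetDirectoryEntry()
$domainSid = (Get-AdEntrySid $computer).AccountDomainSid
$domainAdminsSid = [System.Security.Principal.SecurityIdentifier]"$($domainSid)-512"

# Desired membership: Domain Admins (RID 512) plus the owner unless revoking.
# The built-in Administrator (RID 500) is never touched, as in the VBScript.
$desired = @($domainAdminsSid)
$ownerDn = $computer.managedBy.Value
if (-not $Revoke -and $ownerDn) {
    $desired += Get-AdEntrySid ([ADSI]"LDAP://$ownerDn")
}
$desiredValues = @($desired | ForEach-Object { $_.Value })

# Current members, excluding RID 500. Get-LocalGroupMember can throw on an
# orphaned SID; let that surface instead of silently resetting the group.
$current = @(Get-LocalGroupMember -SID $adminsSid |
             Where-Object { -not $_.SID.Value.EndsWith('-500') })
$currentValues = @($current | ForEach-Object { $_.SID.Value })

# Remove anything not in the desired set (previous owners, manually added users).
foreach ($member in $current) {
    if ($desiredValues -notcontains $member.SID.Value) {
        Remove-LocalGroupMember -SID $adminsSid -Member $member
        Write-Output "Removed $($member.Name) from Administrators"
    }
}
# Add what is missing; nothing happens when the group is already correct.
foreach ($sid in $desired) {
    if ($currentValues -notcontains $sid.Value) {
        Add-LocalGroupMember -SID $adminsSid -Member $sid
        Write-Output "Added $($sid.Value) to Administrators"
    }
}
```

Because the owner is looked up from managedBy at run time, a startup-script deployment still shows the behaviour described above: a new owner of the same client is added at the next boot, and the previous owner is removed.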
Anyone who can think of any other services that would be useful or just cool to let the users order from a Portal?