Owner of a Computer as Local Admin

(Last updated on June 26, 2019)

I helped a company last week to set up a solution where users can request to become local admin of their own computers.

Generally I’m against users being local admin. That’s XP style… Nowadays a user usually does not need local admin access, and it’s possible to work around most of the obstacles.

Local Administrator rights tend to cause more problems than they solve and increase IT costs, as most IT staff are well aware. But let’s face it: there are scenarios where some users really do need to be local admin.

It’s possible to manage the local Administrators group in multiple ways. One is to add “Authenticated Users” or “Domain Users” to the local Administrators group, which makes everyone local admin on all PCs, including when accessing a client remotely. That is a huge security risk!

Imagine a virus or worm on one client… it can spread uncontrollably throughout your network to all clients in seconds.

Then there are the ones who add “Interactive Users” to the local Administrators group, which only grants the locally logged-on user administrative rights on that PC and not over the network. That is slightly better, though the users still get local admin access on every PC they log on to.

The above can be handled by scripts, by Group Policy Preferences, or in the image being deployed. Quite basic stuff.

But I’ve also seen setups where a Group Policy Preference adds a domain group named LocalAdmin-%computername% to the local Administrators group.

So if there is, for example, a domain group LocalAdmin-CLIENT99, that group is added to the local Administrators on CLIENT99, and anyone in that group has local admin access there.

That’s a great way to do it, and quite secure, though it does require some administrative work each time a PC needs a local admin: someone has to create the group and add users to it.

Or you can add the user account to the local Administrators group manually, which is once again quite secure but requires a lot of administrative work.

The customer asked if it would be possible to not grant everyone local admin on all PCs, but to have some control over who is admin on which PC, and still keep administration to a minimum.

I gave it half a second thought before I said “Sure! I’ll setup a solution for you”.

I figured it would be easy to use the “ManagedBy” attribute in combination with the Specops Self Service Portal that they have helped us beta test.

So the user can request local admin access, and it will be approved by either IT or his manager, depending on the customer’s decision.

In this fictional case I’ve allowed “Everyone” to request the service. But I could also have restricted it to one or more units. For example, the “Research & Development” department could request it, but it would require approval and would cost them 200-something per month.

Anyone from the “IT Department”, on the other hand, could request it for free and without approval.

The user can only request to become local administrator on a PC that he is already tagged as the owner of (ManagedBy).

The customer has the Specops Deploy CSE in place, which automatically keeps the “Managed By” attribute up to date.

So the user can request to become local admin on one or more of his assigned PCs. In most environments the user only has one PC.

After the request has been approved, the computer is added to a domain security group, in this case “Service – Local Admin”.

You now have two options.

Either run the script below as a Startup Script through a Group Policy, using Security Filtering on the above group, so that it only executes if the computer is a member of that group. You can’t use a Logon Script, since the user is not local admin yet and therefore obviously can’t add anyone to the local Administrators group.

But if you use a Startup Script, it will run each time the computer starts. It’s of course possible to add a check so it does not carry out the change more than once, but it will still run. And if someone else becomes owner of that client, that user will automatically be added to the local Administrators group too.

Good or bad? Not sure… It depends how you look at it.

You have either decided that for this PC, whoever is the owner should be local admin, in which case it’s good. Or you decided that this user can request to become local admin of that PC and no one else, in which case it’s a bad thing that other users can be made local admin too.

The other option is to execute the script from Specops Deploy / App. It is then triggered at once and the user does not have to reboot (but does need to log on again to get the new group/admin permissions), and it is only triggered once per PC.

It’s also possible to reverse the process. If the client is removed from the group, run an “uninstall script” that removes the user from the local Administrators group, which is something I didn’t care to configure at this time. Just clear the local Administrators group and add the default entries back to it.

I strongly recommend using Specops Deploy (or even Specops Command!) to execute the script. It gives you feedback and great control over which clients have run it and when.

I was about to write my own script that reads the ManagedBy user and adds it to the local Administrators group, but a quick Google search found a perfect script for my needs, written by David Granlund. It saved me some time. Thanks, David!

'==========================================================================
'
' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 2007
'
' NAME: AddLocalAdmins.vbs
'
' AUTHOR: David Granlund, Riverpoint AB
' DATE  : 2008-03-17
'
' COMMENT: Add accounts to local admin group
'
' INTENDED USE: As startup-script for computer to make sure assigned
'    manager get local administrator permissions
'
'==========================================================================

Option Explicit

' Note: the backslashes in the two paths in this script were lost when the page was
' extracted. They are restored below as a UNC log share and the standard WMI
' namespace; adjust LOG_FILE_PATH to your own environment.
Const LOG_FILE_PATH      = "\\specops.test\dfs\InstallLogs\"
Const FOR_APPENDING      = 8
Const DEFAULT_ADMIN      = "CN=Administrator,OU=Users,DC=specops,DC=test"
Const DOMAIN_NETBIOSNAME = "SPECOPS"

Dim oSysInfo
Dim sManager
Dim sComputerName
Dim dtBegin
Dim sLocalAdminGroupName

sLocalAdminGroupName = getLocalAdministratorsGroupName()
dtBegin = Now()
sComputerName = CreateObject( "WScript.Shell" ).ExpandEnvironmentStrings( "%COMPUTERNAME%" )

' ADSystemInfo.ComputerName is the distinguished name of this computer's AD object
Set oSysInfo = CreateObject( "ADSystemInfo" )
sManager = GetADProperty( oSysInfo.ComputerName, "managedBy" )

' No owner tagged on the computer object: fall back to the default admin account
If IsEmpty( sManager ) Then sManager = DEFAULT_ADMIN

SetLocalAdmin sManager

WScript.Echo "It took " & DateDiff( "s", dtBegin, Now() ) & " seconds to do this..."


Sub SetLocalAdmin( ByVal sUser )
    ' Reset the local Administrators group to: built-in Administrator, Domain Admins
    ' and the owner (sUser, a distinguished name) of this computer
    Dim objGroup, objUser

    On Error Resume Next

    Set objGroup = GetObject( "WinNT://" & sComputerName & "/" & sLocalAdminGroupName & ",group" )
    If objGroup.PropertyCount > 0 Then
        For Each objUser In objGroup.Members
            ' Keep the built-in Administrator account (RID 500); remove everyone else
            If Not ( Left( objUser.SID, 6 ) = "S-1-5-" And Right( objUser.SID, 4 ) = "-500" ) Then
                objGroup.Remove objUser.ADsPath
                WScript.Echo "Removing " & objUser.Name & " from local administrators."
            End If
        Next

        AddLocalAdmin "WinNT://" & DOMAIN_NETBIOSNAME & "/" & GetADProperty( sUser, "sAMAccountName" )
        AddLocalAdmin "WinNT://" & DOMAIN_NETBIOSNAME & "/Domain Admins"
        AddLocalAdmin "WinNT://" & sComputerName & "/administrator"
    Else
        WriteError "Failed to attach to local administrators group."
    End If

    On Error GoTo 0
End Sub


Function GetADProperty( ByVal ADobject, ByVal attribute )
    ' Return value for attribute on ADobject (if there is one); Empty otherwise

    ' Since I usually forget to init strings with "LDAP://" this is added here
    If Not UCase( Left( ADobject, 7 ) ) = "LDAP://" Then ADobject = "LDAP://" & ADobject

    ' If the property is empty this would throw an error, we don't want that.
    On Error Resume Next
    GetADProperty = GetObject( ADobject ).Get( attribute )
    On Error GoTo 0
End Function


Function AddLocalAdmin( ByVal sUser )
    ' Add the account at WinNT path sUser to the local Administrators group.
    ' Returns True on success, False (and logs the error) otherwise.
    Dim objGroup, objUser

    On Error Resume Next
    Err.Clear

    Set objGroup = GetObject( "WinNT://" & sComputerName & "/" & sLocalAdminGroupName & ",group" )
    Set objUser = GetObject( sUser )

    objGroup.Add objUser.ADsPath
    'objGroup.Add sUser

    If Err.Number <> 0 Then
        WScript.Echo "Failed to add " & sUser & " to Local Admingroup. Errorcode: " & Err.Number & " description " & Err.Description
        WriteError "Failed to add " & sUser & " to Local Admingroup."
        Err.Clear
        AddLocalAdmin = False
    Else
        WScript.Echo "User " & sUser & " added to Local Admingroup."
        AddLocalAdmin = True
    End If

    On Error GoTo 0
End Function


Function getLocalAdministratorsGroupName()
    ' Return the local Administrators group name, looked up by its well-known SID
    ' so the script also works on non-English Windows where the group is named differently

    Const LOCAL_ADMINISTRATORS_GROUP = "S-1-5-32-544"

    Dim oWMI, colGroups, oGroup

    On Error Resume Next

    Set oWMI = GetObject( "winmgmts:\\.\root\cimv2" )
    Set colGroups = oWMI.ExecQuery( "SELECT Name FROM Win32_Group WHERE Sid = '" & LOCAL_ADMINISTRATORS_GROUP & "'", , 48 )

    If colGroups.Count > 0 Then
        For Each oGroup In colGroups
            getLocalAdministratorsGroupName = oGroup.Name
            Exit Function
        Next
    Else
        getLocalAdministratorsGroupName = False
    End If
End Function


Sub WriteError( ByVal strMessage )
    ' Write strMessage to logfile
    Dim oFS, oFile, strFileName

    Set oFS = CreateObject( "Scripting.FileSystemObject" )

    On Error Resume Next

    strFileName = LOG_FILE_PATH & sComputerName & "LocalAdmin.log"
    Set oFile = oFS.OpenTextFile( strFileName, FOR_APPENDING, True )
    oFile.WriteLine Date() & vbTab & Time() & vbTab & "ERROR: " & strMessage
    Set oFile = Nothing
    Set oFS = Nothing

    On Error GoTo 0
End Sub

#End of script
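As an added example that is not part of the original post or David’s script: the same startup-script logic in PowerShell, with the “only carry out the change once” check mentioned above built in, so running it on every boot is harmless and only logs when the membership actually changed. It assumes Windows 10 / Server 2016+ (the LocalAccounts cmdlets), a domain-joined computer, and a constructed log path in $LogFile; members are compared by SID rather than by name.

```powershell
# Added example, not the author's script. Assumes Windows 10 / Server 2016+, domain-joined,
# running as SYSTEM from a GPO startup script; $LogFile is a constructed path.
$ErrorActionPreference = 'Stop'
$LogFile  = "$env:ProgramData\LocalAdmin.log"   # constructed path, adjust to your environment
$AdminsSid = 'S-1-5-32-544'                      # well-known SID of the local Administrators group

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s}`t{1}" -f (Get-Date), $Message)
}

function Get-DesiredAdminSids {
    # Desired members: built-in Administrator (RID 500), Domain Admins (RID 512) and the
    # owner from this computer's managedBy attribute, if one is set.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('managedBy', 'objectSid'))
    $computer = $searcher.FindOne()
    if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    $computerSid = New-Object System.Security.Principal.SecurityIdentifier($computer.Properties['objectsid'][0], 0)
    $desired = @(
        (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value
        "$($computerSid.AccountDomainSid.Value)-512"
    )
    if ($computer.Properties['managedby'].Count -gt 0) {
        $owner = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($computer.Properties['managedby'][0])")
        $ownerSid = New-Object System.Security.Principal.SecurityIdentifier($owner.Properties['objectSid'].Value, 0)
        $desired += $ownerSid.Value
    }
    return $desired
}

function Sync-LocalAdmins {
    # Bring the group to the desired state; returns $true only if something was changed.
    $desired = Get-DesiredAdminSids
    $current = @(Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.SID.Value })
    $changed = $false
    foreach ($sid in $current | Where-Object { $_ -notin $desired }) {
        Remove-LocalGroupMember -SID $AdminsSid -Member $sid; Write-Log "Removed $sid"; $changed = $true
    }
    foreach ($sid in $desired | Where-Object { $_ -notin $current }) {
        Add-LocalGroupMember -SID $AdminsSid -Member $sid; Write-Log "Added $sid"; $changed = $true
    }
    if (-not $changed) { Write-Log 'No change: Administrators already match the owner.' }
    return $changed
}

Sync-LocalAdmins | Out-Null
```

Because the desired state is recomputed from managedBy on every run, a change of owner is picked up automatically, which is exactly the behaviour discussed above as either good or bad depending on what you decided for that PC.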

Can anyone think of other services that would be useful, or just cool, to let users order from a portal?
