If you are willing to pay for a product, PowerBroker.

If not, here is how I'd tackle the problem:

1) Write a script that grants the current user admin rights, creates a
scheduled task to remove those admin rights, and then writes something
somewhere to signal the script was run.
2) Make a detection script that will show the app as detected if the
current user has admin rights, or if the script recently ran (which you can
find out from the last step in step 1).
3) Make a CI or a Package that runs every now and then on all computers
that might have elevated users. This will run a script to verify no one has
admin rights, and if they do have admin rights it checks for the scheduled
task. If no scheduled task, they lose admin rights.

On Thu, Apr 17, 2014 at 4:42 PM, JONES, RICK J <[email protected]> wrote:

>  Elevation of rights has been a battle for as long as I can remember
> while being here these 14 years, so I surely agree against having them.
>
> But… there are exceptions, and situations where a user gets all the
> authorized approvals from management and such.
>
>
>
> What I am after is a method to allow the approved user to self-elevate
> their rights at the given system without having to have field support
> interact on the system to do the work.
>
> But, then after the temporary elevation of rights time expires, then the
> rights would be stripped automatically.
>
>
>
> If that given user needs the rights again, they run the tool in Software
> Center and give themselves the elevated rights to do whatever it is that
> they need to do and then removed again.
>
>
>
> By doing something like this, the user is not left with elevated rights
> but only is elevated to that level as is needed but can self-support to
> elevate if needed.
>
>
>
> I think that even the most avid of Tech would be able to operate under
> such a mode because they know that they can self-elevate when needed but
> then are dropped down to standard user after the allotted time.
>
>
>
> Rick J. Jones
> Wireless from AT&T
> Domestic Desktop Application Management
> D: (425) 288-6240
> C: (206) 419-1104
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Ryan
> *Sent:* Thursday, April 17, 2014 2:33 PM
> *To:* [email protected]
> *Subject:* Re: [mssms] Temporary Elevation to Local Admin
>
>
>
> I would strongly advise against it, but if you are set on it I can
> recommend PowerBroker:
>
>
>
> http://www.beyondtrust.com/Products/PowerBrokerforWindows/
>
>
>
> It elevates programs and leaves the user with their standard rights. It
> can be horribly abused, but anything that gives a user admin rights can.
>
>
>
> On Thu, Apr 17, 2014 at 4:13 PM, JONES, RICK J <[email protected]> wrote:
>
>  Has anyone run across a tool or a script of any sort that could be
> deployed by SCCM to allow a user to self-elevate their rights to Local
> Administrator and then say, an hour later remove those admin rights?
>
>
>
> I have all kinds of ideas for it, but hoping that someone has already done
> this.
>
>
>
> Rick J. Jones
> Wireless from AT&T
> Domestic Desktop Application Management
> D: (425) 288-6240
> C: (206) 419-1104
>
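
The three steps at the top of this reply (grant with a scheduled removal and a marker, a detection script, a periodic sweep), written in PowerShell as an added example that is not part of the original thread. The function names, task-name prefix, registry key and 60-minute window are assumptions, and it relies on the LocalAccounts and ScheduledTasks cmdlets shipped with Windows PowerShell 5.1:

```powershell
# Added example, not from the original thread. Prefix, registry key and window are assumptions.
$AdminSid   = 'S-1-5-32-544'               # well-known SID of BUILTIN\Administrators
$TaskPrefix = 'TempAdmin-Revoke-'          # hypothetical task-name prefix
$MarkerKey  = 'HKLM:\SOFTWARE\TempAdmin'   # hypothetical marker location
$Minutes    = 60

function Resolve-Sid([string]$Account) {
    # Use SIDs throughout so no free-form text reaches the SYSTEM task's command line
    ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
}

function Grant-TempAdmin([string]$Account) {           # step 1; run elevated
    $sid     = Resolve-Sid $Account
    $expires = (Get-Date).AddMinutes($Minutes)
    $revoke  = "Remove-LocalGroupMember -SID $AdminSid -Member $sid; " +
               "Unregister-ScheduledTask -TaskName $TaskPrefix$sid -Confirm:`$false"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
    $trigger = New-ScheduledTaskTrigger -Once -At $expires
    $set     = New-ScheduledTaskSettingsSet -StartWhenAvailable   # still fires if the PC was off at expiry
    # Register the removal first: if this throws, no rights were ever granted
    Register-ScheduledTask -TaskName "$TaskPrefix$sid" -Action $action -Trigger $trigger `
        -Settings $set -User 'SYSTEM' -RunLevel Highest -Force -ErrorAction Stop | Out-Null
    Add-LocalGroupMember -SID $AdminSid -Member $sid -ErrorAction Stop
    if (-not (Test-Path $MarkerKey)) { New-Item $MarkerKey | Out-Null }
    Set-ItemProperty $MarkerKey -Name $sid -Value $expires.ToString('o')   # "script was run" signal
}

function Test-TempAdminDetected([string]$Account) {    # step 2; any output means "detected"
    $sid     = Resolve-Sid $Account
    $isAdmin = (Get-LocalGroupMember -SID $AdminSid).SID.Value -contains $sid
    $stamp   = (Get-ItemProperty $MarkerKey -ErrorAction SilentlyContinue).$sid
    $recent  = $stamp -and ([datetime]$stamp -gt (Get-Date))
    if ($isAdmin -or $recent) { 'Detected' }
}

function Invoke-AdminSweep([string[]]$AllowedSids) {   # step 3; periodic CI or package, run as SYSTEM
    foreach ($m in Get-LocalGroupMember -SID $AdminSid) {
        $sid = $m.SID.Value
        # Skip the built-in Administrator (RID 500) and approved admins such as Domain Admins
        if ($sid -like 'S-1-5-21-*-500' -or $AllowedSids -contains $sid) { continue }
        if (Get-ScheduledTask -TaskName "$TaskPrefix$sid" -ErrorAction SilentlyContinue) { continue }
        Remove-LocalGroupMember -SID $AdminSid -Member $sid
        Write-Output "Removed $($m.Name) from Administrators: no pending revoke task"
    }
}
```

An elevated user can delete the revoke task or edit the marker, which is why the step 3 sweep treats a missing task as grounds for removal.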


