Temporary Administrative Account

Guest

I have a problem that's been bugging me for years now and I thought I'd run
it up the flagpole to see what kind of ideas I could generate for solutions.
We have a number of remote users and road warriors that travel with laptops
and, more importantly, a pool of loaner units that go out for presentations,
educational events and infrequent travelers.

What I was wondering is, does anyone out there have a solution for safely
granting remote users local administrative rights to a system as needed
without all the headache of managing admin logons and passwords individually
for every remote machine? I've got several conceptual ideas on how this could
be accomplished but few thoughts on how to properly develop and implement.
The best solutions I see are:

-- Creating an administrative user as needed with a script that can be emailed
to users or sent with laptops that includes a customized expiration or self
deletion built in.
-- Every laptop would have an administrator account set up with a standard
password which we would give out as needed. The account would expire
after a specific number of logons or after a specific time.
-- An application or script that could grant the user administrative rights
within their own logon simply by providing them with a key that either changes
or rotates so that it is only good once.

Our current policy is to set up a common local user account on these laptops
with User level permissions. We've always struggled with problems that arise
when users are out of town and need administrative access to accomplish a
task. We've reluctantly had to give them the local admin logon in many cases,
hoping they would just forget it. Then we have to go and change the admin
passwords on all the loaners to keep them secure.

We've been able to work around many of the problems using remote support
such as WebEx support to gain remote control and run whatever procedure was
required using Run as... but when there is no Internet connectivity, this
becomes impossible.

I would like to hear ideas and comments on this from anyone else who has
similar issues. Even if you don't have solutions, perhaps a discussion of
problems, wants and needs will help to generate enough interest to coax
solutions out of the aether. I look forward to your input.
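
One way the third idea in the post above (a key that is only good once, usable with no Internet connectivity) could be checked on the laptop, as an added example that is not part of the original post or any poster's code. It uses the standard HOTP construction (RFC 4226); the names `machine_secret` and `ElevationGate`, the master key and the asset tag are assumptions of this sketch, and the actual granting of rights is left out.

```python
import hashlib
import hmac
import struct


def machine_secret(master_key: bytes, asset_tag: str) -> bytes:
    """Derive a per-laptop secret so a code issued for one loaner fails on another.
    master_key and asset_tag are assumptions of this sketch."""
    return hmac.new(master_key, asset_tag.encode(), hashlib.sha256).digest()


def one_time_code(secret: bytes, counter: int, digits: int = 8) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ElevationGate:
    """Laptop-side check. Assumes the secret and counter are stored where only
    SYSTEM and administrators can read or write them."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 3, digits: int = 8):
        self.secret = secret
        self.counter = counter   # next unused counter value
        self.window = window     # tolerate codes issued by phone but never typed in
        self.digits = digits

    def redeem(self, code: str) -> bool:
        """Accept a code once. A match burns it and every earlier counter value."""
        for c in range(self.counter, self.counter + self.window):
            expected = one_time_code(self.secret, c, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed sample values, not real keys or asset tags.
    secret = machine_secret(b"constructed-master-key", "LOANER-07")
    gate = ElevationGate(secret)
    code = one_time_code(secret, 0)   # what the help desk would read out by phone
    print("first use:", gate.redeem(code))
    print("replay:", gate.redeem(code))
```

The help desk keeps the master key and a per-machine counter, so no admin password is ever disclosed and nothing has to be changed on the other loaners after a code is used.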
 
Guest

I've been experimenting with an applet which (on supplying a password)
programmatically grants Admin rights to the existing user, logs them off and
back on, and in doing so launches a watchdog-process which sets a time-limit
on how long they may remain so. When the limit (typically 12hrs) expires the
user is warned, the rights are set back to limited, the watchdog uninstalled
and the user logged-off.

Advantage of this approach is that programs can be installed and configured
without the settings being lost, as they are if you set up as Administrator
then change user.

At the moment it's still experimental, wrote it a few months back and it
seemed to have significant benefits over the standard method. Never had time
to thoroughly test it though. (If I spent less time in here..)
 
Guest

Very cool. That's almost exactly the kind of thing I'm looking for. If you'd
like to have assistance testing at any point, feel free to contact me
offline. I'd be more than willing to give it a go.

My direct email is r[dot]beckwith[at-sign]ccul.org
 
Guest

OK, I've dug the code out and set up a test computer to give it a bit more
thorough shakedown.. It was actually quite near to a useable product anyway,
though some of the dialogs could do with polishing-up.

Should have a useable build available in a day or two, if you want to give
it a try.
 
Guest

Sent a pm containing location to download a test build.

Let me know how you get on.
 
Guest

Anteaus said:
Sent a pm containing location to download a test build.

Let me know how you get on.

Can I have this as well? I'm looking for exactly the same.

Thanks
 
