Sometimes you need to grant certain domain users, such as desktop support staff, the Network Configuration Operators role or even local Administrator rights on specific client machines so they can perform tasks that require elevated permissions. This can be done by manually adding the users to the appropriate local security groups, but it is a tedious, repetitive task, and there is a real risk of forgetting to remove the elevated permissions afterwards.
So, here is a script that grants the necessary permissions by adding the user to a specific privileged domain security group and locks the user down to specific computers (the account's "Log On To" restriction, so the user cannot log on to any computer other than the assigned one).
(**Note: Even though the user cannot RDP or log on interactively to other machines, he can still reach them remotely, for example over WSMan/PowerShell Remoting or with MMC snap-ins. To restrict that as well, use the predefined Windows Firewall rules or a GPO; those topics are not covered in this post.)
Things in brief:
- Add the domain security group to the client machines' local privileged security group. A GPO (Restricted Groups) can do this, but the client needs a gpupdate or a reboot before it takes effect.
- Then run the script on a domain controller or on a machine with RSAT installed, specify the username, the computer name and the allowed duration, and the countdown starts. When the time limit is reached, the user is automatically removed from the security group and the computer restriction is lifted, so there is no need to keep watching the window.
- If the user is already logged on to the client machine, he needs to log off and log on again for the change to take effect (the access token is built at logon and is not refreshed).
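The following is an added example, not the script the post links to, showing how the three steps above can be implemented with the ActiveDirectory module from RSAT. It assumes the group is already mapped to the local Administrators group by the Restricted Groups GPO described above, and it implements the computer lockdown with the account's LogonWorkstations ("Log On To") attribute, which is my assumption about how the post's script does it. The function names Grant-Access and Revoke-Access and the default values (Desktop Support Administrators, user1, Win-10-Test) are my own choices for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the post's downloadable script): temporary membership in a
# privileged domain group plus a 'Log On To' restriction to one computer.
param(
    [string]$UserName        = 'user1',                           # assumed demo values
    [string]$ComputerName    = 'Win-10-Test',
    [string]$GroupName       = 'Desktop Support Administrators',
    [int]   $DurationMinutes = 60
)
Import-Module ActiveDirectory

# Resolve all three objects first so a typo fails before anything is changed.
$user  = Get-ADUser     -Identity $UserName -Properties LogonWorkstations
$group = Get-ADGroup    -Identity $GroupName
$null  = Get-ADComputer -Identity $ComputerName

# Remember the existing 'Log On To' restriction so it can be restored afterwards.
$originalWorkstations = $user.LogonWorkstations

function Grant-Access {
    Add-ADGroupMember -Identity $group -Members $user
    # LogonWorkstations is a comma-separated list of NetBIOS names;
    # a single name restricts interactive logon to that machine only.
    Set-ADUser -Identity $user -LogonWorkstations $ComputerName
}

function Revoke-Access {
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    if ([string]::IsNullOrEmpty($originalWorkstations)) {
        # No previous restriction: clear the LDAP attribute, i.e. back to 'All computers'.
        Set-ADUser -Identity $user -Clear userWorkstations
    } else {
        Set-ADUser -Identity $user -LogonWorkstations $originalWorkstations
    }
}

Grant-Access
$expiry = (Get-Date).AddMinutes($DurationMinutes)
Write-Host "$UserName is now a member of '$GroupName' and limited to $ComputerName until $expiry"
Write-Host "The user must log off and log on again on $ComputerName for the new token to apply."

try {
    while ((Get-Date) -lt $expiry) {
        $remaining = $expiry - (Get-Date)
        $done      = [int](100 - ($remaining.TotalMinutes / $DurationMinutes * 100))
        Write-Progress -Activity "Temporary elevation for $UserName on $ComputerName" `
                       -Status ('Time remaining: {0:hh\:mm\:ss}' -f $remaining) `
                       -PercentComplete ([Math]::Max(0, [Math]::Min(100, $done)))
        Start-Sleep -Seconds 10
    }
}
finally {
    # Runs when the countdown expires and also if the operator presses Ctrl+C,
    # so an interrupted run does not leave the user in the privileged group.
    Revoke-Access
    Write-Host "Access for $UserName revoked; '$GroupName' membership and logon restriction removed."
}
```

Two caveats worth knowing before relying on this pattern. First, the `finally` block only runs while the PowerShell process is alive: closing the console window (rather than pressing Ctrl+C) kills the process and the grant lingers, which is exactly the forgotten-permission problem the post sets out to solve, so a follow-up check such as `Get-ADGroupMember 'Desktop Support Administrators'` belongs in your routine. Second, on a Windows Server 2016 or later forest with the Privileged Access Management optional feature enabled, `Add-ADGroupMember -MemberTimeToLive` gives a time-bound membership that the domain controller expires on its own, with no countdown process to keep running; the `Log On To` restriction would still need to be reverted separately.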
Here is the demo:
I have one domain controller and one client machine. My purpose is to give user1 the local administrator rights on client machine (Win-10-Test) for 1hr.
On Domain Controller, I created the security group named Desktop Support Administrators.
Create the group policy to define the Restricted Groups of the local machine and attach the policy to the OU1. We will also add Domain Admins in the Restricted Groups. See Fig-1.
Fig-1: Attach the GPO to put the domain security group into the local privileged security group
Type gpupdate /force on the client machine to immediately apply the GPO.
OK, now we’re going to run the script on the domain controller. Right-click the script and choose Run with PowerShell; it will prompt for the necessary information. Don’t close the window, since it closes by itself when the countdown reaches zero. You can check user1’s properties in the Active Directory Users and Computers console. See Fig-2.
You can download my script here.