Lockup Domain User in Specific Computer and Escalate Permissions

Sometimes, you will need to give some domain users (may be the desktop support) Network Configuration Operators role or even Local Administrator permissions on specific client machines so that they can fix something with the elevated permissions.  You can do this by simply adding these users into the necessary local security groups on these machines.
Nope! it’s a boring day-to-day task and what if you forget to remove these permissions later ?

Here, I wrote the script that will give the necessary permissions by adding them into the specific privileged domain security group and lock them up in the specific computers (so he can’t go nowhere now, except from the assigned one).
(**Note: Even user cannot RDP or interactive logon to the other machines, he still can access the other machines by WSMan or MMC Snap-Ins. For that case, you can restrict it by Windows Firewall Policy Predefined Rules or GPO the topics which are not covered in this post

Things in brief:

  • Add that specific domain security group into the client machines’ local security group and GPO can do this. But, you will need to do gpupdate or reboot the machine.
  • Then run the script in domain controller or machine with RSAT installed, specify the username, computer name, the allowed duration and the countdown will start thereafter. If the time limit is reached, the user will be automatically removed from the security group and unlock from specific computer. So no need to close the window.
  • If the user is currently logged on the client machines, he needs to logoff and login again to take effect

Here is the demo:
I have one domain controller and one client machine. My purpose is to give user1 the local administrator rights  on client machine (Win-10-Test) for 1hr.
On Domain Controller, I created the security group named Desktop Support Administrators.
Create the group policy to define the Restricted Groups of the local machine and attach the policy to the OU1. We will also add Domain Admins in the Restricted Groups. See Fig-1.

Fig-1: Attach the GPO to put the domain security group into the local privileged security group

 Type gpupdate /force on the client machine to immediately apply the GPO.
OK, now we’re going to run the script on domain controller. Right-click the script and choose Run with Powershell which will prompt for necessary information. Don’t close the windows since it will automatically close when the countdown reaches zero. You can check the user1’s properties in the Active Directory Users and Computers console. See Fig-2.

Fig-2: Running the script and check the actions
If you want to stop the script midway, you can press Ctrl+C which will automatically revoke user1’s permissions immediately. See Fig-3.
Fig-3: Stopping the script in the midway

You can download my script here.

Leave a Reply

Your email address will not be published. Required fields are marked *