Just in time access - local admin rights

Andreas 1,331 Reputation points
2022-01-25T12:04:41.073+00:00

Hi,

We have a "closed" environment, so there is no direct connection to the internet. It's not an office environment; it's industrial systems.
Our users are connecting through VPN.

Many of our users "need" to have local admin on several servers and workstations... it's a must due to some application.

We would like to implement "just-in-time access" so that userA can submit a request somewhere and will get local admin access on serverA for 2 hours or something like that.

I see that Microsoft Identity Manager would be used for this, but I have seen that on-premises is not something that MS will support for much longer, and will not develop further either.

Does anyone have this kind of solution implemented, either with MS or any third-party software, who could give some recommendations?

Thanks for any answer.

/R
Andy

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Devices and deployment | Configure application groups
Microsoft Security | Microsoft Identity Manager

2 answers

  1. Reza-Ameri 17,341 Reputation points Volunteer Moderator
    2022-01-25T16:04:58.213+00:00

    Your scenario is not supported with out-of-the-box solutions, but you may do it with some scripting.
    For example, you may use the Disable-LocalUser and Enable-LocalUser commands in PowerShell to disable or enable a user; when a user is disabled, they are not able to log in. Then you could create a Task Scheduler task and set a time to run the command to disable or enable the account based on the time and date.
    Make sure you have a local Administrator user to manage them, and you may perform remote management in case your PC is part of a domain.

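The answer above sketches the pattern (grant now, let Task Scheduler revoke later) without code. The script below is an added example, not code from the answer or from Microsoft, that implements it for the question's case: userA gets local Administrators on serverA for two hours, after which a scheduled task running as SYSTEM removes the membership and writes an event-log record of both the grant and the revocation. It assumes the target is domain-joined with PowerShell remoting enabled, the caller is already an administrator on the target, and the requester is a domain account; SERVERA, CONTOSO\userA, REQ-1234 and the JIT-LocalAdmin event source are placeholders, not names from the thread.

```powershell
# Added example (not from the answer above): time-boxed local admin membership
# with automatic revocation via Task Scheduler. All names are placeholders.
function Grant-JitLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. SERVERA (placeholder)
        [Parameter(Mandatory)] [string] $UserName,       # e.g. CONTOSO\userA (placeholder)
        [ValidateRange(1, 24)] [int]    $Hours = 2,      # cap the window to one working day
        [Parameter(Mandatory)] [string] $RequestId       # ticket / approval reference
    )

    $expires  = (Get-Date).AddHours($Hours)
    $taskName = 'JIT-Revoke-' + ($UserName -replace '[\\/@ ]', '_')

    Invoke-Command -ComputerName $ComputerName -ArgumentList $UserName, $expires, $taskName, $RequestId -ScriptBlock {
        param([string]$UserName, [datetime]$Expires, [string]$TaskName, [string]$RequestId)

        $source = 'JIT-LocalAdmin'   # hypothetical event source for the audit trail
        if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
            New-EventLog -LogName Application -Source $source
        }

        # 1. Grant: add the user to the local Administrators group (idempotent).
        $already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -eq $UserName }
        if (-not $already) {
            Add-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction Stop
        }

        # 2. Revocation script, written to disk in clear text so anyone auditing the
        #    machine can read what the task does. It revokes first, logs, then cleans up.
        $dir = Join-Path $env:ProgramData 'JIT-LocalAdmin'
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $scriptPath = Join-Path $dir "$TaskName.ps1"
        @"
Remove-LocalGroupMember -Group 'Administrators' -Member '$UserName' -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source '$source' -EventId 1001 -EntryType Information -Message 'Revoked local admin from $UserName (request $RequestId).'
Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false
Remove-Item -LiteralPath '$scriptPath' -Force
"@ | Set-Content -LiteralPath $scriptPath -Encoding UTF8

        # 3. One-shot task as SYSTEM at the deadline. StartWhenAvailable makes the
        #    revocation fire as soon as the machine is back if it was off at that time.
        $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                         -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
        $trigger   = New-ScheduledTaskTrigger -Once -At $Expires
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
        Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
            -Principal $principal -Settings $settings -Force | Out-Null

        # 4. Audit record on the target itself: who, what, until when, under which request.
        Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
            -Message "Granted local admin to $UserName until $Expires (request $RequestId)."
    }

    [pscustomobject]@{ Computer = $ComputerName; User = $UserName; ExpiresAt = $expires; RevokeTask = $taskName }
}

# Usage (placeholder names):
# Grant-JitLocalAdmin -ComputerName SERVERA -UserName 'CONTOSO\userA' -Hours 2 -RequestId 'REQ-1234'
```

Two design points worth noting: the revocation task removes the group membership before it unregisters itself, so an interrupted cleanup never leaves the grant in place, and the grant is recorded in the Application log on the target, which lets the SIEM reconcile every local Administrators change (event 4732/4733 on the target) against a request ID rather than treating it as unexplained.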

  2. Limitless Technology 39,926 Reputation points
    2022-01-25T17:25:18.19+00:00

    Hello Andreas,

    You are right, and if we were talking about some hybrid AD environment it could be done in a different way.

    My personal recommendation is to use the LAPS tool to change the local admin password for a specific machine upon request when a user needs it, and scramble the password after X hours.

    LAPS Usage: https://learn.microsoft.com/en-us/defender-for-identity/cas-isp-laps

    LAPS download https://www.microsoft.com/en-us/download/details.aspx?id=46899

    ---------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

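The answer above describes the LAPS flow in one sentence. The script below is an added example, not code from the answer or from the LAPS product, showing how that "hand out the password now, scramble it after X hours" flow looks with the AdmPwd.PS module that ships with the LAPS download linked above: the current password is read from the computer object, the expiration attribute is set to the end of the window so the LAPS client rotates the password on its next Group Policy refresh after the deadline, and the hand-out is logged. It assumes LAPS is already deployed by GPO on the target, the caller has been delegated read rights on ms-Mcs-AdmPwd and write rights on ms-Mcs-AdmPwdExpirationTime, and that the cmdlet names and parameters are those of the AdmPwd.PS module as I know them; SERVERA, CONTOSO\userA, REQ-1234 and the JIT-LAPS event source are placeholders.

```powershell
# Added example (not from the answer above): JIT hand-out of a LAPS-managed
# local admin password with forced rotation after the window. Names are placeholders.
Import-Module AdmPwd.PS -ErrorAction Stop      # module installed by the LAPS management tools

function Request-LapsJitPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. SERVERA (placeholder)
        [Parameter(Mandatory)] [string] $Requester,      # e.g. CONTOSO\userA (placeholder)
        [ValidateRange(1, 24)] [int]    $Hours = 2,
        [Parameter(Mandatory)] [string] $RequestId       # ticket / approval reference
    )

    $expires = (Get-Date).AddHours($Hours)

    # 1. Read the current password from AD. LAPS itself has no per-user attribution
    #    (everyone uses the same local account), so auditing this read, via a SACL on
    #    ms-Mcs-AdmPwd plus the log entry below, is what ties the session to a person.
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) { throw "No LAPS password stored for $ComputerName" }

    # 2. Move the expiration to the end of the window. The LAPS client rotates the
    #    password on its next Group Policy refresh after that time, so the effective
    #    window is $Hours plus up to one refresh interval (default: 90 minutes plus offset).
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective $expires

    # 3. Record the hand-out somewhere the requester cannot edit.
    $source = 'JIT-LAPS'   # hypothetical event source
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 2000 -EntryType Information `
        -Message "LAPS password for $ComputerName issued to $Requester until $expires (request $RequestId)."

    [pscustomobject]@{
        Computer  = $ComputerName
        Password  = $entry.Password
        ExpiresAt = $expires
    }
}

# Optional: once the deadline has passed, trigger a policy refresh on the target so
# the rotation does not wait for the next scheduled refresh (requires remoting).
function Invoke-LapsRotationNow {
    param([Parameter(Mandatory)] [string] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate.exe /target:computer /force | Out-Null
    }
}

# Usage (placeholder names):
# $grant = Request-LapsJitPassword -ComputerName SERVERA -Requester 'CONTOSO\userA' -Hours 2 -RequestId 'REQ-1234'
# ... later, after $grant.ExpiresAt:
# Invoke-LapsRotationNow -ComputerName SERVERA
```

The main caveat for the questioner's scenario is in step 2: setting the expiration does not change the password at that instant, the client does on its next policy refresh, so either accept a window that is a little longer than X hours or push the refresh explicitly as the second function does.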
