add normal user or users to local administrator group for certain time through GPO and PowerShell

SysAdmin 151 Reputation points
2023-03-29T10:02:20.36+00:00

Hi

Besides adding a normal user to the local Administrators group manually on his computer, how do I add a normal user or users to the local Administrators group on their computer for a certain time, so that the user or users are automatically removed from the local Administrators group afterwards?

Is there a way to do it through GPO and PowerShell?

Kind Regards.


Accepted answer
  1. MotoX80 31,561 Reputation points
    2023-04-04T01:06:53.7+00:00

    Using the task scheduler would seem to be the simplest solution. You'll need an account that has admin access on the workstation. WMI also needs to be available. Here is a script that you can use as a starting point. There are a few minor issues with this technique. If the user is logged on when his account is added/removed from the admins group, a logoff will be required to implement the change. So if the user is logged on, and has admin access, that logon session will still have admin access even if the account is removed from the admins group. And if your user is tech savvy, once he has admin access, he could delete the task that removes his account from the admins group. So you might want to add some functionality to verify that the "remove" worked.

    # This script must be run with an account that has admin access on the remote machine,
    # and WMI/CIM (WinRM) must be reachable on that machine.
    $user = 'testuser'                            # the account to use. can be in the domain\userid format
    $computer = 'test10'                          # the machine where access is to be granted.
    $from = (get-date).AddSeconds(30)             # when to grant the access
    $to = (get-date).AddMinutes(30)               # when to remove the access

    # One CIM session to the remote machine; both tasks are registered through it
    $session = New-CimSession -ComputerName $computer

    # "Add" task: drop any previous copy first so a re-run does not fail on a duplicate name,
    # then register a one-shot task that runs net.exe as SYSTEM at $from
    unregister-scheduledtask -TaskName "Admin-Add-$user" -confirm:$false -CimSession $session -ErrorAction SilentlyContinue
    $ac = New-ScheduledTaskAction -Execute "net.exe" -Argument "localgroup Administrators ""$user"" /add"
    $tr = New-ScheduledTaskTrigger -once -at $from
    $ts = New-ScheduledTaskSettingsSet -StartWhenAvailable                      # run late if the machine was off at $from
    $pr = New-ScheduledTaskPrincipal -LogonType ServiceAccount -RunLevel Highest -UserId "NT AUTHORITY\SYSTEM"   # LocalSystem, no stored password
    Register-ScheduledTask -TaskName "Admin-Add-$user" -Trigger $tr -Action $ac -Settings $ts -Principal $pr  -CimSession $session

    # "Remove" task: same pattern at $to, with settings that let it fire on battery or wake the machine,
    # so the removal is not skipped just because the laptop is unplugged or asleep
    unregister-scheduledtask -TaskName "Admin-Remove-$user" -confirm:$false -CimSession $session -ErrorAction SilentlyContinue
    $ac = New-ScheduledTaskAction -Execute "net.exe" -Argument "localgroup Administrators ""$user"" /delete"
    $tr = New-ScheduledTaskTrigger -once -at $to
    $ts = New-ScheduledTaskSettingsSet  -StartWhenAvailable -DontStopIfGoingOnBatteries -WakeToRun -AllowStartIfOnBatteries
    $pr = New-ScheduledTaskPrincipal -LogonType ServiceAccount -RunLevel Highest -UserId "NT AUTHORITY\SYSTEM"
    Register-ScheduledTask -TaskName "Admin-Remove-$user" -Trigger $tr -Action $ac -Settings $ts -Principal $pr -CimSession $session

    # https://iamsupergeek.com/self-deleting-scheduled-task-via-powershell/
    
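The answer above points out that a user who already has admin rights can delete the "remove" task, and suggests verifying that the removal actually happened. The following is an added example, not part of MotoX80's script: run it from the admin host after $to has passed, and it checks on the target machine both that the account is out of the local Administrators group (removing it again if not) and that the Admin-Remove task still exists. It assumes PowerShell Remoting is enabled on $computer, that the caller is an admin there, and that $user is the plain account name used when the tasks were registered.

```powershell
# Added example (not MotoX80's code): verify that the timed removal really took effect.
# Assumes PowerShell Remoting is enabled on $computer and the caller is an admin there.
$user     = 'testuser'        # plain account name, as used in the task names above
$computer = 'test10'          # same target machine as in the script above

$result = Invoke-Command -ComputerName $computer -ArgumentList $user -ScriptBlock {
    param([string]$u)
    $leaf   = ($u -split '\\')[-1]       # 'domain\userid' or 'userid' -> 'userid'
    $status = [ordered]@{
        Computer         = $env:COMPUTERNAME
        User             = $u
        # a one-shot task stays registered after it fires, so a missing task means someone deleted it
        RemoveTaskExists = [bool](Get-ScheduledTask -TaskName "Admin-Remove-$u" -ErrorAction SilentlyContinue)
        StillAdmin       = $false
        RemovedAgain     = $false
    }
    # Get-LocalGroupMember reports members as COMPUTER\name or DOMAIN\name, so compare on the leaf name
    $match = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
             Where-Object { ($_.Name -split '\\')[-1] -ieq $leaf }
    if ($match) {
        $status.StillAdmin = $true
        Remove-LocalGroupMember -Group 'Administrators' -Member $match.Name -ErrorAction Stop
        $status.RemovedAgain = $true
    }
    [pscustomobject]$status
}

$result | Format-List Computer, User, RemoveTaskExists, StillAdmin, RemovedAgain
if ($result.StillAdmin) {
    Write-Warning "$user was still in Administrators on $computer and has been removed again."
}
if (-not $result.RemoveTaskExists) {
    Write-Warning "Task Admin-Remove-$user no longer exists on $computer; find out who deleted it."
}
```

Two caveats from the answer still apply: a logon session that was started while the account was an admin keeps its admin token until logoff, so this check confirms group membership, not what a still-open session can do. Also, Get-LocalGroupMember can throw on machines whose Administrators group contains orphaned SIDs; in that case `net localgroup Administrators` output is a workable fallback for the membership check.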

3 additional answers

  1. Sedat SALMAN 13,075 Reputation points
    2023-03-30T06:42:49.28+00:00

    If you want to do this with GPO, there is a way to do it:

      1. Create a Scheduled Task using Group Policy: Navigate to the desired Organizational Unit (OU) where the target computers are located. Right-click the OU and select "Create a GPO in this domain, and Link it here." Navigate to "Computer Configuration" > "Preferences" > "Control Panel Settings" > "Scheduled Tasks." Right-click "Scheduled Tasks" and select "New" > "Scheduled Task (At least Windows 7)." Configure the scheduled task with the desired settings, such as triggers and actions. You'll need to create two tasks: one to add the user to the local administrators group and another to remove the user.
    ##For adding a user (AddUserToLocalAdmin.ps1):

    $username = "DOMAIN\Username"
    # [ADSI] binds to a directory object; the WinNT provider addresses local SAM objects, and "." is this computer
    $group = [ADSI]"WinNT://./Administrators"
    # WinNT paths use forward slashes, so DOMAIN\Username has to become WinNT://DOMAIN/Username
    $user = [ADSI]"WinNT://$($username -replace '\\','/')"
    # .Path is the object's ADsPath string; Add() takes the member's path, not the object itself
    $group.Add($user.Path)

    ##For removing a user (RemoveUserFromLocalAdmin.ps1):

    $username = "DOMAIN\Username"
    $group = [ADSI]"WinNT://./Administrators"
    $user = [ADSI]"WinNT://$($username -replace '\\','/')"
    # Remove() likewise takes the member's ADsPath
    $group.Remove($user.Path)
    
    2. In the Scheduled Task created in step 1, configure the tasks to run the PowerShell scripts. For the "Action" in each task, choose "Start a program," and set the following settings:
      • Program/script: powershell.exe
      • Add arguments (optional): -ExecutionPolicy Bypass -File "Path\to\AddUserToLocalAdmin.ps1" for the adding task, and -ExecutionPolicy Bypass -File "Path\to\RemoveUserFromLocalAdmin.ps1" for the removing task.
    3. Configure the scheduled tasks to run at the desired times. The first task will add the user to the local administrators group, and the second task will remove them after a certain period.
    4. Close the GPO editor and wait for the policy to propagate to the target computers, or force a group policy update using gpupdate /force on the target computers.

    Once these steps are completed, the users will be added to the local administrators group on their computers for the specified time and will be automatically removed afterward.
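A GPO-deployed scheduled task runs on every computer in the OU, so the script it launches has to decide for itself whether this computer and user are meant to be paired. The following is an added example, not Sedat SALMAN's script: a single script for both tasks that reads a computer/user mapping, acts only when the local computer name is listed, uses the same [ADSI] WinNT objects as above, and is idempotent and logged. The mapping path, log path and the CSV contents are placeholders and assumptions.

```powershell
# Added example (not the answer's own script): one script for both GPO tasks.
# Run as:  powershell.exe -ExecutionPolicy Bypass -File TempAdmin.ps1 -Action add
#          powershell.exe -ExecutionPolicy Bypass -File TempAdmin.ps1 -Action remove
# The task runs as SYSTEM, so the computer account needs read access to $MappingPath.
param(
    [Parameter(Mandatory)][ValidateSet('add', 'remove')][string]$Action,
    [string]$MappingPath = '\\SERVER\Share\TempAdmin.csv',              # placeholder: Computer,User rows
    [string]$LogPath     = "$env:ProgramData\TempAdmin\TempAdmin.log"   # placeholder log location
)
# Mapping file (constructed example content):
#   Computer,User
#   TEST10,CONTOSO\alice
#   TEST11,CONTOSO\bob
$rows = Import-Csv -Path $MappingPath | Where-Object { $_.Computer -ieq $env:COMPUTERNAME }
if (-not $rows) { return }   # this computer is not paired with anyone: do nothing

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Bind to the local Administrators group; "." is this computer
$group = [ADSI]'WinNT://./Administrators,group'
# ADsPath of every current member, e.g. WinNT://CONTOSO/alice
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

foreach ($row in $rows) {
    $adsPath  = 'WinNT://' + ($row.User -replace '\\', '/')   # DOMAIN\user -> WinNT://DOMAIN/user
    $isMember = $members -icontains $adsPath
    switch ($Action) {
        'add'    { if (-not $isMember) { $group.Add("$adsPath,user");    $msg = 'added' }
                   else                { $msg = 'already a member' } }
        'remove' { if ($isMember)      { $group.Remove("$adsPath,user"); $msg = 'removed' }
                   else                { $msg = 'not a member' } }
    }
    "$(Get-Date -Format s) $Action $($row.User) on $env:COMPUTERNAME : $msg" | Add-Content -Path $LogPath
}
```

Because the script only touches pairs whose Computer column matches $env:COMPUTERNAME, the same GPO can be linked to the whole OU without granting the user admin rights on every machine in it, and the log gives a record of each grant and removal to compare against the mapping file.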


  2. SysAdmin 151 Reputation points
    2023-04-02T09:47:55.1866667+00:00

    Thank you for your help.

    After I create the GPO, how do I link the exact user account to the exact computer account? The OU will contain a lot of computer accounts, and the script adds accounts to the local admin group without specifying the computer name, so I am afraid that it will add the user/users to all computers in the OU, unless they are already bonded together from the beginning after the user logged in for the first time.

    Regarding the PowerShell script, can you explain the code?

    For example, what are [ADSI] and 'WinNT', and how are they used?

    Also, what does ".Path" refer to?

    ##For adding a user (AddUserToLocalAdmin.ps1):

    $username = "DOMAIN\Username"
    $group = [ADSI]"WinNT://./Administrators"
    $user = [ADSI]"WinNT://$($username -replace '\\','/')"   # WinNT paths use forward slashes
    $group.Add($user.Path)
    

  3. SysAdmin 151 Reputation points
    2023-04-05T12:27:47.2166667+00:00

    Thank you for your help, MotoX80. I have a few inquiries; please explain them:

    1. As I understand it, CimSession is used for connecting to the computer. Is it the same as PSSession? Also, does GPO do the job?
       $session = New-CimSession -ComputerName $computer

    2. Why did you begin with "unregister-scheduledtask" and then end with "Register-ScheduledTask"? What is the difference or logic behind it?
       unregister-scheduledtask -TaskName "Admin-Add-$user" -confirm:$false -CimSession $session -ErrorAction SilentlyContinue

       Register-ScheduledTask -TaskName "Admin-Add-$user" -Trigger $tr -Action $ac -Settings $ts -Principal $pr  -CimSession $session

    3. What is "NT AUTHORITY\SYSTEM", and why did you select "ServiceAccount"? Please can you explain more about this line of code:
       $pr = New-ScheduledTaskPrincipal -LogonType ServiceAccount -RunLevel Highest -UserId "NT AUTHORITY\SYSTEM"

    4. What resources do you recommend for learning Windows Server and Windows client architecture? I want to dive deep to understand the Windows OS parts, how they work, and how they are connected together, for example "NT AUTHORITY\SYSTEM" or "WMI" and much more. Although there is the Microsoft documentation, I need resources I can learn from easily and practically; I want to improve my knowledge to where I can utilize it at work, for example in scripting, system design or integration, etc.
    5. What resources do you recommend for learning PowerShell in general and then going deep into specific subjects, for example Active Directory, managing the OS, GPO, etc.?

    Kind Regards,