SOLVED Users request local admin rights

[Skylar Ragan]

I work at a medium sized software company with a relatively small IT team. Our security policy currently allows end users to request local admin rights on their laptop with their managers approval. If they don't have approval from their manager, we review what they wanted to accomplish and so long as it won't break anything, we have to go to the machine, and use our credentials to perform a one-off task. What I'd like to be able to do, is have a script/application/package available in Software Center that requires approval, that an end user can request, and if we approve the access, they'll be added to the local admin group. Even better if it can be done on a temporary basis! I figure if this can be done in the way I imagine, it would free up my teams time to focus on other tasks.

We have something like this setup for our mac users (we're in a hybrid environment) using Casper, but I'd like to achieve this on the Windows side as well. Any ideas?

 

[Prajwal Desai]

Is it just for installing applications on end users computer ?. Using SCCM, you could deploy an app to a user collection and this will need approval. Once approved by admin, the software is available to install using software center which doesn't require end user's permission. Check this - http://prajwaldesai.com/deploying-applications-to-users-using-sccm-2012-r2/

"What I'd like to be able to do, is have a script/application/package available in Software Center that requires approval, that an end user can request, and if we approve the access, they'll be added to the local admin group" - I am not sure if this can be done using a package and I feel we have to deal this without SCCM.

 

[Skylar Ragan]

While I see the point you make, there are some scenarios where it's easier for the enduser to just have the local admin rights. The most common scenario is all the users who have their own one-off software. We have so many users (usually the developers) who use their own specialized tools to help them do their job, and many times there's only the one person at the company using that particular tool. In cases like that, it doesn't make much sense to add the application to SCCM for deployment.

 

[Prajwal Desai]

The most common scenario is all the users who have their own one-off software - In such cases it would be better to provide admin rights to users. If you are deploying it via SCCM, you have control over deployments (installation and un-installation). More over you can track the number of deployments.

 

[Jonathan Mariduena]

While I totally agree with Mr. Prajwal, I ran into a similar issue a while back. This was my solution, I create a separate OU and a GPO linked to it. Every time I wanted to give full access to a domain user locally I dropped the machine in the container and when the change was completed, I ran a power shell script every night via SCCM to reverse the changes made, meaning that it removed the computer from the "Full access OU " and placed the device in original location. The GPO was configured to grant Domain users full access.

Best Regards,
Jonathan