MakeMeAdmin script |
It's a clever script and probably useful for admins and developers who are cautious with their own logins but I'm not sure it would be advisable to have regular users in an organization use it (not that the author is advocating such use). First, the fact that you have to enter two passwords when you run the script is a turn-off and a step back from an ordinary runas script. Second, there is a risk of the user's privilege elevation not being removed. If the script is exited before step 4, *every* subsequent login by that user on the computer will be as a local Admin. I'm not thinking about this being done intentionally (you're already trusting the user with a local admin password) but accidentally by closing the command prompt window before logging in with their own password.
The risk could be mitigated by a system scheduled task that would check the Admin group membership, say, once an hour and removing anyone who shouldn't be there permanently. Ooh, this could be incorporated into the script! After step 2 but before step 3, the script could create a one-time scheduled task to remove the user from the Admin group 5 minutes in the future. The user would then have to login to the second runas with their own account within 5 minutes for them to have admin privileges. This would remove the window of time in which someone could accidentally be added to the Admin group for an extended period.
Looking at the script, I think the thing to do would be to add a line like the following someplace before the 2nd runas:
soon.exe 300 net localgroup %_Group_% "%*" /DELETE
%_Group_% is a variable containing the name of the Administrators gropu and %* is the current user's name. Soon.exe is a Resource Kit program for scheduling tasks X number of seconds in the future. The problem with using soon.exe is has to be in the path of the local admin user and since the local admin can't access domain resources, that means it has to be on the local drive. A nuisance but as long as you're installing this script on a computer, I guess you can install soon along with it. I'm sure there are other ways to schedule a task to run X minutes in the future that don't involve separate executables but I'll leave those as an exercise for the reader.