Elevation of rights has been a battle for as long as I can remember while being here these 14 years, so I surely agree against having them. But… there are exceptions, and situations where a user gets all the authorized approvals from management and such.
What I am after is a method to allow the approved user to self-elevate their rights at the given system without having to have field support interact on the system to do the work. But, then after the temporary elevation of rights time expires, then the rights would be stripped automatically. If that given user needs the rights again, they run the tool in Software Center and give themselves the elevated rights to do whatever it is that they need to do and then removed again. By doing something like this, the user is not left with elevated rights but only is elevated to that level as is needed but can self-support to elevate if needed. I think that even the most avid of Tech would be able to operate under such a mode because they know that they can self-elevate when needed but then are dropped down to standard user after the allotted time.

Rick J. Jones
Wireless from AT&T
Domestic Desktop Application Management
D: (425) 288-6240
C: (206) 419-1104

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ryan
Sent: Thursday, April 17, 2014 2:33 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Temporary Elevation to Local Admin

I would strongly advise against it, but if you are set on it I can recommend PowerBroker: http://www.beyondtrust.com/Products/PowerBrokerforWindows/

It elevates programs and leaves the user with their standard rights. It can be horribly abused, but anything that gives a user admin rights can.

On Thu, Apr 17, 2014 at 4:13 PM, JONES, RICK J <rj7...@att.com> wrote:

Has anyone run across a tool or a script of any sort that could be deployed by SCCM to allow a user to self-elevate their rights to Local Administrator and then say, an hour later remove those admin rights? I have all kinds of ideas for it, but hoping that someone has already done this.

Rick J. Jones
Wireless from AT&T
Domestic Desktop Application Management
D: (425) 288-6240
C: (206) 419-1104