
Feature Request - Make Me Admin commands

Open tbcahill opened this issue 1 year ago • 8 comments

Is there a way to add/remove admin permissions via CMD / PowerShell commands? This would be a great addition for power users.

tbcahill avatar Apr 17 '24 13:04 tbcahill

You could just use something like this to get Administrator rights with PowerShell:

```powershell
# Client-side copy of the service contract exposed by the MakeMeAdmin service
$source = @"
using System;
using System.ServiceModel;

namespace SinclairCC.MakeMeAdmin
{
    [ServiceContract(Namespace = "http://apps.sinclair.edu/makemeadmin/2017/10/")]
    public interface IAdminGroup
    {
        [OperationContract]
        void AddUserToAdministratorsGroup();
    }
}
"@

# Load the WCF assembly, then compile the contract against it
# (the obsolete LoadWithPartialName call was redundant and is dropped)
Add-Type -AssemblyName System.ServiceModel
Add-Type -TypeDefinition $source -ReferencedAssemblies System.ServiceModel

# Create a NetNamedPipeBinding object
$binding = New-Object System.ServiceModel.NetNamedPipeBinding

# Define the endpoint address
$endpointAddress = "net.pipe://localhost/MakeMeAdmin/Service"

# Create a channel factory to communicate with the service
$channelFactory = New-Object 'System.ServiceModel.ChannelFactory[SinclairCC.MakeMeAdmin.IAdminGroup]' -ArgumentList $binding, $endpointAddress

# Create a channel using the channel factory
$channel = $channelFactory.CreateChannel()

# Call the AddUserToAdministratorsGroup method on the channel
$channel.AddUserToAdministratorsGroup()

# Close the channel factory
$channelFactory.Close()
```

jwal-d-velop avatar Apr 17 '24 14:04 jwal-d-velop

@jwal-d-velop, thanks, I'll give this a try.

tbcahill avatar Apr 18 '24 14:04 tbcahill

This worked nicely. Thank you!

tbcahill avatar Apr 24 '24 10:04 tbcahill

Re-opening this, because it sounds like a good idea. Get-AdminRights or something?

pseymour avatar Apr 24 '24 20:04 pseymour

I've created something similar for our use case, also using PowerShell. Basically it enters the current user as a possible candidate for MakeMeAdmin, but it is secured by the Windows Local Admin Password Solution (LAPS) by Microsoft.
An admin/supporter basically needs to provide the LAPS-password. Afterwards MakeMeAdmin can be invoked, the current user is provided with administrative permissions and the support task can be done with the user entering her password if needed for the configured period. Afterwards, MakeMeAdmin removes the administrative rights and the user again, so no administrative permissions remain on the system.

Edit: Changing link to MS to the English one.
Edit2: Just realizing that the code above by @jwal-d-velop (thank you for this!) gives the user administrative permissions ~~, with no security checks at all (which my code should have prevented, using the LAPS-solution as a gatekeeper).~~ So whenever MakeMeAdmin is installed, you can simply make this user admin (edit3: →) if not configured correctly (edit3: end). ~~Oh boy, another solution unusable for us, as it becomes a big security hole for our use case.~~
Edit3: After some testing it turns out that MakeMeAdmin (thank God! ;-)) already provides the methods to prevent this. If you set the Allowed Entities entry in the registry to an empty value, the code above won't work, as expected. @pseymour obviously gave it some thought before implementing it. Thank you for this tool!

taffit avatar Nov 27 '24 08:11 taffit

@taffit you could try a different approach for that. Don't have MakeMeAdmin installed all the time. So only if you grant a specific user access to it, it will be installed by your software distribution.

itbs-technology avatar Nov 27 '24 08:11 itbs-technology

@itbs-technology Thank you for the suggestion. You're right, that could be a possible approach. I just retested with different settings and found out that if you set the Allowed Entities setting as empty previously, the code won't make you admin. So the solution I'm using, which basically builds on this (once the LAPS password is provided, the current user is entered in the allowed entities and can then invoke MakeMeAdmin to do its magic; using the script from @jwal-d-velop is then even easier than my solution) can be used again. Phew, I was sweating a little bit ;-) .

I will adjust my answer above.

taffit avatar Nov 27 '24 08:11 taffit
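An added example, not from the thread or from the MakeMeAdmin project: a PowerShell check an administrator could run to see which state the Allowed Entities setting discussed above is in, and whether any listed entry is a broad well-known group. The function name `Get-AllowedEntitiesState` is hypothetical, the registry key path is a placeholder the thread does not give, and treating an absent value as "no restriction set" is an assumption.

```powershell
# Added example. ASSUMPTION: the key path passed in is a placeholder; use the
# registry key where your MakeMeAdmin deployment keeps its settings.
function Get-AllowedEntitiesState {
    param(
        [Parameter(Mandatory)] [string] $SettingsKey,
        [string] $ValueName = 'Allowed Entities'   # name as quoted in the thread
    )
    # Well-known SIDs that would open the service to nearly every local user.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    if (-not (Test-Path -LiteralPath $SettingsKey)) {
        return [pscustomobject]@{ State = 'KeyMissing'; Entries = @() }
    }
    $item = Get-ItemProperty -LiteralPath $SettingsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: treated here as "no restriction set" (assumption).
        return [pscustomobject]@{ State = 'NotConfigured'; Entries = @() }
    }
    $entries = @($item.$ValueName | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    if ($entries.Count -eq 0) {
        # The state taffit reports as blocking the named-pipe call.
        return [pscustomobject]@{ State = 'Empty'; Entries = @() }
    }
    $resolved = foreach ($entry in $entries) {
        $sid = $entry
        if ($entry -notmatch '^S-1-') {
            try {
                $account = [System.Security.Principal.NTAccount]::new($entry)
                $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = $null }   # name could not be resolved on this host
        }
        [pscustomobject]@{
            Entry      = $entry
            Sid        = $sid
            Unresolved = ($null -eq $sid)
            Broad      = ($null -ne $sid -and $broad.ContainsKey($sid))
        }
    }
    [pscustomobject]@{ State = 'Restricted'; Entries = @($resolved) }
}

# Placeholder path: replace before use.
Get-AllowedEntitiesState -SettingsKey 'HKLM:\SOFTWARE\<vendor>\<product>'
```

A result of `NotConfigured`, or `Restricted` with any entry flagged `Broad`, is the case to review on hosts where the service is installed.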

Thanks to @jwal-d-velop's example, I have created PowerShell scripts and published them at https://github.com/tkouba/MakeMeAdminPowerShell. Feel free to review them.

tkouba avatar Feb 23 '25 16:02 tkouba