Script to grant admin and then remove it after a designated time
Hi, I'm new to all of this but have been asked by my manager to start to learn how to write config scripts for KACE. What I would like to write is a script I can run on any computer on the domain that will grant administrator permissions. But then wait and after a designated time, say 1.5 hours; remove admin from the same computer automatically. I would also like to be able to change this 'wait' time if necessary for longer tasks to say 4hours. Possibly I will need two scripts
Any help would be appreciated,
Thanks,
Marc
2 Comments
[ + ] Show comments
Answers (1)
Please log in to answer
Posted by:
SMal.tmcc
7 years ago
I am guessing you want to do this for the current logged in user? To make anyone else or a group an admin just requires a GPO.
For the current logged in user we do this with 2 scripts.
One to grant and one to revoke. It requires a reboot to make the change.
This is the shell script to add current user
For the current logged in user we do this with 2 scripts.
One to grant and one to revoke. It requires a reboot to make the change.
This is the shell script to add current user
wmic computersystem get username /format:list > C:\ProgramData\Dell\KACE\user\Cuser.txt
for /f "tokens=2 delims== skip=2" %%G in ('type C:\ProgramData\Dell\KACE\user\Cuser.txt') DO net localgroup administrators /add %%G
del C:\ProgramData\Dell\KACE\user\Cuser.txt /q
shutdown -r -t 10
This is the shell script to delete the current user
wmic computersystem get username /format:list > C:\ProgramData\Dell\KACE\user\Cuser.txt
for /f "tokens=2 delims== skip=2" %%G in ('type C:\ProgramData\Dell\KACE\user\Cuser.txt') DO net localgroup administrators /delete %%G
del C:\ProgramData\Dell\KACE\user\Cuser.txt /q
shutdown -r -t 10
Comments:
-
Yes we already have scripts to run to both grant and the remove. The problem is; often we forget to go back and remove admin. What I'm trying to do is grant and then after a set time, remove. I intend to make two scripts that can be 'run now' under scripting; one that grants and then removes after 1.5 hours, the second one, grants and removes after 4 hours. The second one is to allow more time for the lengthy install of our software locally on the computer. The first one is only for small tasks like installing a printer driver or similar.
Thanks for your input - MarcatY@rdi 7 years ago -
Thanks for the above info. I I have a case script in place now that works to both add and then remove admin, unless the user reboots. Previously I mentioned that the second script will use ksleep (thanks for that; it was in one of your previous posts) to pause for 4 hours to allow the user to install our software. The problem is, this install requires several reboots; and any reboot between granting permissions and then removing them, breaks the combined scripts. - MarcatY@rdi 7 years ago
-
since you need to do reboots I suggest using schtasks.exe to create a scheduled task that will run the delete script as a batch file. https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx Create a one time task - SMal.tmcc 7 years ago
-
Thanks again! Schtasks I put in after kesleep. It looks like there are a lot of switches to try and figure out what I need. I have a 'working script now that does what I want but I need a forced reboot after admin is granted then some wild card or whatever to make it continue where it left off - MarcatY@rdi 7 years ago
-
my shell script has a reboot in it, The best thing to do is poke the run once to run a batch file after the reboot to do anything you want after that to happen.
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v somename /d "C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\###\somefile.bat" - SMal.tmcc 7 years ago
Yes that could work, but again 'm new to all of this, but I understand when you somefile.exe to represent the name of the file but near the end of the command you put ### what is that for? - MarcatY@rdi 7 years ago