<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">
Defrag This

| Read. Reflect. Reboot.

Using Make Me Admin for Administrator Privilege

Dan Franciscus| July 12 2019

| security, IT insights, Sysadmin

using-make-me-admin-for-administrator-privilege

In this article, we discuss how to grant users simple admin rights temporarily like installing software. This helps keep IT from getting bogged down.

One of the more frequent conflicts between an IT department and an end user is the use of administrative privileges. End users are used to having this permission on their personal devices, which easily allows them to perform functions that require admin rights like installing software. In many organizations that do not have a self-service for installing software, this becomes troublesome since end users will have to ask for IT to install software for them.

Of course, in an organization, it is insecure to have an end user operating Windows always under administrative privileges at all times, due to the fact that it exposes phishing and malware to more easily creep its way in. For this reason, having a method to temporarily give admin rights to an end user can be a good idea. One solution for this is the Make Me Admin application. Make Me Admin grants admin rights to non-admin Windows users temporarily and then remove those rights when the period of time is up.

Installing Makemeadmin

As with most Windows third-party software, you can download the installer from the Make Me Admin website here, or by using Chocolatey. Since I am a huge Chocolatey advocate; I will show how to do this here:

PS C:\> choco install makemeadmin -y

Chocolatey v0.10.15 Business

2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).

Installing the following packages:

makemeadmin

By installing you accept licenses for the packages.

Progress: Downloading makemeadmin 2.3... 100%




makemeadmin v2.3

makemeadmin package files install completed. Performing other installation steps.

Installing 64-bit MakeMeAdmin 2.3.0 x64.msi...

MakeMeAdmin 2.3.0 x64.msi has been installed.

  makemeadmin may be able to be automatically uninstalled.

 The install of makemeadmin was successful.

  Software install location not explicitly set, could be in package or

  default install location if installer.




Chocolatey installed 1/1 packages.



See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

At this point if I search for “make me admin” in Windows, I can see it:

makemeadmin5

If I open Make me Admin it will bring up a window and if I am not an administrator already, will allow me to choose “Grand Me Administrator Rights”.

make me admin 2

Configuring Make Me Admin

One of the prerequisites for using Make Me Admin, is that UAC (User Account Control) must be enabled at least partially in Windows for the application to work.

To control Make Me Admin settings, the installation comes with Group policy templates that can be used. For instance, the timeout for admin rights before being removed is 10 minutes by default, but this can be changed with the “Admin Rights Timeout” setting.

Other settings of interest would be what entities to allow or deny for the application, which are listed by the SID of the account. In addition, syslog settings so that logs are sent to a syslog server.

One interesting behavior I observed was that when the service for Make me Admin is stopped, any current admin rights granted are removed, which is a great feature.

Testing It Out

To test it out, I have granted my user account access, if I double click on something that would prompt UAC (User Account Control) such as opening cmd as administrator; I am prompted for credentials, which is normal.

make me admin 3

After entering my login credentials the process runs, proving the Make Me Admin application did its job. I can verify this by looking at the local administrator's group in PowerShell but also the Make Me Admin application writes this change to the event log.

PS C:\> Get-LocalGroupMember -Group Administrators -Member DOMAIN\dfrancis

ObjectClass Name              PrincipalSource

----------- ----              ---------------

User        DOMAIN\dfrancis ActiveDirectory

Summary

In an enterprise setting, end users should never be in the local administrators group, which is a basic Windows security fact. The problem with this is, of course, end users sometimes do want to install software (if the organization allows that). The Make Me Admin application provides a great way to allow this without giving end users the keys to the kingdom. For organizations who want to give end users a bit more control, this solution is great.

 

Topics: security, IT insights, Sysadmin

Leave a Reply

Your email address will not be published. Required fields are marked *

THIS POST WAS WRITTEN BY Dan Franciscus

Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog (http://www.winsysblog.com/) or Twitter at @dan_franciscus.

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.