In this article, we discuss how to temporarily grant users admin rights for simple tasks like installing software. This helps keep IT from getting bogged down.
One of the more frequent conflicts between an IT department and an end user is the use of administrative privileges. End users are used to having this permission on their personal devices, which easily allows them to perform functions that require admin rights like installing software. In many organizations that do not have a self-service for installing software, this becomes troublesome since end users will have to ask for IT to install software for them.
Of course, in an organization, it is insecure to have an end user operating Windows under administrative privileges at all times, because it makes it easier for phishing and malware to creep in. For this reason, having a method to temporarily give admin rights to an end user can be a good idea. One solution for this is the Make Me Admin application. Make Me Admin grants admin rights to non-admin Windows users temporarily and then removes those rights when the period of time is up.
As with most Windows third-party software, you can download the installer from the Make Me Admin website here, or install it by using Chocolatey. Since I am a huge Chocolatey advocate, I will show how to do this here:
PS C:\> choco install makemeadmin -y
Chocolatey v0.10.15 Business
2 validations performed. 1 success(es), 1 warning(s), and 0 error(s).
Installing the following packages:
By installing you accept licenses for the packages.
Progress: Downloading makemeadmin 2.3... 100%
makemeadmin package files install completed. Performing other installation steps.
Installing 64-bit MakeMeAdmin 2.3.0 x64.msi...
MakeMeAdmin 2.3.0 x64.msi has been installed.
makemeadmin may be able to be automatically uninstalled.
The install of makemeadmin was successful.
Software install location not explicitly set, could be in package or
default install location if installer.
Chocolatey installed 1/1 packages.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
At this point if I search for “make me admin” in Windows, I can see it:
If I open Make Me Admin, it brings up a window and, if I am not already an administrator, allows me to choose “Grant Me Administrator Rights”.
Configuring Make Me Admin
One of the prerequisites for using Make Me Admin is that UAC (User Account Control) must be enabled at least partially in Windows for the application to work.
To control Make Me Admin settings, the installation comes with Group Policy templates that can be used. For instance, the timeout for admin rights before being removed is 10 minutes by default, but this can be changed with the “Admin Rights Timeout” setting.
Other settings of interest are the entities to allow or deny for the application, which are listed by the SID of the account. In addition, there are syslog settings so that logs are sent to a syslog server.
One interesting behavior I observed was that when the service for Make Me Admin is stopped, any current admin rights granted are removed, which is a great feature.
Testing It Out
To test it out, I have granted my user account access. If I double-click on something that would prompt UAC (User Account Control), such as opening cmd as administrator, I am prompted for credentials, which is normal.
After entering my login credentials, the process runs, proving the Make Me Admin application did its job. I can verify this by looking at the local Administrators group in PowerShell, and the Make Me Admin application also writes this change to the event log.
PS C:\> Get-LocalGroupMember -Group Administrators -Member DOMAIN\dfrancis
ObjectClass Name PrincipalSource
----------- ---- ---------------
User DOMAIN\dfrancis ActiveDirectory
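To go one step past the manual check above, the following added example (not code from the article or from the Make Me Admin project) confirms that the temporary membership is actually removed once the timeout elapses and lists any local administrators outside an expected baseline. The function names, the baseline accounts, and the grace period are assumptions made for illustration; `Resolve-AccountSid` also shows how to obtain the SID form used by the allow and deny settings.

```powershell
# Added example (not from the Make Me Admin project or the article's author).
$Account = 'DOMAIN\dfrancis'   # the article's test account; replace with your own

function Resolve-AccountSid {
    # Translate an account or group name to the SID string form used by
    # SID-based allow/deny settings.
    param([Parameter(Mandatory)][string]$Name)
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UnexpectedLocalAdmin {
    # Direct members of the local Administrators group that are not in the baseline.
    param([string[]]$BaselineSid = @())
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $BaselineSid -notcontains $_.SID.Value } |
        Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }, PrincipalSource
}

function Wait-AdminRightsRemoval {
    # Poll until the account is no longer a direct member, or the deadline passes.
    # The clock starts when this function is called, not when rights were granted.
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutMinutes = 10,  # default "Admin Rights Timeout" per the article
        [int]$GraceSeconds   = 60,  # assumed slack for the removal to land
        [int]$PollSeconds    = 15
    )
    $sid      = Resolve-AccountSid -Name $Name
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes).AddSeconds($GraceSeconds)
    do {
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
        if ($members -notcontains $sid) { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Constructed baseline: accounts expected to be permanent local administrators.
$baseline = @("$env:COMPUTERNAME\Administrator", 'DOMAIN\Domain Admins') |
    ForEach-Object { Resolve-AccountSid -Name $_ }

if (Wait-AdminRightsRemoval -Name $Account) {
    Write-Output "$Account is no longer a local administrator."
} else {
    Write-Warning "$Account is still a local administrator after the timeout."
}
Get-UnexpectedLocalAdmin -BaselineSid $baseline   # anything listed needs review
```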
In an enterprise setting, end users should never be in the local administrators group, which is a basic Windows security fact. The problem with this is, of course, that end users sometimes do want to install software (if the organization allows that). The Make Me Admin application provides a great way to allow this without giving end users the keys to the kingdom. For organizations that want to give end users a bit more control, this solution is great.