Granting admin rights via script

exman2k5

Technical User
May 6, 2005
34
US
Hello, can anyone help me? Is there any way to have a script temporarily grant admin rights to a user till next logoff and possibly have the script automatically deleted after it has executed?

Here is a little background:

I created a laptop image which has HP printer drivers preinstalled. We are now seeing a problem with our remote users being prompted to install the printer drivers again, which requires admin rights (they only have power user rights). The problem seems to be that each individual printer has a hard-coded ID which is linked to the USB vendor and device ID. So the original printer used to create the image can connect fine to any laptop with the image, but any other printer is seen as a new device and prompts the user to install new hardware and software. We are trying to avoid giving the users the admin details to reinstall the drivers. I have already tested disabling the serial number check in the usbflags key in the registry but am still getting a prompt. Thanks for any help.
 
I found this script which adds a network user to the local admin group. Can anyone assist in editing it to perform the task I need? Thanks

Set oWshNet = CreateObject("WScript.Network")
Set oFSO = CreateObject("Scripting.FileSystemObject")

sUser = InputBox("Enter user name on network")
If sUser = "" Then
    WScript.Echo "No user input, aborted"
    WScript.Quit
End If

tmp = Trim(InputBox("Enter 1 to Give rights or 2 to Remove rights"))
If tmp = "" Then
    WScript.Echo "No user input, aborted"
    WScript.Quit
End If

' reject anything other than 1 or 2 instead of treating it as "remove"
If tmp <> "1" And tmp <> "2" Then
    WScript.Echo "Invalid choice, aborted"
    WScript.Quit
End If

'open the data file
Set oTextStream = oFSO.OpenTextFile("wslist.txt")

'make an array from the data file
RemotePC = Split(oTextStream.ReadAll, vbNewLine)

'close the data file
oTextStream.Close

sNetBIOSDomain = oWshNet.UserDomain

For Each strComputer In RemotePC

    sPC = Trim(strComputer)

    ' skip blank lines, for example a trailing newline in wslist.txt
    If sPC <> "" Then

        Set oGroup = GetObject("WinNT://" & sPC & "/Administrators,group")
        Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & sUser & ",user")

        ' suppress errors in case the user is already a member (or, when removing, not a member)
        On Error Resume Next

        If tmp = "1" Then
            oGroup.Add(oUser.ADsPath)
        Else
            oGroup.Remove(oUser.ADsPath)
        End If

        ' restore error handling so a failed lookup on the next machine is not silently ignored
        On Error GoTo 0

    End If

Next

If tmp = "1" Then
    WScript.Echo "Rights Given"
Else
    WScript.Echo "Rights Taken away"
End If

Next, create a text file named wslist.txt with workstation names, i.e.:

workstation01
workstation02
workstation03
workstation04
workstation05
workstation06

Then just run the script. It will prompt for network user name

Then it will prompt to add user or remove user from local admin group.
Then it will confirm User was added or removed
 
i guess you need to know which users you want to grant admin rights to which machines???
or do you just want to add 'Everyone' group to the local admin group?

if you go with the method suggested above then you will need to do 2 things i think

1. run the above script centrally with a user account which has admin rights to all your machines. this will require your machines to be on at the time you run it

2. have a logoff script which removes the user account, this shouldn't pose a problem


have you considered giving users the required rights to be able to add printers? thus eliminating the issue altogether
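
The removal step from point 2 above, as an added example that is not part of the original thread: it strips every member of the local Administrators group that is not on an allowlist and records each removal in the event log. It assumes it runs in a context that already has admin rights (for example a machine startup script), and the `ALLOWED` list is a constructed placeholder to adapt.

```vbscript
Option Explicit
' Constructed allowlist (assumption): accounts that may stay in Administrators.
Dim ALLOWED : ALLOWED = Array("Administrator", "Domain Admins")

Dim oNet, oShell, oGroup, oMember, oStale, sPath, sPC
Set oNet = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")
Set oStale = CreateObject("Scripting.Dictionary")
sPC = oNet.ComputerName
Set oGroup = GetObject("WinNT://" & sPC & "/Administrators,group")

' Collect first, remove afterwards: do not change the group while enumerating it.
For Each oMember In oGroup.Members
    If Not IsAllowed(oMember.Name) Then oStale(oMember.ADsPath) = oMember.Name
Next

For Each sPath In oStale.Keys
    On Error Resume Next
    oGroup.Remove sPath
    If Err.Number = 0 Then
        ' 2 = warning entry in the Application event log
        oShell.LogEvent 2, "Removed " & sPath & " from Administrators on " & sPC
    Else
        ' 1 = error entry, so a failed removal stays visible
        oShell.LogEvent 1, "Could not remove " & sPath & ": " & Err.Description
    End If
    On Error GoTo 0
Next

' 4 = information entry summarising the run
oShell.LogEvent 4, oStale.Count & " non-allowlisted member(s) processed on " & sPC

' Case-insensitive match on the account name only (the domain part is ignored).
Function IsAllowed(sName)
    Dim s
    IsAllowed = False
    For Each s In ALLOWED
        If StrComp(s, sName, vbTextCompare) = 0 Then IsAllowed = True
    Next
End Function
```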

 
mrmovie, thanks for replying. The script I posted was an example; somewhere in that script the user is granted admin rights to the local PC. My problem is that these are laptops to which we have no access and don't know the PC names, so the idea is to grant the logged-on user admin rights temporarily. Hopefully the script will be emailed out to the users and they can run it to install the printer. The printer driver itself installs extra management software, so granting them rights to load drivers won't be enough. Is that doable?
 
if the user who is running the script does not have admin rights then i would hope for windows security's sake it would not be possible.

i am not much of a hacker so all i can say is that you will probably need one of the following if you want to stick with a scripted solution:

1. the local administrator password for the machine
2. a domain account which has admin rights to the machine

if you want to try and get away from scripting for sec then you might consider AD GPO to do something with elevated priv? or you might consider creating an MSI to run with elevated priv?

seeing as you mentioned images then i guess we can talk about builds? you might consider leaving all users as being local Admins until a certain time? you might consider having a RunOnce or Run key in .Default user which waits for a couple of reboots? i guess that would depend on when the user first loads and machine and if the printer is there on first or third reboot
 
So you want to email them a script that runs with elevated rights to install software? Isn't that the definition of a virus? :)

I would suggest searching this forum for "RunAs". It is the only way that I can think of to solve this in a script. You could also look at creating an MSI to do what you need done and having it run with elevated rights.

"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick
 
Guys, thanks for the responses. Let me clarify a bit:

Our users have Windows XP laptops with drivers for an HP OfficeJet installed. The original printer used to create the image, when connected to the laptop, does not prompt for drivers to be installed regardless of the user who is logged on.

The users have now received new printers, same make and model. When they connect them to the laptop they are prompted to install drivers again. This happens even if the admin is logged on. (Tested with a new printer myself)

The problem is when the users are logged on the drivers will try to install then will prompt for admin credentials. These rights are needed to install the HP Director software not the normal print drivers.

So I was asking if it is possible to have a script run that will elevate the user's rights before plugging in the printer and have the printer complete its install, then after a reboot the elevated rights are removed.

After searching for RunAs as TomThumbKP suggested, I think a more appropriate question would be how to create a script to add the logged-on user's account to the admin group and then remove it afterwards. I really appreciate your answers but I have to say I know nothing about writing scripts.

Thanks for your help so far

 
there are plenty of examples of adding user accounts to groups. you have presented one in your earlier post.

the heart of the matter is that in order to run the script successfully the context in which it is run needs to have admin rights....
 