"Escalation-only" AD Accounts?

Posted by blackBoxing@reddit | sysadmin | View on Reddit | 29 comments

So if I have a group of users who should be able to occasionally execute programs as Administrator, but who I do not want to just log in as admin every day, I have thought of making a second account for them. So user "jdoe" would be a regular user, but "jdoe-a" would have Administrator rights. The thinking is that you could not log into a machine as "jdoe-a", but you can log in as "jdoe" and when it prompts for an Administrator password to escalate privileges for something, the user could think first and then enter "jdoe-a" credentials if appropriate. Is this advisable? How can I accomplish this with AD Users and Computers and/or Group Policy? Thank you

Reply to Post

29 Comments

[-]

Phyxiis@reddit

A previous company I worked for we have specific orders an admin account (via manager request), the user has to log in as that account once to create the profile, but on login of that account there was some scripts or process that automatically logged them out after logging. Idk how they did it, most likely powershell

[-]

pertymoose@reddit

We give everyone a domain user and a domain local admin account for their particular device. The admin account is disabled by default but can be enabled for a day via a website. We have too many remote techs all over the country that may need to be able to install something at some point.

[-]

homing-duck@reddit

Why do they need to log on as an administrator. We have a few applications that need to be upgraded regularly, and stop functioning when there is an update available. To fix this (as the users are in a different time zone), we use admin by request, and then allow these users to run c:\\program files\\some app\\app\_update.exe (signed by specific digital certs) as an administrator. When the users run this app, they will be prompted if they want to run it as an administrator. Then it will run just that application as an admin. Admin by request is free for 10 users.

[-]

BishCr@reddit

My org recently began using an open source tool called MakeMeAdmin. You use your regular account but can elevate it temporarily on demand. https://github.com/pseymour/MakeMeAdmin

[-]

CynicalTree@reddit

What's the use case? If it's just for software installs on a domain joined device, then a second account makes sense, you won't be able to disable them using it to logon to the device though, UAC prompts count as a local logon. If it's not that frequent, you could look at something like Microsoft LAPS. It rotates the localadmin password daily, so that admins can give out the credential to staff and it'll only work for that day.

[-]

blackBoxing@reddit (OP)

I want the managers to always have the ability to escalate stuff to Administrator rights. I guess my question is how to disable the administrator account from being logged into and just used like a normal account.

[-]

ArsenalITTwo@reddit

The Managers are doing what with their admin rights?

[-]

CynicalTree@reddit

Afaik, UAC Elevation runs the elevated application in the user space of the privileged account, so it has to log into the device. You can 'deny local logon' for the account but it would also prevent elevating software. This link seems to back that up [https://community.spiceworks.com/topic/2478589-active-directory-user-account-to-do-admin-tasks-but-not-allow-login](https://community.spiceworks.com/topic/2478589-active-directory-user-account-to-do-admin-tasks-but-not-allow-login) I did see an interesting idea in there. You can set a GPO to run logoff.exe on startup for the privileged account, which wouldn't apply for stuff like UAC elevations. [https://www.authlite.com/kb/allow-runas-but-block-interactive-logon/](https://www.authlite.com/kb/allow-runas-but-block-interactive-logon/) I've never tried that so YMMV. In my environments, staff with access to second accounts were just trusted not to use them, and they don't didn't have the same file server access as the main accounts.

[-]

blackBoxing@reddit (OP)

Thanks for this. What do you think about "requiring" a non-existent [smart card](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory) for interactive login? Would that work? Would that also disable elevation?

[-]

CynicalTree@reddit

I think the same issue would apply. UAC supports smart cards and would prompt for it. If you're not wanting to purchase anything else, probably the simplest option is to inform the account holders' that it's only used for elevation, and restrict the account's access in terms of file servers (e.g: If each staff member has a homedrive, don't give the -a account access to the homedrive) Otherwise if you need it to be real secure, you might want to look at JIT (just in time) solutions, or you could setup a real smartcard for those accounts, and do something like disabling the smartcard service until logon (manual start service -> scheduled task at logon)

[-]

ArsenalITTwo@reddit

Make individual admin accounts. It's what larger companies with segregation of duties do. No user is admin on their regular account. They have to bounce into a Jump RDSH Host with their admin account to do admin-y things.

[-]

Ape_Escape_Economy@reddit

ConnectWise control has a feature that does exactly this (requests for escalation).

[-]

rthonpm@reddit

We configure admin accounts so that they can't open web browsers or email clients. It's a fairly effective method for preventing people from using them for daily tasks.

[-]

VariationTrue5493@reddit

For techs we have them use an a account that has delegate access for some ad OU’s but they use laps for uac prompts on computers that are not theirs. For those saying they have an A account for their domain but it does not have azure access do you then have an AA account for azure admin? I struggled with this but eventually relented to my admin account is used on a dedicated computer PAW computer never logged in to any other computer but it has internet access to admin various cloud products as well as local AD. Looking to see what others do for local ad admin and admin of various cloud products.

[-]

AhmedBarayez@reddit

In my company no user have admin privileges, I have a local user admin created previously after windows installation, and i use run as to run apps that need admin privileges

[-]

The-Jesus_Christ@reddit

LAPS is integrated a lot better now. Use that rather than provide them with an admin account.

[-]

Sow-pendent-713@reddit

I don’t allow any account that has an email address to have admin rights. So they should have a separate account for admin needs, The way you mention is good enough until you get to the point where you want to use PIM or PAM

[-]

idylwino@reddit

What sort of application? Is it local to the machine, or is it AD aware and needs privileged access to provide proper output?

[-]

blackBoxing@reddit (OP)

What I mean is an AD user, not a local admin. So the only users who would also have a "-a" account would be managers. If a normal employee need to, say, install a program or connect to a file server, then they could ask their manager to come type "jdoe-a" into the escalation prompt (if they approve of the action).

[-]

idylwino@reddit

You seem to be referring to admin accounts for support? That's usually best practice. For example, the domain admins have a "root" account that we use to perform admin duties. These accounts don't have mailbox and don't sync to Azure. We use them to access admin consoles, run ADUC, make NTFS permission changes to share and hit local admin shares if necessary. We also deploy a local admin account on each machine specifically for situations where software needs to be installed on a user's machine or something needs to happen that requires elevated privileges. The local admin account is shared among desktop support.

[-]

TransporterError@reddit

Yep, all of our IT folks have both a “standard” and “privileged” account. Keeps things clean and simple.

[-]

DrummerElectronic247@reddit

Just deny interactive logon for the escalated accounts. GPO can do that easily enough. Then they *Can't* log on as adminstrators. Alternatively implement LAPS and solve the issue permanently.

[-]

Cooleb09@reddit

EPM softwares may be what your after? or potentialy the new ntune device admin PIM functions.

[-]

RagnarTheRagnar@reddit

[https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747) New LAPS. Or you can still make basic local admin accounts that supply admin only to the local device. What program do they need to run as a admin on occasion? Does this app truly need admin rights? You could hit it with a touch of LUA Buglight to sort it out permission issues: [https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459](https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459) I do not trust the managers with admin permissions. They would need to give me a business justification as to why they require it.

[-]

Vikkunen@reddit

We did this at a place I used to work. Laptop users had a USER-ADMIN account in addition to their standard account. USER-ADMIN had no access provisioned to it so it was fairly useless as a standalone login, but deployment techs manually added it to the Administrators group on the laptop when they were deploying it. Pitfalls to be aware of is that unless the machine has line-of-sight to AD, the admin credential needs to be signed in once beforehand to cache itself. It's also an extra login for people to forget, so that's cool, and occasionally your techs might forget to add it to the admin group. Oops.

[-]

blackBoxing@reddit (OP)

I can add each manager's "-a" account to the Administrators group in all computers under their "command" via script. What I really want to know is what specifically you mean by "USER-ADMIN had no access provisioned to it so it was fairly useless as a standalone login" and how you set that up, because if I'm understanding you the way I think then you may have solved my problem.

[-]

Vikkunen@reddit

I mean just that. USER-ADMIN is just an account. It doesn't have a mailbox, it doesn't have an Office or Adobe license, it's not scoped to be able to access any file shares, etc. You can sign into the machine with it (although you could also restrict it from doing that if you really wanted), but you'll have to jump through a bunch of hoops to actually use it to access any company resources.

[-]

blackBoxing@reddit (OP)

Thanks for the idea.

[-]

doweactuallycare@reddit

LAPS Unless you want to make a bunch of accounts rife for sharing with little trackability on whos actually using them AND they have open admin access to a ton of devices in your environment? Why not LAPS and local admin accounts with permissions setup for people who need permission to that stuff?