Invoke - Add Current User to Temporary Administrators - Windows


Versioning - This is the latest version.

1Invoke - Add Current User to Temporary Administrators - Windows9/14/2016 10:22:28 PM
2Invoke - Add Current User to Temporary Administrators - Windows5/2/2017 7:24:54 AM

Description

This Fixlet grants the currently logged-on user local administrative rights and records the grant (account name, SID, start and expiration date/time) in a registry store under HKLM, writing a matching entry to the "C3 Temporary Administrative Rights" event log.

This Fixlet by itself does not remove the user's administrative rights when the expiration time passes. Removing their access requires the "Invoke - Remove Expired Users from Temporary Administrators - Windows" Fixlet to be run as a policy action. Note that the registry store is writable by local administrators — which the granted user now is — so the event log, forwarded off the endpoint, should be treated as the authoritative audit trail rather than the registry entries.

For general information or to report issues with C3 Inventory content please visit GitHub here: https://github.com/strawgate/C3-Inventory


Property Details

ID24155
TitleInvoke - Add Current User to Temporary Administrators - Windows
DomainBESC
CategoryTemporary Administrative Rights
SourceInternal
Source Release Date4/25/2016 12:00:00 AM
Added by on 5/2/2017 7:24:54 AM
Last Modified by on 5/2/2017 7:24:54 AM

Relevance

isWindows (Relevance 1172)
/* true only on Windows endpoints */ windows of operating system
/* an interactive user must be present. NOTE(review): presumably the singular form errors (making the Fixlet not relevant) when more than one user is logged on -- confirm */ exists logged on user
/* exclude the built-in Administrator (RID 500): NOT (SID starts with "S-1-5-21-" AND ends with "-500"), written out via De Morgan */ component string of sid of logged on user does not start with "S-1-5-21-" or component string of sid of logged on user does not end with "-500"
/* relevant only while the logged-on user is NOT already a local administrator, directly or through a group. NOTE(review): "administrators" is the English group name; on localized Windows the built-in group (SID S-1-5-32-544) is named differently and this clause presumably would not find it -- confirm */ not exists elements of intersection of ( /*IS THE LOGGED IN USER AN ADMINISTRATOR? */ set of ( /* User's SID and Group Memberships */ ((sids of groups of logged on user of active directory) as string); /*User Group Memberships */ (sid of logged on user) as string /*Users SID*/ );( set of (/*Users and Groups in Administrators */ sids of members of local group "administrators" as string) ) )

Actions

Action 1 (default)

Action Link Click here to grant the current user administrative rights for 1 hour.
Script Type BigFix Action Script
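parameter "SIDS"="{component strings of sid of logged on user}"
parameter "TimeStamp"="{now}"
parameter "Start"="{now}"
parameter "Expiration"="{now + 1*hour}"
parameter "Switches"="-Grant -Admin"

// Locate powershell.exe through the native (64-bit on x64) registry view.
parameter "PowerShellExe"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) }"

// SIDS is handed to the script ';'-separated. The relevance uses the singular
// "logged on user", so in practice one SID is passed; confirm how the client
// joins plural results before relying on more than one.

delete __createfile
delete rightshandler.ps1

// Inside createfile every literal "{" must be written "{{" (BigFix substitution escape).
createfile until _end_
param (
  $SIDS,
  $TimeStamp,
  $Start,
  $Expiration,
  [switch]$Grant,
  [switch]$Revoke,
  [switch]$Admin,
  [switch]$Requestor
)

# Rights handler for the C3 "Temporary Administrative Rights" fixlets.
# Records each grant or revocation under HKLM and adds/removes the account in
# the local Administrators group; every step is written to a dedicated event log.
#
# NOTE(review): the registry store is writable by local administrators, and the
# account being granted becomes one, so it can alter or delete its own
# Current\<SID> record. Treat the event log (forwarded off the endpoint) as the
# audit trail, not the registry.

$LogName   = "C3 Temporary Administrative Rights"
$LogSource = "Rights Handler"

# Registering the log/source is idempotent: it errors harmlessly once they exist.
New-EventLog -LogName $LogName -Source $LogSource -ErrorAction SilentlyContinue
# Limit-EventLog -LogName $LogName -Retention 28 -ErrorAction SilentlyContinue

# Writes one event. IDs are kept stable for existing detections:
# 1337 = verbose/diagnostic, 1338 = grant, 1339 = revoke.
function write-log {{
  param (
    $Message,
    [ValidateSet("Verbose","Grant","Revoke")]
    $Type = "Verbose"
  )
  switch ($Type) {{
    "Grant"  {{ $ID = 1338 }
    "Revoke" {{ $ID = 1339 }
    default  {{ $ID = 1337 }
  }

  write-verbose $Message
  write-eventlog -logname $LogName -source $LogSource -eventID $ID -EntryType "Information" -message "$Message"
}

# Creates a registry key (and missing parents) if absent; always returns the path.
function new-registrystructure {{
  param (
    $Path
  )
  if (!(test-path $Path)) {{ new-item $Path -force -ErrorAction SilentlyContinue | out-null }

  return "$Path"
}

# Creates or overwrites a registry value. The previous New-ItemProperty call
# failed silently when the value already existed, so re-granting an account whose
# Current\<SID> key had survived kept a stale Start/Expiration.
function set-recordvalue {{
  param (
    $Path,
    $Name,
    $Value
  )
  Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
}

# Resolves the local Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group is not literally named "administrators".
# Falls back to the English name if the lookup fails.
function get-AdministratorsGroupName {{
  try {{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $Name   = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    return $Name.Split("\")[-1]
  } catch {{
    return "administrators"
  }
}

# Resolves a SID to DOMAIN\User; returns $null (instead of throwing mid-loop)
# when the SID cannot be resolved, e.g. a deleted account or unreachable domain.
function get-UserFromSID {{
  param (
    $SID
  )
  try {{
    $objSID  = New-Object System.Security.Principal.SecurityIdentifier($SID)
    $objName = $objSID.Translate( [System.Security.Principal.NTAccount])
    return $objName.Value
  } catch {{
    return $null
  }
}

# On x64 the store ends up in the 32-bit registry view either way: a 64-bit
# process writes Wow6432Node explicitly, a 32-bit one reports x86 and has
# HKLM:\Software redirected. Presumably so the BES client and the Remove fixlet
# read it from one place -- confirm against that fixlet.
if ($env:PROCESSOR_ARCHITECTURE -eq "amd64") {{
  $SoftwareROOT = "HKLM:\Software\Wow6432Node\C3 Inventory"
} else {{
  $SoftwareROOT = "HKLM:\Software\C3 Inventory"
}

$Store = @{{
  "Temporary Administrative Rights Root" = "$SoftwareROOT\Temporary Administrative Rights";

  "Authorized Requestors Root"    = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors";
  "Current Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Current";
  "Expired Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Expired";

  "Administrators Root"    = "$SoftwareROOT\Temporary Administrative Rights\Administrators";
  "Current Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Current";
  "Expired Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Expired";
}

# Build the registry store.
foreach ($Item in $Store.GetEnumerator()) {{ new-registrystructure -Path $Item.Value | out-null }

if (-not $SIDS) {{
  write-log "No SIDs were supplied; nothing to do."
  return
}

$AdminGroup = get-AdministratorsGroupName

foreach ($RawSID in $SIDS.Split(";")) {{
  $SID = $RawSID.Trim()
  if (-not $SID) {{ continue }

  $UserWithDomain = get-UserFromSID $SID
  if (-not $UserWithDomain) {{
    # Keep going so the registry bookkeeping below still happens, but say so.
    write-log "Could not resolve SID $SID to an account name; continuing with the SID itself."
    $UserWithDomain = $SID
  }

  if ($Grant -and $Requestor) {{
    write-log "Granting Authorized Requestor to $UserWithDomain with SID: $SID" -Type Grant

    $NewAuthorizedRequestor = new-registrystructure -Path "$($Store.'Current Authorized Requestors')\$SID"
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Expiration" -Value $Expiration
  }

  if ($Revoke -and $Requestor) {{
    write-log "Revoking Authorized Requestor from $UserWithDomain with SID: $SID" -Type Revoke

    $CurrentAuthorizedRequestor = "$($Store.'Current Authorized Requestors')\$SID"
    $ExpiredAuthorizedRequestor = new-registrystructure -Path "$($Store.'Expired Authorized Requestors')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAuthorizedRequestor -Destination "$ExpiredAuthorizedRequestor\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAuthorizedRequestor\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }

  if ($Admin -and $Grant) {{
    write-log "Granting Administrative Rights to $UserWithDomain with SID: $SID" -Type Grant

    # Record before adding: an interruption between the two leaves a record with
    # no membership (harmless) rather than a membership with no record (never revoked).
    $NewAdministrator = new-registrystructure -Path "$($Store.'Current Administrators')\$SID"
    set-recordvalue -Path $NewAdministrator -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAdministrator -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAdministrator -Name "Expiration" -Value $Expiration

    & net localgroup "$AdminGroup" "$UserWithDomain" /add
    if ($LASTEXITCODE -ne 0) {{
      write-log "FAILED to add $UserWithDomain to local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }
  }

  if ($Admin -and $Revoke) {{
    write-log "Revoking Administrative Rights from $UserWithDomain with SID: $SID" -Type Revoke

    & net localgroup "$AdminGroup" "$UserWithDomain" /delete
    if ($LASTEXITCODE -ne 0) {{
      # The record is archived regardless (as before); the failure is at least visible now.
      write-log "FAILED to remove $UserWithDomain from local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }

    $CurrentAdministrator = "$($Store.'Current Administrators')\$SID"
    $ExpiredAdministrator = new-registrystructure -Path "$($Store.'Expired Administrators')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAdministrator -Destination "$ExpiredAdministrator\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAdministrator\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }
}
_end_

move __createfile rightshandler.ps1

// -NoProfile/-NonInteractive: no profile script runs as SYSTEM and no prompt can hang waithidden.
waithidden "{parameter "PowerShellExe"}" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "rightshandler.ps1" -SIDS "{parameter "SIDS"}" -TimeStamp "{parameter "TimeStamp"}" -Start "{parameter "Start"}" -Expiration "{parameter "Expiration"}" {parameter "Switches"}

// Do not leave the handler script behind once it has run.
delete rightshandler.ps1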
Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.

Action 2

Action Link Click here to grant the current user administrative rights for 8 hours.
Script Type BigFix Action Script
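parameter "SIDS"="{component strings of sid of logged on user}"
parameter "TimeStamp"="{now}"
parameter "Start"="{now}"
parameter "Expiration"="{now + 8*hour}"
parameter "Switches"="-Grant -Admin"

// Locate powershell.exe through the native (64-bit on x64) registry view.
parameter "PowerShellExe"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) }"

// SIDS is handed to the script ';'-separated. The relevance uses the singular
// "logged on user", so in practice one SID is passed; confirm how the client
// joins plural results before relying on more than one.

delete __createfile
delete rightshandler.ps1

// Inside createfile every literal "{" must be written "{{" (BigFix substitution escape).
createfile until _end_
param (
  $SIDS,
  $TimeStamp,
  $Start,
  $Expiration,
  [switch]$Grant,
  [switch]$Revoke,
  [switch]$Admin,
  [switch]$Requestor
)

# Rights handler for the C3 "Temporary Administrative Rights" fixlets.
# Records each grant or revocation under HKLM and adds/removes the account in
# the local Administrators group; every step is written to a dedicated event log.
#
# NOTE(review): the registry store is writable by local administrators, and the
# account being granted becomes one, so it can alter or delete its own
# Current\<SID> record. Treat the event log (forwarded off the endpoint) as the
# audit trail, not the registry.

$LogName   = "C3 Temporary Administrative Rights"
$LogSource = "Rights Handler"

# Registering the log/source is idempotent: it errors harmlessly once they exist.
New-EventLog -LogName $LogName -Source $LogSource -ErrorAction SilentlyContinue
# Limit-EventLog -LogName $LogName -Retention 28 -ErrorAction SilentlyContinue

# Writes one event. IDs are kept stable for existing detections:
# 1337 = verbose/diagnostic, 1338 = grant, 1339 = revoke.
function write-log {{
  param (
    $Message,
    [ValidateSet("Verbose","Grant","Revoke")]
    $Type = "Verbose"
  )
  switch ($Type) {{
    "Grant"  {{ $ID = 1338 }
    "Revoke" {{ $ID = 1339 }
    default  {{ $ID = 1337 }
  }

  write-verbose $Message
  write-eventlog -logname $LogName -source $LogSource -eventID $ID -EntryType "Information" -message "$Message"
}

# Creates a registry key (and missing parents) if absent; always returns the path.
function new-registrystructure {{
  param (
    $Path
  )
  if (!(test-path $Path)) {{ new-item $Path -force -ErrorAction SilentlyContinue | out-null }

  return "$Path"
}

# Creates or overwrites a registry value. The previous New-ItemProperty call
# failed silently when the value already existed, so re-granting an account whose
# Current\<SID> key had survived kept a stale Start/Expiration.
function set-recordvalue {{
  param (
    $Path,
    $Name,
    $Value
  )
  Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
}

# Resolves the local Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group is not literally named "administrators".
# Falls back to the English name if the lookup fails.
function get-AdministratorsGroupName {{
  try {{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $Name   = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    return $Name.Split("\")[-1]
  } catch {{
    return "administrators"
  }
}

# Resolves a SID to DOMAIN\User; returns $null (instead of throwing mid-loop)
# when the SID cannot be resolved, e.g. a deleted account or unreachable domain.
function get-UserFromSID {{
  param (
    $SID
  )
  try {{
    $objSID  = New-Object System.Security.Principal.SecurityIdentifier($SID)
    $objName = $objSID.Translate( [System.Security.Principal.NTAccount])
    return $objName.Value
  } catch {{
    return $null
  }
}

# On x64 the store ends up in the 32-bit registry view either way: a 64-bit
# process writes Wow6432Node explicitly, a 32-bit one reports x86 and has
# HKLM:\Software redirected. Presumably so the BES client and the Remove fixlet
# read it from one place -- confirm against that fixlet.
if ($env:PROCESSOR_ARCHITECTURE -eq "amd64") {{
  $SoftwareROOT = "HKLM:\Software\Wow6432Node\C3 Inventory"
} else {{
  $SoftwareROOT = "HKLM:\Software\C3 Inventory"
}

$Store = @{{
  "Temporary Administrative Rights Root" = "$SoftwareROOT\Temporary Administrative Rights";

  "Authorized Requestors Root"    = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors";
  "Current Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Current";
  "Expired Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Expired";

  "Administrators Root"    = "$SoftwareROOT\Temporary Administrative Rights\Administrators";
  "Current Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Current";
  "Expired Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Expired";
}

# Build the registry store.
foreach ($Item in $Store.GetEnumerator()) {{ new-registrystructure -Path $Item.Value | out-null }

if (-not $SIDS) {{
  write-log "No SIDs were supplied; nothing to do."
  return
}

$AdminGroup = get-AdministratorsGroupName

foreach ($RawSID in $SIDS.Split(";")) {{
  $SID = $RawSID.Trim()
  if (-not $SID) {{ continue }

  $UserWithDomain = get-UserFromSID $SID
  if (-not $UserWithDomain) {{
    # Keep going so the registry bookkeeping below still happens, but say so.
    write-log "Could not resolve SID $SID to an account name; continuing with the SID itself."
    $UserWithDomain = $SID
  }

  if ($Grant -and $Requestor) {{
    write-log "Granting Authorized Requestor to $UserWithDomain with SID: $SID" -Type Grant

    $NewAuthorizedRequestor = new-registrystructure -Path "$($Store.'Current Authorized Requestors')\$SID"
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Expiration" -Value $Expiration
  }

  if ($Revoke -and $Requestor) {{
    write-log "Revoking Authorized Requestor from $UserWithDomain with SID: $SID" -Type Revoke

    $CurrentAuthorizedRequestor = "$($Store.'Current Authorized Requestors')\$SID"
    $ExpiredAuthorizedRequestor = new-registrystructure -Path "$($Store.'Expired Authorized Requestors')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAuthorizedRequestor -Destination "$ExpiredAuthorizedRequestor\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAuthorizedRequestor\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }

  if ($Admin -and $Grant) {{
    write-log "Granting Administrative Rights to $UserWithDomain with SID: $SID" -Type Grant

    # Record before adding: an interruption between the two leaves a record with
    # no membership (harmless) rather than a membership with no record (never revoked).
    $NewAdministrator = new-registrystructure -Path "$($Store.'Current Administrators')\$SID"
    set-recordvalue -Path $NewAdministrator -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAdministrator -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAdministrator -Name "Expiration" -Value $Expiration

    & net localgroup "$AdminGroup" "$UserWithDomain" /add
    if ($LASTEXITCODE -ne 0) {{
      write-log "FAILED to add $UserWithDomain to local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }
  }

  if ($Admin -and $Revoke) {{
    write-log "Revoking Administrative Rights from $UserWithDomain with SID: $SID" -Type Revoke

    & net localgroup "$AdminGroup" "$UserWithDomain" /delete
    if ($LASTEXITCODE -ne 0) {{
      # The record is archived regardless (as before); the failure is at least visible now.
      write-log "FAILED to remove $UserWithDomain from local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }

    $CurrentAdministrator = "$($Store.'Current Administrators')\$SID"
    $ExpiredAdministrator = new-registrystructure -Path "$($Store.'Expired Administrators')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAdministrator -Destination "$ExpiredAdministrator\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAdministrator\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }
}
_end_

move __createfile rightshandler.ps1

// -NoProfile/-NonInteractive: no profile script runs as SYSTEM and no prompt can hang waithidden.
waithidden "{parameter "PowerShellExe"}" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "rightshandler.ps1" -SIDS "{parameter "SIDS"}" -TimeStamp "{parameter "TimeStamp"}" -Start "{parameter "Start"}" -Expiration "{parameter "Expiration"}" {parameter "Switches"}

// Do not leave the handler script behind once it has run.
delete rightshandler.ps1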
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 3

Action Link Click here to grant the current user administrative rights for 1 day.
Script Type BigFix Action Script
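parameter "SIDS"="{component strings of sid of logged on user}"
parameter "TimeStamp"="{now}"
parameter "Start"="{now}"
parameter "Expiration"="{now + 1*day}"
parameter "Switches"="-Grant -Admin"

// Locate powershell.exe through the native (64-bit on x64) registry view.
parameter "PowerShellExe"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) }"

// SIDS is handed to the script ';'-separated. The relevance uses the singular
// "logged on user", so in practice one SID is passed; confirm how the client
// joins plural results before relying on more than one.

delete __createfile
delete rightshandler.ps1

// Inside createfile every literal "{" must be written "{{" (BigFix substitution escape).
createfile until _end_
param (
  $SIDS,
  $TimeStamp,
  $Start,
  $Expiration,
  [switch]$Grant,
  [switch]$Revoke,
  [switch]$Admin,
  [switch]$Requestor
)

# Rights handler for the C3 "Temporary Administrative Rights" fixlets.
# Records each grant or revocation under HKLM and adds/removes the account in
# the local Administrators group; every step is written to a dedicated event log.
#
# NOTE(review): the registry store is writable by local administrators, and the
# account being granted becomes one, so it can alter or delete its own
# Current\<SID> record. Treat the event log (forwarded off the endpoint) as the
# audit trail, not the registry.

$LogName   = "C3 Temporary Administrative Rights"
$LogSource = "Rights Handler"

# Registering the log/source is idempotent: it errors harmlessly once they exist.
New-EventLog -LogName $LogName -Source $LogSource -ErrorAction SilentlyContinue
# Limit-EventLog -LogName $LogName -Retention 28 -ErrorAction SilentlyContinue

# Writes one event. IDs are kept stable for existing detections:
# 1337 = verbose/diagnostic, 1338 = grant, 1339 = revoke.
function write-log {{
  param (
    $Message,
    [ValidateSet("Verbose","Grant","Revoke")]
    $Type = "Verbose"
  )
  switch ($Type) {{
    "Grant"  {{ $ID = 1338 }
    "Revoke" {{ $ID = 1339 }
    default  {{ $ID = 1337 }
  }

  write-verbose $Message
  write-eventlog -logname $LogName -source $LogSource -eventID $ID -EntryType "Information" -message "$Message"
}

# Creates a registry key (and missing parents) if absent; always returns the path.
function new-registrystructure {{
  param (
    $Path
  )
  if (!(test-path $Path)) {{ new-item $Path -force -ErrorAction SilentlyContinue | out-null }

  return "$Path"
}

# Creates or overwrites a registry value. The previous New-ItemProperty call
# failed silently when the value already existed, so re-granting an account whose
# Current\<SID> key had survived kept a stale Start/Expiration.
function set-recordvalue {{
  param (
    $Path,
    $Name,
    $Value
  )
  Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
}

# Resolves the local Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group is not literally named "administrators".
# Falls back to the English name if the lookup fails.
function get-AdministratorsGroupName {{
  try {{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $Name   = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    return $Name.Split("\")[-1]
  } catch {{
    return "administrators"
  }
}

# Resolves a SID to DOMAIN\User; returns $null (instead of throwing mid-loop)
# when the SID cannot be resolved, e.g. a deleted account or unreachable domain.
function get-UserFromSID {{
  param (
    $SID
  )
  try {{
    $objSID  = New-Object System.Security.Principal.SecurityIdentifier($SID)
    $objName = $objSID.Translate( [System.Security.Principal.NTAccount])
    return $objName.Value
  } catch {{
    return $null
  }
}

# On x64 the store ends up in the 32-bit registry view either way: a 64-bit
# process writes Wow6432Node explicitly, a 32-bit one reports x86 and has
# HKLM:\Software redirected. Presumably so the BES client and the Remove fixlet
# read it from one place -- confirm against that fixlet.
if ($env:PROCESSOR_ARCHITECTURE -eq "amd64") {{
  $SoftwareROOT = "HKLM:\Software\Wow6432Node\C3 Inventory"
} else {{
  $SoftwareROOT = "HKLM:\Software\C3 Inventory"
}

$Store = @{{
  "Temporary Administrative Rights Root" = "$SoftwareROOT\Temporary Administrative Rights";

  "Authorized Requestors Root"    = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors";
  "Current Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Current";
  "Expired Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Expired";

  "Administrators Root"    = "$SoftwareROOT\Temporary Administrative Rights\Administrators";
  "Current Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Current";
  "Expired Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Expired";
}

# Build the registry store.
foreach ($Item in $Store.GetEnumerator()) {{ new-registrystructure -Path $Item.Value | out-null }

if (-not $SIDS) {{
  write-log "No SIDs were supplied; nothing to do."
  return
}

$AdminGroup = get-AdministratorsGroupName

foreach ($RawSID in $SIDS.Split(";")) {{
  $SID = $RawSID.Trim()
  if (-not $SID) {{ continue }

  $UserWithDomain = get-UserFromSID $SID
  if (-not $UserWithDomain) {{
    # Keep going so the registry bookkeeping below still happens, but say so.
    write-log "Could not resolve SID $SID to an account name; continuing with the SID itself."
    $UserWithDomain = $SID
  }

  if ($Grant -and $Requestor) {{
    write-log "Granting Authorized Requestor to $UserWithDomain with SID: $SID" -Type Grant

    $NewAuthorizedRequestor = new-registrystructure -Path "$($Store.'Current Authorized Requestors')\$SID"
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Expiration" -Value $Expiration
  }

  if ($Revoke -and $Requestor) {{
    write-log "Revoking Authorized Requestor from $UserWithDomain with SID: $SID" -Type Revoke

    $CurrentAuthorizedRequestor = "$($Store.'Current Authorized Requestors')\$SID"
    $ExpiredAuthorizedRequestor = new-registrystructure -Path "$($Store.'Expired Authorized Requestors')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAuthorizedRequestor -Destination "$ExpiredAuthorizedRequestor\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAuthorizedRequestor\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }

  if ($Admin -and $Grant) {{
    write-log "Granting Administrative Rights to $UserWithDomain with SID: $SID" -Type Grant

    # Record before adding: an interruption between the two leaves a record with
    # no membership (harmless) rather than a membership with no record (never revoked).
    $NewAdministrator = new-registrystructure -Path "$($Store.'Current Administrators')\$SID"
    set-recordvalue -Path $NewAdministrator -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAdministrator -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAdministrator -Name "Expiration" -Value $Expiration

    & net localgroup "$AdminGroup" "$UserWithDomain" /add
    if ($LASTEXITCODE -ne 0) {{
      write-log "FAILED to add $UserWithDomain to local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }
  }

  if ($Admin -and $Revoke) {{
    write-log "Revoking Administrative Rights from $UserWithDomain with SID: $SID" -Type Revoke

    & net localgroup "$AdminGroup" "$UserWithDomain" /delete
    if ($LASTEXITCODE -ne 0) {{
      # The record is archived regardless (as before); the failure is at least visible now.
      write-log "FAILED to remove $UserWithDomain from local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }

    $CurrentAdministrator = "$($Store.'Current Administrators')\$SID"
    $ExpiredAdministrator = new-registrystructure -Path "$($Store.'Expired Administrators')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAdministrator -Destination "$ExpiredAdministrator\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAdministrator\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }
}
_end_

move __createfile rightshandler.ps1

// -NoProfile/-NonInteractive: no profile script runs as SYSTEM and no prompt can hang waithidden.
waithidden "{parameter "PowerShellExe"}" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "rightshandler.ps1" -SIDS "{parameter "SIDS"}" -TimeStamp "{parameter "TimeStamp"}" -Start "{parameter "Start"}" -Expiration "{parameter "Expiration"}" {parameter "Switches"}

// Do not leave the handler script behind once it has run.
delete rightshandler.ps1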
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 4

Action Link Click here to grant the current user administrative rights for 5 days.
Script Type BigFix Action Script
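parameter "SIDS"="{component strings of sid of logged on user}"
parameter "TimeStamp"="{now}"
parameter "Start"="{now}"
parameter "Expiration"="{now + 5*day}"
parameter "Switches"="-Grant -Admin"

// Locate powershell.exe through the native (64-bit on x64) registry view.
parameter "PowerShellExe"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) }"

// SIDS is handed to the script ';'-separated. The relevance uses the singular
// "logged on user", so in practice one SID is passed; confirm how the client
// joins plural results before relying on more than one.

delete __createfile
delete rightshandler.ps1

// Inside createfile every literal "{" must be written "{{" (BigFix substitution escape).
createfile until _end_
param (
  $SIDS,
  $TimeStamp,
  $Start,
  $Expiration,
  [switch]$Grant,
  [switch]$Revoke,
  [switch]$Admin,
  [switch]$Requestor
)

# Rights handler for the C3 "Temporary Administrative Rights" fixlets.
# Records each grant or revocation under HKLM and adds/removes the account in
# the local Administrators group; every step is written to a dedicated event log.
#
# NOTE(review): the registry store is writable by local administrators, and the
# account being granted becomes one, so it can alter or delete its own
# Current\<SID> record. Treat the event log (forwarded off the endpoint) as the
# audit trail, not the registry.

$LogName   = "C3 Temporary Administrative Rights"
$LogSource = "Rights Handler"

# Registering the log/source is idempotent: it errors harmlessly once they exist.
New-EventLog -LogName $LogName -Source $LogSource -ErrorAction SilentlyContinue
# Limit-EventLog -LogName $LogName -Retention 28 -ErrorAction SilentlyContinue

# Writes one event. IDs are kept stable for existing detections:
# 1337 = verbose/diagnostic, 1338 = grant, 1339 = revoke.
function write-log {{
  param (
    $Message,
    [ValidateSet("Verbose","Grant","Revoke")]
    $Type = "Verbose"
  )
  switch ($Type) {{
    "Grant"  {{ $ID = 1338 }
    "Revoke" {{ $ID = 1339 }
    default  {{ $ID = 1337 }
  }

  write-verbose $Message
  write-eventlog -logname $LogName -source $LogSource -eventID $ID -EntryType "Information" -message "$Message"
}

# Creates a registry key (and missing parents) if absent; always returns the path.
function new-registrystructure {{
  param (
    $Path
  )
  if (!(test-path $Path)) {{ new-item $Path -force -ErrorAction SilentlyContinue | out-null }

  return "$Path"
}

# Creates or overwrites a registry value. The previous New-ItemProperty call
# failed silently when the value already existed, so re-granting an account whose
# Current\<SID> key had survived kept a stale Start/Expiration.
function set-recordvalue {{
  param (
    $Path,
    $Name,
    $Value
  )
  Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
}

# Resolves the local Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group is not literally named "administrators".
# Falls back to the English name if the lookup fails.
function get-AdministratorsGroupName {{
  try {{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $Name   = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    return $Name.Split("\")[-1]
  } catch {{
    return "administrators"
  }
}

# Resolves a SID to DOMAIN\User; returns $null (instead of throwing mid-loop)
# when the SID cannot be resolved, e.g. a deleted account or unreachable domain.
function get-UserFromSID {{
  param (
    $SID
  )
  try {{
    $objSID  = New-Object System.Security.Principal.SecurityIdentifier($SID)
    $objName = $objSID.Translate( [System.Security.Principal.NTAccount])
    return $objName.Value
  } catch {{
    return $null
  }
}

# On x64 the store ends up in the 32-bit registry view either way: a 64-bit
# process writes Wow6432Node explicitly, a 32-bit one reports x86 and has
# HKLM:\Software redirected. Presumably so the BES client and the Remove fixlet
# read it from one place -- confirm against that fixlet.
if ($env:PROCESSOR_ARCHITECTURE -eq "amd64") {{
  $SoftwareROOT = "HKLM:\Software\Wow6432Node\C3 Inventory"
} else {{
  $SoftwareROOT = "HKLM:\Software\C3 Inventory"
}

$Store = @{{
  "Temporary Administrative Rights Root" = "$SoftwareROOT\Temporary Administrative Rights";

  "Authorized Requestors Root"    = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors";
  "Current Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Current";
  "Expired Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Expired";

  "Administrators Root"    = "$SoftwareROOT\Temporary Administrative Rights\Administrators";
  "Current Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Current";
  "Expired Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Expired";
}

# Build the registry store.
foreach ($Item in $Store.GetEnumerator()) {{ new-registrystructure -Path $Item.Value | out-null }

if (-not $SIDS) {{
  write-log "No SIDs were supplied; nothing to do."
  return
}

$AdminGroup = get-AdministratorsGroupName

foreach ($RawSID in $SIDS.Split(";")) {{
  $SID = $RawSID.Trim()
  if (-not $SID) {{ continue }

  $UserWithDomain = get-UserFromSID $SID
  if (-not $UserWithDomain) {{
    # Keep going so the registry bookkeeping below still happens, but say so.
    write-log "Could not resolve SID $SID to an account name; continuing with the SID itself."
    $UserWithDomain = $SID
  }

  if ($Grant -and $Requestor) {{
    write-log "Granting Authorized Requestor to $UserWithDomain with SID: $SID" -Type Grant

    $NewAuthorizedRequestor = new-registrystructure -Path "$($Store.'Current Authorized Requestors')\$SID"
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Expiration" -Value $Expiration
  }

  if ($Revoke -and $Requestor) {{
    write-log "Revoking Authorized Requestor from $UserWithDomain with SID: $SID" -Type Revoke

    $CurrentAuthorizedRequestor = "$($Store.'Current Authorized Requestors')\$SID"
    $ExpiredAuthorizedRequestor = new-registrystructure -Path "$($Store.'Expired Authorized Requestors')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAuthorizedRequestor -Destination "$ExpiredAuthorizedRequestor\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAuthorizedRequestor\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }

  if ($Admin -and $Grant) {{
    write-log "Granting Administrative Rights to $UserWithDomain with SID: $SID" -Type Grant

    # Record before adding: an interruption between the two leaves a record with
    # no membership (harmless) rather than a membership with no record (never revoked).
    $NewAdministrator = new-registrystructure -Path "$($Store.'Current Administrators')\$SID"
    set-recordvalue -Path $NewAdministrator -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAdministrator -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAdministrator -Name "Expiration" -Value $Expiration

    & net localgroup "$AdminGroup" "$UserWithDomain" /add
    if ($LASTEXITCODE -ne 0) {{
      write-log "FAILED to add $UserWithDomain to local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }
  }

  if ($Admin -and $Revoke) {{
    write-log "Revoking Administrative Rights from $UserWithDomain with SID: $SID" -Type Revoke

    & net localgroup "$AdminGroup" "$UserWithDomain" /delete
    if ($LASTEXITCODE -ne 0) {{
      # The record is archived regardless (as before); the failure is at least visible now.
      write-log "FAILED to remove $UserWithDomain from local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }

    $CurrentAdministrator = "$($Store.'Current Administrators')\$SID"
    $ExpiredAdministrator = new-registrystructure -Path "$($Store.'Expired Administrators')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAdministrator -Destination "$ExpiredAdministrator\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAdministrator\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }
}
_end_

move __createfile rightshandler.ps1

// -NoProfile/-NonInteractive: no profile script runs as SYSTEM and no prompt can hang waithidden.
waithidden "{parameter "PowerShellExe"}" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "rightshandler.ps1" -SIDS "{parameter "SIDS"}" -TimeStamp "{parameter "TimeStamp"}" -Start "{parameter "Start"}" -Expiration "{parameter "Expiration"}" {parameter "Switches"}

// Do not leave the handler script behind once it has run.
delete rightshandler.ps1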
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 5

Action Link Click here to grant the current user administrative rights permanently.
Script Type BigFix Action Script
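parameter "SIDS"="{component strings of sid of logged on user}"
parameter "TimeStamp"="{now}"
parameter "Start"="{now}"
// NOTE(review): 10,000,000 weeks is effectively a standing grant, not a temporary one;
// the Remove fixlet will in practice never expire it. Consider a separate, clearly
// non-temporary fixlet for this case so it is not mistaken for time-bounded access.
parameter "Expiration"="{now + (10000000 * week)}"
parameter "Switches"="-Grant -Admin"

// Locate powershell.exe through the native (64-bit on x64) registry view.
parameter "PowerShellExe"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) }"

// SIDS is handed to the script ';'-separated. The relevance uses the singular
// "logged on user", so in practice one SID is passed; confirm how the client
// joins plural results before relying on more than one.

delete __createfile
delete rightshandler.ps1

// Inside createfile every literal "{" must be written "{{" (BigFix substitution escape).
createfile until _end_
param (
  $SIDS,
  $TimeStamp,
  $Start,
  $Expiration,
  [switch]$Grant,
  [switch]$Revoke,
  [switch]$Admin,
  [switch]$Requestor
)

# Rights handler for the C3 "Temporary Administrative Rights" fixlets.
# Records each grant or revocation under HKLM and adds/removes the account in
# the local Administrators group; every step is written to a dedicated event log.
#
# NOTE(review): the registry store is writable by local administrators, and the
# account being granted becomes one, so it can alter or delete its own
# Current\<SID> record. Treat the event log (forwarded off the endpoint) as the
# audit trail, not the registry.

$LogName   = "C3 Temporary Administrative Rights"
$LogSource = "Rights Handler"

# Registering the log/source is idempotent: it errors harmlessly once they exist.
New-EventLog -LogName $LogName -Source $LogSource -ErrorAction SilentlyContinue
# Limit-EventLog -LogName $LogName -Retention 28 -ErrorAction SilentlyContinue

# Writes one event. IDs are kept stable for existing detections:
# 1337 = verbose/diagnostic, 1338 = grant, 1339 = revoke.
function write-log {{
  param (
    $Message,
    [ValidateSet("Verbose","Grant","Revoke")]
    $Type = "Verbose"
  )
  switch ($Type) {{
    "Grant"  {{ $ID = 1338 }
    "Revoke" {{ $ID = 1339 }
    default  {{ $ID = 1337 }
  }

  write-verbose $Message
  write-eventlog -logname $LogName -source $LogSource -eventID $ID -EntryType "Information" -message "$Message"
}

# Creates a registry key (and missing parents) if absent; always returns the path.
function new-registrystructure {{
  param (
    $Path
  )
  if (!(test-path $Path)) {{ new-item $Path -force -ErrorAction SilentlyContinue | out-null }

  return "$Path"
}

# Creates or overwrites a registry value. The previous New-ItemProperty call
# failed silently when the value already existed, so re-granting an account whose
# Current\<SID> key had survived kept a stale Start/Expiration.
function set-recordvalue {{
  param (
    $Path,
    $Name,
    $Value
  )
  Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
}

# Resolves the local Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group is not literally named "administrators".
# Falls back to the English name if the lookup fails.
function get-AdministratorsGroupName {{
  try {{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $Name   = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    return $Name.Split("\")[-1]
  } catch {{
    return "administrators"
  }
}

# Resolves a SID to DOMAIN\User; returns $null (instead of throwing mid-loop)
# when the SID cannot be resolved, e.g. a deleted account or unreachable domain.
function get-UserFromSID {{
  param (
    $SID
  )
  try {{
    $objSID  = New-Object System.Security.Principal.SecurityIdentifier($SID)
    $objName = $objSID.Translate( [System.Security.Principal.NTAccount])
    return $objName.Value
  } catch {{
    return $null
  }
}

# On x64 the store ends up in the 32-bit registry view either way: a 64-bit
# process writes Wow6432Node explicitly, a 32-bit one reports x86 and has
# HKLM:\Software redirected. Presumably so the BES client and the Remove fixlet
# read it from one place -- confirm against that fixlet.
if ($env:PROCESSOR_ARCHITECTURE -eq "amd64") {{
  $SoftwareROOT = "HKLM:\Software\Wow6432Node\C3 Inventory"
} else {{
  $SoftwareROOT = "HKLM:\Software\C3 Inventory"
}

$Store = @{{
  "Temporary Administrative Rights Root" = "$SoftwareROOT\Temporary Administrative Rights";

  "Authorized Requestors Root"    = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors";
  "Current Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Current";
  "Expired Authorized Requestors" = "$SoftwareROOT\Temporary Administrative Rights\Authorized Requestors\Expired";

  "Administrators Root"    = "$SoftwareROOT\Temporary Administrative Rights\Administrators";
  "Current Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Current";
  "Expired Administrators" = "$SoftwareROOT\Temporary Administrative Rights\Administrators\Expired";
}

# Build the registry store.
foreach ($Item in $Store.GetEnumerator()) {{ new-registrystructure -Path $Item.Value | out-null }

if (-not $SIDS) {{
  write-log "No SIDs were supplied; nothing to do."
  return
}

$AdminGroup = get-AdministratorsGroupName

foreach ($RawSID in $SIDS.Split(";")) {{
  $SID = $RawSID.Trim()
  if (-not $SID) {{ continue }

  $UserWithDomain = get-UserFromSID $SID
  if (-not $UserWithDomain) {{
    # Keep going so the registry bookkeeping below still happens, but say so.
    write-log "Could not resolve SID $SID to an account name; continuing with the SID itself."
    $UserWithDomain = $SID
  }

  if ($Grant -and $Requestor) {{
    write-log "Granting Authorized Requestor to $UserWithDomain with SID: $SID" -Type Grant

    $NewAuthorizedRequestor = new-registrystructure -Path "$($Store.'Current Authorized Requestors')\$SID"
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAuthorizedRequestor -Name "Expiration" -Value $Expiration
  }

  if ($Revoke -and $Requestor) {{
    write-log "Revoking Authorized Requestor from $UserWithDomain with SID: $SID" -Type Revoke

    $CurrentAuthorizedRequestor = "$($Store.'Current Authorized Requestors')\$SID"
    $ExpiredAuthorizedRequestor = new-registrystructure -Path "$($Store.'Expired Authorized Requestors')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAuthorizedRequestor -Destination "$ExpiredAuthorizedRequestor\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAuthorizedRequestor\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }

  if ($Admin -and $Grant) {{
    write-log "Granting Administrative Rights to $UserWithDomain with SID: $SID" -Type Grant

    # Record before adding: an interruption between the two leaves a record with
    # no membership (harmless) rather than a membership with no record (never revoked).
    $NewAdministrator = new-registrystructure -Path "$($Store.'Current Administrators')\$SID"
    set-recordvalue -Path $NewAdministrator -Name "Username"   -Value $UserWithDomain
    set-recordvalue -Path $NewAdministrator -Name "Start"      -Value $Start
    set-recordvalue -Path $NewAdministrator -Name "Expiration" -Value $Expiration

    & net localgroup "$AdminGroup" "$UserWithDomain" /add
    if ($LASTEXITCODE -ne 0) {{
      write-log "FAILED to add $UserWithDomain to local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }
  }

  if ($Admin -and $Revoke) {{
    write-log "Revoking Administrative Rights from $UserWithDomain with SID: $SID" -Type Revoke

    & net localgroup "$AdminGroup" "$UserWithDomain" /delete
    if ($LASTEXITCODE -ne 0) {{
      # The record is archived regardless (as before); the failure is at least visible now.
      write-log "FAILED to remove $UserWithDomain from local group $AdminGroup (net.exe exit code $LASTEXITCODE)."
    }

    $CurrentAdministrator = "$($Store.'Current Administrators')\$SID"
    $ExpiredAdministrator = new-registrystructure -Path "$($Store.'Expired Administrators')\$SID"

    # Archive Current\<SID> as Expired\<SID>\<TimeStamp>, then stamp the revocation time.
    Move-Item -Path $CurrentAdministrator -Destination "$ExpiredAdministrator\$TimeStamp" -ErrorAction SilentlyContinue | out-null
    set-recordvalue -Path "$ExpiredAdministrator\$TimeStamp" -Name "Revoked" -Value "$TimeStamp"
  }
}
_end_

move __createfile rightshandler.ps1

// -NoProfile/-NonInteractive: no profile script runs as SYSTEM and no prompt can hang waithidden.
waithidden "{parameter "PowerShellExe"}" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "rightshandler.ps1" -SIDS "{parameter "SIDS"}" -TimeStamp "{parameter "TimeStamp"}" -Start "{parameter "Start"}" -Expiration "{parameter "Expiration"}" {parameter "Switches"}

// Do not leave the handler script behind once it has run.
delete rightshandler.ps1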
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

