With Action1, you have the ability to run scripts on endpoints in an elevated context. Using this access, you can go through the steps of adding a user from the terminal, adding them to the administrators group, setting passwords, disabling the account when not needed, etc. Or you could simply load a handy endpoint script I created to automate this process for you.
Introducing the LocalAdminSolution.ps1 Endpoint Script
The LocalAdminSolution.ps1 endpoint script automates this process and includes some general maintenance tasks. By default, it will create a configurable local administrator account named “A1Admin”. This account will be assigned a randomly generated 14-character password, broken into hyphenated groups of 4 for easy remembering. If the account is already present, the script will enable it and set a new password. The new password is then returned in the endpoint results in the Action1 console.
 scale(0.100000, -0.100000)' fill='%23000000' stroke='none'%3E%3Cpath d='M970 2301 c-305 -68 -555 -237 -727 -493 -301 -451 -241 -1056 143 -1442 115 -116 290 -228 422 -271 49 -16 55 -16 77 -1 24 16 25 20 25 135 l0 118 -88 -5 c-103 -5 -183 13 -231 54 -17 14 -50 62 -73 106 -38 74 -66 108 -144 177 -26 23 -27 24 -9 37 43 32 130 1 185 -65 96 -117 133 -148 188 -160 49 -10 94 -6 162 14 9 3 21 24 27 48 6 23 22 58 35 77 l24 35 -81 16 c-170 35 -275 96 -344 200 -64 96 -85 179 -86 334 0 146 16 206 79 288 28 36 31 47 23 68 -15 36 -11 188 5 234 13 34 20 40 47 43 45 5 129 -24 214 -72 l73 -42 64 15 c91 21 364 20 446 0 l62 -16 58 35 c77 46 175 82 224 82 39 0 39 -1 55 -52 17 -59 20 -166 5 -217 -8 -30 -6 -39 16 -68 109 -144 121 -383 29 -579 -62 -129 -193 -219 -369 -252 l-84 -16 31 -55 32 -56 3 -223 4 -223 25 -16 c23 -15 28 -15 76 2 80 27 217 101 292 158 446 334 590 933 343 1431 -145 293 -419 518 -733 602 -137 36 -395 44 -525 15z'/%3E%3C/g%3E%3C/svg%3E)
For security, the account auto-maintains itself. It will remain enabled for only 5 minutes, until it is used to log into the system, or the system is rebooted—whichever comes first. When any of these events occur, the account is disabled, the password is re-randomized, and not logged or transmitted back to Action1. This means any password previously logged in the script history is invalid no more than 5 minutes after it is set.
There is also a companion data source that allows you to create a report to detect all systems where this solution has been employed. Together, they form a functional system for situations like these, or if you need to give a user temporary local admin access for any reason. If you use this solution, be aware of the risks associated with it and all local admin solutions.
Action1 makes using this script as simple as any other script in Action1, and that is to say, seamless. However, the script is not exclusive to Action1 and can be used in any endpoint management system capable of running PowerShell scripts in an appropriately elevated context.
Using this script in Action1
Log in to the Action1 Platform or sign up for an account, the first 100 endpoints are free with no feature limitations.
No credit card. 100 endpoints free. No feature limits.
Then follow the instructions below for adding new data sources and reports to the system.
1. Click to create a new data source or follow these steps:
-
- Go to Configuration | Data Sources, click [+New]
- Enter data source name, such as ‘Local Admin Solution’, [Next]
- Copy and paste the script above, [Next]
- Run on a test endpoint*, [Finish]
*This step WILL run the script on the endpoint, so ensure whatever system is being tested on has a proper backup recovery procedure.
2. Click to create a new automation or follow these steps:
-
- Go to Automaton | Automations, click New Automation | Run Script
- Select your new data source (e.g. ‘Local Admin Solution’)
- Choose your new script (e.g. ‘Local Admin Solution’), [Next]
- Select endpoints to run on, [Next]
- Choose to run now or later, [Finish]
For more insights and updates, keep an eye on our blog and join our upcoming webinars.
