Adding the current user to the admin group

jdziadek · May 26, 2023 - 09:27

Hello, I'm creating a package for our fleet of loaner PCs, to give admin rights to the current user.

def install():
    user = get_current_user()
    if ( user):
        add_user_to_group("centralelille\\" + user, "administrateurs")
def session_setup():
    user = get_current_user()
    add_user_to_group("centralelille\\" + user, "administrateurs")

When I run session-setup, I get an access denied error. Is session setup not being run with the system account?
Julian

May 26, 2023 - 12:41

During a setup session, it's not surprising that a user cannot add themselves to the administrator account

During installation you are looking to use

Code: Select all

get_loggedinusers()

But in your case, I suppose that means adding the "everyone" group to the administrators group...

jdziadek · May 26, 2023 - 6:32 PM

Hello, yes, indeed, I hadn't realized that session setup didn't use the system account; it wasn't explicitly stated in the documentation.
Is there any way to run a command as the system account using session setup? (For any purpose whatsoever)
Julien

May 26, 2023 - 8:44 PM

Hello jdziadek,

could you please explain your use case, as it seems you want to implement a kind of PAM (Privileged Access Management) system using WAPT?

Are your loaner PCs assigned to specific users?

What actions should your users be able to perform with an admin account on their loaner PCs?

Thank you.

jdziadek · May 30, 2023 - 08:34

Hello,
To put it simply, we have a fleet of 20 to 30 loaner PCs, loaned for a maximum of two months, either to students or staff. We would just like users to be able to install the software they want. We are at the very beginning of our WAPT infrastructure, and therefore the package list is not yet extensive enough for all users.
Once the PC is retrieved by the loan management service, we reinstall the machine via WADS.
Adding "everyone" to the admin group certainly works, but we would prefer something less drastic.
- Julien

May 30, 2023 - 12:53

jdziadek wrote: ↑May 26, 2023 - 6:32 PM Is there any way to place a command as a system account using a session setup? (For any purpose whatsoever)

This is particularly dangerous; it would mean that an unauthorized user could ask Wapt to execute code for them.

One useful tip, however, is that a user can request an audit during the setup session:

Code: Select all


def install():
    pass

def session_setup():
    wgets('http://127.0.0.1:8088/audit?force=1&package=tis-test')

def audit():
    for user in get_loggedinusers():
        add_user_to_group("centralelille\\" + user, "administrateurs")

But as I said, it amounts to the same thing as putting everyone in the administrators group... it doesn't change the end result.

May 30, 2023 - 11:02 PM

What software do you need to enable your users to have restricted access and allow them to install their software in self-service mode?

Can we collaborate to achieve this goal?

jdziadek · May 31, 2023 - 10:12

vcardon wrote: ↑May 30, 2023 - 11:02 PM What software do you need to put your users into restricted access and offer them self-service software installation?

Can we collaborate to achieve this goal?

The problem is that we don't know at all; we have many teacher-researchers who test software to see if it can meet a need, so they may need the software to test it and possibly never come back to it.

Gaelds · June 24, 2023 - 08:44

Hello,
we have a similar problem at our vocational high school. Companies ask interns to bring a PC, either to use our Autodesk/Solidworks Education licenses, etc., or to install their own business software. Sometimes these PCs even end up joined to the domain of the company hosting the intern. Therefore, they need administrator privileges.
The quickest solution I've found is to create a master image of these machines with our software installed via WAPT, but I keep it outside the domain. I only create a single "student" user who is a Windows administrator. When the PC is returned, I recreate its image.

June 26, 2023 - 11:02

Hello Julien,

jdziadek wrote: ↑May 31, 2023 - 10:12
vcardon wrote: ↑May 30, 2023 - 11:02 PM What software do you need to put your users into restricted access and offer them self-service software installation?

Can we collaborate to achieve this goal?
The problem is that we don't know at all; we have many teacher-researchers who test software to see if it can meet a need, so they may need the software to test it and possibly never come back to it.

It may not be possible to remove local admin rights from all teaching staff, but we've seen other schools that have successfully removed them for the vast majority of users with a well-populated self-service system. In fact, by explaining the risks associated with this account (particularly the increased risk of ransomware attacks) and the limited benefits if the self-service system is full, it's possible to get a lot of people to accept the change.

Beyond simply switching to local admin privileges, from a security standpoint it's best to avoid having the main user account as a local admin. Instead, create a separate local account on the same machine that can be used occasionally for installations, but not for daily use. If this account is local and doesn't have access to network resources, etc., it prevents users from using it daily, thus encouraging them to prioritize their restricted-privileged accounts.

Sincerely,

Denis