Page 1 of 2
Adding the current user to the admin group
Published: May 26, 2023 - 09:27
by jdziadek
Hello, I'm creating a package for our fleet of loaner PCs, to give admin rights to the current user.
Code: Select all
def install():
user = get_current_user()
if ( user):
add_user_to_group("centralelille\\" + user, "administrateurs")
def session_setup():
user = get_current_user()
add_user_to_group("centralelille\\" + user, "administrateurs")
When I run session-setup, I get an access denied error. Is session setup not being run with the system account?
Julian
Re: Adding the current user to the admin group
Published: May 26, 2023 - 12:41
by sfonteneau
During a setup session, it's not surprising that a user cannot add themselves to the administrator account
During installation you are looking to use
But in your case, I suppose that means adding the "everyone" group to the administrators group...
Re: Adding the current user to the admin group
Published: May 26, 2023 - 6:32 PM
by jdziadek
Hello, yes, indeed, I hadn't realized that session setup didn't use the system account; it wasn't explicitly stated in the documentation.
Is there any way to run a command as the system account using session setup? (For any purpose whatsoever)
Julien
Re: Adding the current user to the admin group
Published: May 26, 2023 - 8:44 PM
by vcardon
Hello jdziadek,
could you please explain your use case, as it seems you want to implement a kind of PAM (Privileged Access Management) system using WAPT?
Are your loaner PCs assigned to specific users?
What actions should your users be able to perform with an admin account on their loaner PCs?
Thank you.
Re: Adding the current user to the admin group
Published: May 30, 2023 - 08:34
by jdziadek
Hello,
To put it simply, we have a fleet of 20 to 30 loaner PCs, loaned for a maximum of two months, either to students or staff. We would just like users to be able to install the software they want. We are at the very beginning of our WAPT infrastructure, and therefore the package list is not yet extensive enough for all users.
Once the PC is retrieved by the loan management service, we reinstall the machine via WADS.
Adding "everyone" to the admin group certainly works, but we would prefer something less drastic.
- Julien
Re: Adding the current user to the admin group
Published: May 30, 2023 - 12:53
by sfonteneau
jdziadek wrote: ↑May 26, 2023 - 6:32 PM
Is there any way to place a command as a system account using a session setup? (For any purpose whatsoever)
This is particularly dangerous; it would mean that an unauthorized user could ask Wapt to execute code for them.
One useful tip, however, is that a user can request an audit during the setup session:
Code: Select all
def install():
pass
def session_setup():
wgets('http://127.0.0.1:8088/audit?force=1&package=tis-test')
def audit():
for user in get_loggedinusers():
add_user_to_group("centralelille\\" + user, "administrateurs")
But as I said, it amounts to the same thing as putting everyone in the administrators group... it doesn't change the end result.
Re: Adding the current user to the admin group
Published: May 30, 2023 - 11:02 PM
by vcardon
What software do you need to enable your users to have restricted access and allow them to install their software in self-service mode?
Can we collaborate to achieve this goal?
Re: Adding the current user to the admin group
Published: May 31, 2023 - 10:12
by jdziadek
vcardon wrote: ↑May 30, 2023 - 11:02 PM
What software do you need to put your users into restricted access and offer them self-service software installation?
Can we collaborate to achieve this goal?
The problem is that we don't know at all; we have many teacher-researchers who test software to see if it can meet a need, so they may need the software to test it and possibly never come back to it.
Re: Adding the current user to the admin group
Published: June 24, 2023 - 08:44
by gaelds
Hello,
we have a similar problem at our vocational high school. Companies ask interns to bring a PC, either to use our Autodesk/Solidworks Education licenses, etc., or to install their own business software. Sometimes these PCs even end up joined to the domain of the company hosting the intern. Therefore, they need administrator privileges.
The quickest solution I've found is to create a master image of these machines with our software installed via WAPT, but I keep it outside the domain. I only create a single "student" user who is a Windows administrator. When the PC is returned, I recreate its image.
Re: Adding the current user to the admin group
Published: June 26, 2023 - 11:02 AM
by dcardon
Hello Julien,
jdziadek wrote: ↑May 31, 2023 - 10:12
vcardon wrote: ↑May 30, 2023 - 11:02 PM
What software do you need to put your users into restricted access and offer them self-service software installation?
Can we collaborate to achieve this goal?
The problem is that we don't know at all; we have many teacher-researchers who test software to see if it can meet a need, so they may need the software to test it and possibly never come back to it.
It may not be possible to remove local admin rights from all teaching staff, but we've seen other schools that have successfully removed them for the vast majority of users with a well-populated self-service system. In fact, by explaining the risks associated with this account (particularly the increased risk of ransomware attacks) and the limited benefits if the self-service system is full, it's possible to get a lot of people to accept the change.
Beyond simply switching to local admin privileges, from a security standpoint it's best to avoid having the main user account as a local admin. Instead, create a separate local account on the same machine that can be used occasionally for installations, but not for daily use. If this account is local and doesn't have access to network resources, etc., it prevents users from using it daily, thus encouraging them to prioritize their restricted-privileged accounts.
Sincerely,
Denis