Adding a remote user to a local admin group

JavierIOM · November 16, 2023, 12:04pm

Hello,

I have a small powershell script that we run in Bigfix to add a user as a admin to their own machine:

add-localgroupmember -group 'Power Users' -member azuread\user.name@domain.com

What I want to do is run this as the local user account and add the user with a vaiable like this:

runas=currentuser

# Grab the upn of the user
wait powershell $upn = whoami /upn

# Add the local user to the admin group of the machine

wait powershell add-localgroupmember -group 'Power Users' -member azuread\$upn

Unfortunately it doesnt work, probably as my syntax isnt right, can anyone help please?

Javier.

trn · November 16, 2023, 12:14pm

The fundamntal issue is that the $upn variable is created and defined in your first call to powershell - but does not exist outside that scope, so doesn’t exist in the second call to powershell

JavierIOM · November 16, 2023, 1:05pm

OK, Understood, how can I get around that then?

dgendera · November 16, 2023, 1:23pm

There is probably better way but what we do a lot in our environment is write the output to textfile and then read content of the file

whoami /upn > C:\hp\userinfo.txt
read userinfo.txt and add to that to the group

option 2: create small powershell script vs. individual commands and then the variable is within scope of the script and that should work also

JasonWalker · November 16, 2023, 2:06pm

You’ll also have the difficulty that a user cannot add itself to the local Administrators group - since the user is not already an Administrator, they cannot change the Administrators group.

I’m looking for a better way to retrieve UPN, but if you use ‘whoami’ then that process needs to run as the user (to retrieve the correct name), but the second command that actually adds the user will need to run as LocalSystem.

JavierIOM · November 17, 2023, 10:25am

Hello,

Were you fortunate enough to find a solution to this please?

Javier.

JasonWalker · November 17, 2023, 12:39pm

No, surprisingly I didn’t find an inspector to return a UPN directly so probably still need to run ‘whoami’ for that part, but after running whoami the tests would work (executing as LocalSystem, not as the user)

JavierIOM · November 17, 2023, 12:52pm

Hi Jason,

Thanks for looking into it for me, would you be able to step-by-step what I need to do with the above please?

Im very new to this product so I do apologise to ask.

Javier.

SLB · November 19, 2023, 2:55pm

Would an approach like this work, which is really what @dgendera was suggesting? (assumption being a TEMP folder has been created). The run command is overridden to run as current user so would return the logged in user upn but the waithidden command would run as SYSTEM so have the rights to add the user?

override run
Hidden=true
RunAs=currentuser
run cmd.exe /c whoami /upn > C:\TEMP\upn.txt

parameter "upn" = "{line 1 of file "C:\TEMP\upn.txt"}"

waithidden cmd.exe /c net localgroup "Power Users" /add {parameter "upn"}