Adding a remote user to a local admin group

JavierIOM 2023-11-16 12:04:34 UTC #1

Hello,

I have a small powershell script that we run in Bigfix to add a user as a admin to their own machine:

add-localgroupmember -group 'Power Users' -member azuread\user.name@domain.com

What I want to do is run this as the local user account and add the user with a vaiable like this:

runas=currentuser

# Grab the upn of the user
wait powershell $upn = whoami /upn

# Add the local user to the admin group of the machine

wait powershell add-localgroupmember -group 'Power Users' -member azuread\$upn

Unfortunately it doesnt work, probably as my syntax isnt right, can anyone help please?

Javier.

trn 2023-11-16 12:14:24 UTC #2

The fundamntal issue is that the $upn variable is created and defined in your first call to powershell - but does not exist outside that scope, so doesn’t exist in the second call to powershell

JavierIOM 2023-11-16 13:05:55 UTC #3

OK, Understood, how can I get around that then?

dgendera 2023-11-16 13:23:49 UTC #4

There is probably better way but what we do a lot in our environment is write the output to textfile and then read content of the file

whoami /upn > C:\hp\userinfo.txt
read userinfo.txt and add to that to the group

option 2: create small powershell script vs. individual commands and then the variable is within scope of the script and that should work also

JasonWalker 2023-11-16 14:06:25 UTC #5

You’ll also have the difficulty that a user cannot add itself to the local Administrators group - since the user is not already an Administrator, they cannot change the Administrators group.

I’m looking for a better way to retrieve UPN, but if you use ‘whoami’ then that process needs to run as the user (to retrieve the correct name), but the second command that actually adds the user will need to run as LocalSystem.

JavierIOM 2023-11-17 10:25:07 UTC #6

Hello,

Were you fortunate enough to find a solution to this please?

Javier.

JasonWalker 2023-11-17 12:39:53 UTC #7

No, surprisingly I didn’t find an inspector to return a UPN directly so probably still need to run ‘whoami’ for that part, but after running whoami the tests would work (executing as LocalSystem, not as the user)

JavierIOM 2023-11-17 12:52:25 UTC #8

Hi Jason,

Thanks for looking into it for me, would you be able to step-by-step what I need to do with the above please?

Im very new to this product so I do apologise to ask.

Javier.

SLB 2023-11-19 14:55:51 UTC #9

Would an approach like this work, which is really what @dgendera was suggesting? (assumption being a TEMP folder has been created). The run command is overridden to run as current user so would return the logged in user upn but the waithidden command would run as SYSTEM so have the rights to add the user?

override run
Hidden=true
RunAs=currentuser
run cmd.exe /c whoami /upn > C:\TEMP\upn.txt

parameter "upn" = "{line 1 of file "C:\TEMP\upn.txt"}"

waithidden cmd.exe /c net localgroup "Power Users" /add {parameter "upn"}