Creating a new local admin with limited rights

Hello everyone, I am currently creating a new local admin using PowerShell. This admin should be able to do everything except create another admin account. The account will be deleted after 24 hours. The account can be created without issues and the schedule also works, but the permission part is not fully functional yet. I have tried creating a new group, limiting its permissions and then linking it to the normal Administrators group. This did not work. Now I am trying to edit the Administrators group itself so that no account within the group can create any more accounts. These settings should also be reset after 24 hours. My current code (the script block must be used because our software distribution is only 32-bit capable):

```powershell
$ScriptBlock = {

    # Create the temporary account
    New-LocalUser -Name "admintemp" -Password (ConvertTo-SecureString "89hfihi244" -AsPlainText -Force) -FullName "24h Admin" -Description "Account exists 24h"

    Add-LocalGroupMember -Group "Administrators" -Member "admintemp"

    # Deny the Administrators group full control on the policy key (this is the part that is not working yet)
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators", "FullControl", "Deny")
    $Key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree)
    $ACL  = $Key.GetAccessControl()
    $ACL.SetAccessRule($Rule)
    $Key.SetAccessControl($ACL)

    # Scheduled task that removes the group membership after 24 hours (the account itself is left in place)
    $Trigger = New-ScheduledTaskTrigger -At (Get-Date).AddHours(24) -Once
    $Action  = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument '-Command "& {Remove-LocalGroupMember -Group ''Administrators'' -Member ''admintemp''}"'

    Register-ScheduledTask -TaskName "Remove Temporary Admin" -Trigger $Trigger -Action $Action
}

# Run through the 64-bit host because the software distribution is 32-bit only
& "$env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe" -Command $ScriptBlock
```

Best regards and thank you, Marc

Marc,
Welcome to the forum. :wave:t4:

First of all …
When you post code, sample data, console output or error messages please format it as code using the preformatted text button ( </> ). Simply place your cursor on an empty line, click the button and paste your code.

Thanks in advance

How to format code in PowerShell.org <---- Click :point_up_2:t4: :wink:



I think your question is actually not a PowerShell topic. It would fit much better to forums like

or

Regardless of all that - what problem would you like to solve with this approach? It sounds pretty much like a tinkered solution through the back door where you should actually do it with a proper/professional solution.

It seems like you’re about to give administrative access to someone you do not fully trust. That sounds like a really bad idea.
Next … you want to limit the access to 24 hours by using a scheduled task removing the access on the machine where the access was granted?! … whoever gets this access needs 1 minute to delete this scheduled task and actually gain administrative access for good. :wink:

A question: is it still possible to grant administrative access to already existing accounts? :wink:

I’d urgently recommend reconsidering your approach and maybe asking a specialist for security or identity and access management.
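The weak spot called out above is that the cleanup lives on the same machine as the temporary admin. As an added example (not code from the thread), here is an audit check a defender could run from an elevated session or against forwarded Security logs to see whether the membership outlived its window and whether the cleanup task was deleted. The account and task names are the ones from the post and are assumptions here; the event IDs require the corresponding audit subcategories (user account management, security group management, other object access) to be enabled.

```powershell
# Audit check for the temporary-admin approach discussed in the thread.
# Names taken from the post; adjust them if yours differ (assumption).
$AccountName = 'admintemp'
$TaskName    = 'Remove Temporary Admin'
$Since       = (Get-Date).AddHours(-48)

# 1. Is the account still a member of Administrators?
$StillAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$AccountName" }

# 2. Does the cleanup task still exist, or has it been removed?
$Task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue

# 3. Relevant Security log events:
#    4720 user created, 4732 member added to a local group, 4733 member removed,
#    4698 scheduled task created, 4699 scheduled task deleted.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4732, 4733, 4698, 4699
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($AccountName) -or
                   $_.Message -match [regex]::Escape($TaskName) }

# First line of each message is enough for a quick timeline
$Events |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

if ($StillAdmin -and -not $Task) {
    Write-Warning "$AccountName is still in Administrators and the cleanup task '$TaskName' no longer exists."
}
elseif ($StillAdmin) {
    Write-Warning "$AccountName is still in Administrators; cleanup task is pending."
}
else {
    Write-Output "$AccountName is not a member of Administrators."
}
```

A 4699 for the task followed by no 4733 for the account is the pattern the reply warns about; running this from a host the temporary admin cannot reach is what makes it useful.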