
Situation: Your CEO is working remotely via VPN and needs to install a program on his laptop. He does not have local admin rights. An admin is available to help, but attempts to enter admin credentials to permit installation of the program fail, presumably because the admin's credentials are not cached on the laptop (the admin has never logged into this computer). Having the admin log in and install it won't work because her credentials are not cached. Remember we are connected via the VPN.

Authentication: Active Directory

Server: Windows 2008 R2

Laptop: Windows 7

Question: How do I avoid this without caching all admin credentials on the computer, which would be ill advised? (I.e. I don't know which admin will be providing support.)

Possible solution: Temporarily add the CEO to the admin security group. Have him install the program. Then remove him from the admin security group. Will that work? Is that the safest way to pull it off? (Edit: this didn't work.)

I asked a similar, but different question here: how to cache credentials on Windows

2 Answers


Users connected via VPN should have connectivity to a Domain Controller (possibly read-only) to confirm account authentication. This sounds like the center of your particular problem. If the Windows computer cannot see Active Directory, it will not be able to confirm any domain-based changes, including your administrators attempting to make the user an administrator. Work with your VPN provider to ensure the appropriate firewall rules are set up for domain-based authentication.

With the user connected to the VPN, the system administrator should have a remote access tool to be able to share the screen and view any UAC control windows that pop up. Dameware and the built-in Remote Assistance tool work well. WebEx does not as it 'blacks out' the remote session when the UAC prompt pops up.

Using the remote access tool, the system administrator can right-click an installer file and select "run as administrator" or "run as another user" and use the administrator credentials to run the installer. As the user is connected to the VPN, the computer will be able to authenticate to the Active Directory Domain Controller and grant the admin access to run the installer. This also "caches" the credentials for future use as if the administrator had logged in locally, and the user does not see or know the administrator password at any point.

If it is an MSI file, or requires the command line, right-click the Command Prompt icon in the start menu the same way as above, and after authenticating use MSIEXEC to install the MSI.

LAPS, as mentioned by Slipeer, will be something to set up at a later date, as it does not solve the immediate problem. It solves the problem where a user has no network or VPN connectivity by allowing your Active Directory to manage individual local admin accounts, but if the remote user cannot connect to the domain over VPN right now, it can't be pushed to the system.

If you cannot use a remote access tool to get past the UAC, you can use compmgmt.msc on a local machine, connect to the user's machine, create a temporary local admin account and use it as above, then disable it before the user disconnects from the VPN. Again, this can only be done if you have connectivity to an Active Directory Domain Controller.

  • Although I have not confirmed/tested it yet, I think your first paragraph is correct. I think a different issue we are having with the firewall is likely the culprit. I'll try to report back and mark your answer when I know for sure. Commented Dec 27, 2016 at 22:33

Possible solution: use LAPS. The admin can always know the local administrator password, and the local administrator password is always secure and different.

  • Slipeer - This scares me: "Passwords are stored in clear-text and may be exposed if delegation is not properly planned/deployed." How do I properly plan/deploy? I am actively searching and reading about it now. Commented Dec 27, 2016 at 15:11
