Make Me Admin is a simple, open-source application for Windows that allows standard user accounts to be elevated to administrator-level, on a temporary basis.
Home Page: https://makemeadmin.com/
License: GNU General Public License v3.0
We're getting the follow error message when attempting to elevate:
Error Message: The server has rejected the client credentials
We've been using MakeMeAdmin in the environment for a bit now without any issues so I suspect that modifications in the laptop image we're using have caused the problems because we're only seeing it with recent laptops.
Any ideas where to look or have you seen this problem before?
Is there a solution or workaround for more dynamic assignment of Users/Groups allowed or denied rights via the MakeMeAdmin GPO Templates or Registry Keys?
For example, support for things like:
%DomainName%\%LogonUser%
%DomainName%\Example-%ComputerName%-Group
This would allow for simpler use of Group Policy for more dynamically deploying this solution at large scale.
Obviously not all environment variables need supported, however key items like the following would be extremely helpful and practical:
%DomainName%
%ComputerName%
%LogonUser%
%LogonUserSid%
List of Environment Variables: https://evotec.xyz/environment-variables-in-group-policy-preferences/
Hello,
Would be great if the toast-notification which comes up after the user have invoked admin would also take the value specified in "Admin Rights Timeout" e.g:
"You are now a member of the Administrators group for Xmin"
and possibly be able to control a reminder with a regedit value so that every Xmin it reminds the user:
"You have Xmin left as a member of the Administrators group"
Possibly a duplicate of:
#35
Thanks!
When a user adds themselves to the Local Administrator group via Make Me Admin they do not actually have admin rights until they log off then back in again (and same issue when the timeout occurs and Make Me Admin revokes the right).
Has anyone come across this issue? Any solutions?
I wish you could clear the admin group from users not added by MakeMeAdmin. Potentially, a user could create a new local user and add that user to the admin group. It would be nice to have thoose cleared out.
If "C:\Program Data\Make Me Admin\Users.xml" exists, but has invalid data in it then the MakeMeAdmin service starts to fail. I've only seen this once after a computer blue-screened, so I'm not sure how important it really is to address or in-fact what the best behaviour really is, but I thought I should at least document the behaviour here so that it can be addressed.
In this case you can get an error logged such as the following:
Failed to process session change. System.Security.Cryptography.CryptographicException: The data is invalid.
at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
at SinclairCC.MakeMeAdmin.EncryptedSettings.Load(String filePath)
at SinclairCC.MakeMeAdmin.EncryptedSettings..ctor(String filePath)
at SinclairCC.MakeMeAdmin.MakeMeAdminService.OnSessionChange(SessionChangeDescription changeDescription)
at System.ServiceProcess.ServiceBase.DeferredSessionChange(Int32 eventType, Int32 sessionId)
This raises a couple of questions. Firstly, if the service is unable to deserialise and decrypt the contents of the file, what is the correct behaviour? Should it create a new empty settings file instead of failing? Should it be keeping a copy in memory and using that instead if it isn't the initial service startup?
Also, in this instance the calls from the UI into the service were failing. Should exceptions generated on the service side of these calls be logged? (similar to how the base service code logs the session change error). Currently, exceptions within these are not handled or logged in any way.
Finally, the folder "C:\ProgramData\Make Me Admin" doesn't get created at install time - it is only created when an action such as adding or removing a user gets triggered that results in saving the file. The permissions on ProgramData are such that a standard user can create a folder under C:\ProgramData without any special permissions, which means that a standard user is able to disrupt the service for someone else in the future if MakeMeAdmin has not yet been used on that computer.
Hello. I'm trying to adapt our MMA GPO based options to Azure AD only devices. In doing so, I create a local group, added members from our Azure AD (add-localgroupmember -name group-name-here "AzureAD\users-name". This works fine. I then set the group name in the proper registry key under HKLM\Software\Policies\etc. this works fine, and I can elevate. Unfortunately, if I specify require credentials, and I'm a WHfB users - regardless of whether I enter a password, pin, or face-biometric, it just keeps repeatedly asking.
For some reason I've noticed MakeMeAdmin is often/occasionally quite slow to initialize as it checks If you are allowed to Ask for Admin rights (e.g. "Checking Administrator Status...")
This is inconsistent, and is not always slow/delayed. But quite often the initialization can take from 5-15 seconds. Other times it is near instant.
Is there a particular reason this might be occurring (if you've ever noticed it)?
Is there a workaround for using Microsoft Multilingual App Toolkit? It is not as of now compatible with Visual Studio 2022. If not, maybe people could go upvote this issue on developer portal
https://developercommunity.visualstudio.com/t/multilingual-app-toolkit-not-available-on-vs2022/1590902
As part of integrating MMA into the corporate/organizational culture of places where it's deployed, have you considered allowing the text and icon in MMA to be customized in the Registry/GPO settings? I know it could be a bit of a sprawl if you support keys for the localizations as well.
Text Customization Keys:
UI-Text-Require Authentication WindowUI-Text-Title BarUI-Text-Grant Admin Rights ButtonUI-Text-Grant Admin Rights ButtonUI-Text-Notifcation TitleUI-Text-Notifcation TitleUI-Text-Notifcation Admin Rights EnabledUI-Text-Notifcation Admin Rights DisabledUI-Text-Reason Dialog TitleUI-Text-Reason DialogIcon Key (I'm not sure how you're handling the program icon(s). If it's a single multi resolution .ico file, then just one key):
UI-Icon-ApplicationUI-Icon-SysTrayUnless I'm missing something GitHub doesn't seem to allow pull requests on wiki repos.
On the Registry Settings](https://github.com/pseymour/MakeMeAdmin/wiki/Registry-Settings) page in the wiki, please consider adding the following: "Names of local users or groups should be in the format %COMPUTERNAME%\Name"
The final text for footnote 2 would be as follows:
2 : Names of users or groups should be in the format DOMAIN\Name. User principal names (e.g., [email protected]) will not work. Names of local users or groups should be in the format %COMPUTERNAME%\Name.
Hi. I am getting a CryptographicException thrown when it loads the EncryptedSettings from file. This throws a fault exception from the WCF service.
What do I need to do to recover from this? Clearly for whatever reason it won't decrypt the settings on my machine anymore
Thanks!
Hello,
I would like to deploy a GPO for MakeMeAdmin.
My question is this, what will be the behavior when computers no longer see the active directory (offline withou network). I tested, and in principle it works, but I think there is a cache for credentials ... for how long?
Thank you
Add an option to close elevated processes when a user's administrator rights expire.
The SMS_SystemConsoleUsage WMI class provides the name of the top console user (TopConsoleUser property). Create an option to read this value, and allow that user to obtain admin rights.
I'm trying to install this using the 64-bit installer but its failing. I'm getting the error "Service 'Make Me Admin' (MakeMeAdmin) failed to start. Verify that you have sufficient privileges to start system service. I am running the installer on a local administrator account.
Any ideas?
I installed the software and its wicked cool. Just can't get syslog to work. Trying to send things to my graylog server and no matter what I try, it wont show up. I've checked netstat -n and never see any established connections to my server. I've tried different ports, UDP, TCP etc. Both should work though for my server. What could I be doing wrong?
I'm not top notch when it comes to programing, but it looks as though both %COMPUTERNAME%\Name and .\Name should work for local Groups and Users. The comments in LocalAdministratorGroup.cs states:
Environment Variables will be expanded out. The following formats are accepted:
...
* .\\xxxx or %COMPUTERNAME%\\xxxx (local user or group - also accepts explicitly using the computer name)
...
However in my 2.3 install with.\GroupName in Allowed Entities ends with "You are not authorized to use this application". %COMPUTERNAME%\GroupName in Allowed Entities` works as expected.
Thanks.Peet
Great project. Thank you for your work.
I’m looking to implement this as the Windows equivalent toPrivileges.app. On of the features of Privileges.app is the ability to require the user to authenticate before they are granted admin rights. This hopefully keeps a third party from elevating rights without proving identity.
Would it be possible to add this functionality?
Is it possible to add some (http) webhook support to the code that would call an external website for configuration download, approvals, and log uploading?
Hello,
We are testing your application, and everything sounds good until we tested uninstall process.
So, we cannot recover the admin rights after uninstall.
User respected the uninstall process on Windows 10 by "add/remove application" from Windows 10 control panel.
Some precisions :
I thank you for your help,
Best regards and Happy New Year !
Hello!
First off, thank you for the great tool! I'm glad you chose to publish it!
I tried to set the Allowed Entities registry key to the SID of an O365 Azure AD security which contained a test user group, and it did not work. The app just says that the user isn't authorized to the use the app. I did notice that using the SID of the Azure AD test user did work.
Let me know if I can provide any further information. Thank you!
Jake
adml files in GPO templates are outdated compared to description and options in wiki. I have created a PR that updates the adml files so they match. Especially the option that it is now possible to use both SIDs and names in allowed and excluded groups
Hello. We use Make Me Admin at our school for elevating user rights. We are having an issue with a user, but only on her computer.
Here's the error:
An error occurred while adding you to the Administrators group.
Error Message: There was no endpoint listening at net.pipe://localcomputername/MakeMeAdmin/Service that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
Any tip for getting this fixed?
Thanks,
Matt
Hi, i just installed makeMeAdmin (with local admin, of course) but without any configuration each user can elevate to admin afterwards??
i didn't have done any GPOs nor do i see any precreated regkeys...
in my opinion, even if config would be forced from GPO it could be possible to wipe the registry policys and afterwards without any config every user can elevate?
Service is running but Launching MakeMeAdmin throws an error. The log later shows this message. Also any users manually added to local administrators (for a temporary workaround) get immediately removed by the service. Any ideas on how to troubleshoot it? Is there a way to turn on debug logging?
========
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.IO.PipeException: The pipe endpoint 'net.pipe://computer.domain.com/MakeMeAdmin/Service' could not be found on your local machine.
************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.
For example:
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box
We are facing Issues regarding Syslog Functionality for Make Me Admin. We had it running on one of our Client as a Test and sent it to our Kiwi syslog server. We did this via the Registry Entry where we just added server_adress:514. This worked for us a Couple Months ago and now we tried to enable it for multiple Clients sending their Logs to a Kibana Syslog which is part of an Elastic Stack. This did now not work. So we also tried going back to the Kiwi Syslog Server. Here we had the same Settings as the last time it worked as we had a Backup of the Registry and Server Settings. This doesn`t work either anymore. I already read multiple times that Make Me admin is having Issues with Syslog functionality. Do you have any Tips or Infos regarding this?
I am trying to regulate the use of this nice application with the GPO's \ reg-keys you set up for this. If I enter a user account or SID for the Allowed Entities then it works fine.
However, when an AD group or AD group SID is entered here, the users are not authorized to use the application.
Can you help me with this?
Thanks in advance.
Willem
Implement an optional dialog box, where users can enter the reason they need administrator rights.
Features should include a drop-down list of "canned" responses, provided by the administrator. Also, allow a free-form text box, where users can enter their own reason. Administrators should be able to control which of these features is/are available to the user.
I am getting an error when I try to add myself to the group Administrators. The program is installed with a local admin and this was working fine until the last 3 days.
I had some issues with the com port and had to forcefully restart my PC a couple of times while the "MakeMeAdmin" has granted the temporary admin access. This is the only change I remember and I didn't install or uninstall any other programs recently. I have also tried disabling and enabling .net framework 3.5 and 4.8 from windows features but no luck. Also tried uninstalling and reinstalling the program still the same issue.
I have also checked for port 808, it's free and no other application is using it.
Screenshot of the issue when I click on "Grant Me Administrator Rights"
Enabled options in .net framework
Would be happy to get any additional debug log if required.
Create an option to log off the given user when their admin rights expire.
I saw the latest release is nearly 3 years old, and the installer in the Repo has debug in the name what would you recommend to use for production?
Hello,
Just want to start by saying I love this tool and have been using it for a couple of years now. I have just recently ran into a pc error where the app service will not start (screenshot provided). I have tried to completely remove the application and re-install to no avail. I am constantly hit with this error. My one take away is that this is only happening on one machine and all the other machines are operating normally. Was wondering if there is a setting I am missing or other issue. Thank you for all your assistance.
Mike
Expected behavior:
observed behavior:
current steps needed to get it working:
environment details:
It's possible to install option add install like a service?
We want use this tool in environment for managing computers but don't want user know this is installed on his computers.
Hello
I have loaded the admx files, and put in the desired settings. I put in allowed entities as a group in the format domain\allow_group_name.
However, when I log into a server with this installed, where the user is not a member of this group, its still allowed to elevate its rights to admin.
The Deny entitites works just fine with this setup; domain\deny_group_name
I'm not sure if this is a bug or working as intended, but if its supposed to work like this, it should be documented, and the use of Allowed Entities should be further explained
When I ingest the ADMX with Intune it gives an error that the category was not defined.
I tried several adjustments to the file, but it kept failing.
Thanks @pseymour for this great piece of software! With users working from home, it would be great ship syslog to remove server but using TLS instead of plaintext. Online Logging platform like Splunk, Sumologic or other ELK often provide syslog endpoints but they are all in TLS. The message standard is the same as 5424, but with a TLS variant: https://tools.ietf.org/html/rfc5425 (default port is 6514)
SyslogNet seems to support it: https://github.com/emertechie/SyslogNet/blob/master/SyslogNet.Client/Transport/SyslogEncryptedTcpSender.cs
Or I can try to implement it and do a PR if you are open to the idea. Thanks!
At the moment, service start and stop events get logged as "MakeMeAdmin", but events from the service get logged as "Make Me Admin". It would be nice to make these consistent and use one source name.
Suggested change is to change the SourceName defined in ApplicationLog.cs from "Make Me Admin" to "MakeMeAdmin" and add a ServiceStartStop entry to EventID.cs which covers the built-in service start and stop events:
/// <summary>
/// The built-in service functionality uses Event ID 0 to log service start/stop events.
/// </summary>
ServiceStartStop;
A pull request #9 has been created which includes this change.
Hi, I want to help you with the german translation. Could you send me the files to do so?
Hi,
Just wondering there any way to monitor end-user who use make me admin for temporary admin rights, such as computer name, username, time and duration. The reason I'm asking is looking a way to provide a report for auditing to track how many end-user using temporary admin rights.
Many thanks
Add an option to log information about elevated processes. Logging should be available either while a user is administrator, or always.
Hi,
First of all, thanks for sharing this code!
I see there is still activity, but the last release (version 2.3) already dates from 2019. Are there any plans to create new releases?
Hi,
I came accross this when looking for a solution to the local admin problem. I was curios about how this project is secure, so that somebody cannot get admin rights who is not allowed to.
I quickly looked at the codebase and have these questions:
IAdminGroup has a bool UserIsAuthorized(string[] allowedSidsList, string[] deniedSidsList) method, isn't it insecure if the caller specifies the conditions which should be checked?EncryptedSettings for? It is protected by ProtectedData-API using Machine scope. As far as I understand the documentation, any account locally on the machine can encrypt and decrypt that data. So the encryption is useless?Please do not take my questions as criticism. Seems to be a simple way to grant temporary local admin rights. Was just looking if the systems could be compromised by an attacker.
I uninstalled make me admin today. but after a reboot My admin rights are still not restored... what can I do??
I installed verion MakeMeAdmin 2.3.0 x64 of Make me admin on a Swedish Windows 10 1909 but I do not get it not to work with the attribute "Allowed Entities" when I start the application so I never get up the choice "Grant me admin..." but the "Automatic Add Allowed" attribute works fine. I have tried to enter only userid, [email protected], sid but nothing helps do you have any tips that can help me?
Just wondering if there's a way to get the log file of the users that granted admin right which consists of:
Username, duration time between time admin granted and time when admin revoked.
Issue
After granting rights using MakeMeAdmin and rebooting the machine the administrator rights will be kept indefinitely until MakeMeAdmin is launched again.
Possible solution
Since the service does not retain its state after rebooting I suggest completely removing the administrator rights when the MakeMeAdmin service is first launched upon boot.
I am trying to test out the Remote Request option and don't seem to be having any luck. I don't see any documentation exactly on how this functionality is supposed to work so looking for a little more details.
Implement a system that allows users to renew their administrator rights a specified number of times.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.