MakeMeAdmin is a great tool for instances where IT staff need to share administration of Windows PCs with end users. It works sort of like sudo on Linux and allows non-admin accounts to elevate themselves to admin when needed. Windows UAC can do this too, but that requires creating a second account with admin privilege, with a separate password that users must remember. And there is nothing stopping users from logging in to the system with the privileged account and using admin all the time. MakeMeAdmin allows users to elevate privilege to admin when needed with less friction. Minimizing the friction of privileged access when it is needed removes the incentive for lazy users to use admin when it is not needed.

While MakeMeAdmin is a good solution to share admin access when needed, in keeping with the principle of least privilege, I recommend trying to accommodate user needs without admin access when possible. I have many times edited the privileges on a software’s folder in “C:\Program Files” to give non-admin users Modify access and fix applications that appear to require admin. Why do so many applications save config to a location that standard users can’t modify? I can only guess that the developer never tested with a non-admin account. If you can, understand what access an application needs and grant just that access to the user or the users’ group, and full admin access will not be needed. While MakeMeAdmin works well, it stores its own config in the Windows registry, which makes it some work to set up manually. This registry key specifically: ‘HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin’

You can see all the MakeMeAdmin configuration options for the registry here: https://github.com/pseymour/MakeMeAdmin/wiki/Registry-Settings

These are the basic options that you will want to configure if nothing else. Most are self-explanatory. ‘Allowed Entities’ are the user accounts that are allowed to use MakeMeAdmin.

Allowed Entities
‘HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin\Allowed Entities’
Set a MultiString value containing the user accounts that should be allowed. If using domain accounts remember to add the domain name prefix: i.e. DomainName\UserName.

Admin Rights Timeout
‘HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin\Admin Rights Timeout’
This is a DWord value. Set a number in minutes.

Remove Admin Rights on Logout
‘HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin\Remove Admin Rights On Logout’
This is a DWord value. Set to 1 for enable or 0 for disable.

Allow Remote Requests
‘HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin\Allow Remote Requests’
This is a DWord value. Set to 1 for enable or 0 for disable.

Some PowerShell is useful to quickly add, modify, and remove these registry settings. If you are using Chocolatey or another package manager, just add the install command to the configuration script. Thanks to the talented Sam Dao, who made some improvements to my original code below.

Add MakeMeAdmin Users

while (!$MMAUser) {
	$MMAUser = Read-Host -Prompt "Enter Username [$MMAUser] "
}

#If the path does not yet exist, create the registry keys. When you call this command, it ERASES the current registry key so we cannot get the previous entries. So only do this if it doesn't exist.
if(!(Test-Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin')){
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College' -Force
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Force
}

#Gets all the current allowed users from the registry key, puts them into an array.
$key = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin').('Allowed Entities')

#Initialize a new array and copy in any users already on the list.
$newvalues = @()
foreach($value in $key){
    if($value){
        $newvalues += $value
    }
}

#Add the new user. This also covers the case where the list does not exist yet.
$newvalues += $MMAUser

#Remove the old value if there is one, then write the updated list.
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities' -ErrorAction SilentlyContinue

New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities' -PropertyType MultiString -Value $newvalues -Force

Write-Verbose "New list of Allowed Entities `n" -Verbose
$newvalues | Format-List

List Current MakeMeAdmin Users

if(!(Test-Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin')){
    Write-Warning "Could not detect MakeMeAdmin registry key, please make sure MMA is properly installed and try again."; Exit
}

$key = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin').('Allowed Entities')
Write-Host "`nAllowed Users:"

$key | Format-List

Remove MakeMeAdmin Users

while (!$MMAUser) {
	$MMAUser = Read-Host -Prompt "Enter Username [$MMAUser] "
}

#If the MakeMeAdmin policy key does not exist yet, create it so the commands below have a key to read from and write to.
if(!(Test-Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin')){
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College' -Force
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Force
}

#Gets all the current allowed users from the registry key, puts them into an array.
$key = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin').('Allowed Entities')

#Initialize array to store names already present in registry.
$newvalues = @()

#Keep every entry except the user being removed.
foreach($value in $key){
    if($value -notlike $MMAUser){
        $newvalues += $value
    }
    else{
        Write-Warning "Removing $value from list."
    }
}

#Write the list back once, after the whole loop has finished.
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities'
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities' -PropertyType MultiString -Value $newvalues -Force

Write-Verbose "New list of Allowed Entities `n" -Verbose
$newvalues | Format-List

Set other MakeMeAdmin Settings

#Admin Rights Timeout set to 15 minutes.
#Remove Admin Rights On Logout set to enabled.
#Allow Remote Requests set to disabled.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Admin Rights Timeout' -PropertyType DWord -Value 15 -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Remove Admin Rights On Logout' -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allow Remote Requests' -PropertyType DWord -Value 0 -Force

Set a Scheduled Task to remove MakeMeAdmin Users in a Number of Days

#Create a scheduled task to remove all MakeMeAdmin access in a number of days with a default value of 30 days. If a user enters 0 days, remove MakeMeAdmin access immediately.

$daysUntilExpiration = Read-Host -Prompt "Enter Days until expiration [30] "

if (!$daysUntilExpiration) {
    $daysUntilExpiration = "30"
}

if ($daysUntilExpiration -eq "0" -or $daysUntilExpiration -eq 0){
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities'
}
else {
    $user = "SYSTEM"

    #reg.exe is the program to run; the subcommand and its options go in -Argument. The value name contains a space, so it is quoted.
    $action = New-ScheduledTaskAction -Execute 'reg.exe' -Argument 'delete "HKLM\SOFTWARE\Policies\Sinclair Community College\Make Me Admin" /v "Allowed Entities" /f'
    #Get current date + days. The task runs at midnight on that date.
    $startTime = (Get-Date).Date.AddDays([int]$daysUntilExpiration)
    $trigger = New-ScheduledTaskTrigger -At $startTime -Once
    Unregister-ScheduledTask -TaskName "expireMMA" -Confirm:$false -ErrorAction 'SilentlyContinue'
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "expireMMA" -Description "Expire Make Me Admin Accesses." -User $user -RunLevel Highest
}

Putting It all Together.

Set-MMA.ps1

#Requires -RunAsAdministrator

function Print-Options{
	Write-Host "`nMMA CLI Interface`n1. Install-MakeMeAdmin`n2. Add-User`n3. Remove-User`n4. Get-Users`n5. Schedule-Expiration`n6. Exit"
}

Print-Options
$choice = Read-Host "`nPlease select one of the options listed above using their number."

Remove-Variable Hostname -ErrorAction Ignore
Remove-Variable Target -ErrorAction Ignore

$MMAUser = $args[0]


if(($choice -eq 2) -or ($choice -eq 3)) {
	while (!$MMAUser) {
		$MMAUser = Read-Host -Prompt "Enter Username [$MMAUser] "
	}
}

function Install-MMA{
	try{choco install makemeadmin}
	catch{Write-Warning "An error occurred when attempting to install MakeMeAdmin with chocolatey. Make sure choco is installed and try again."; Exit}
}

function Add-User{
	#If the path does not yet exist, create the registry keys. When you call this command, it ERASES the current registry key so we cannot get the previous entries. So only do this if it doesn't exist.
	if(!(Test-Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin')){
		New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College' -Force
		New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Force
	}

	#Gets all the current allowed users from the registry key, puts them into an array.
	$key = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin').('Allowed Entities')

	#Initialize a new array and copy in any users already on the list.
	$newvalues = @()
	foreach($value in $key){
		if($value){
			$newvalues += $value
		}
	}

	#Add the new user. This also covers the case where the list does not exist yet.
	$newvalues += $MMAUser

	#Remove the old value if there is one, then write the updated list.
	Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities' -ErrorAction SilentlyContinue

	New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities' -PropertyType MultiString -Value $newvalues -Force

	Write-Verbose "New list of Allowed Entities `n" -Verbose
	$newvalues | Format-List
}

function Get-Users {

	if(!(Test-Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin')){
		Write-Warning "Could not detect MakeMeAdmin registry key, please make sure MMA is properly installed and try again."; Exit
	}

	$key = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin').('Allowed Entities')
	Write-Host "`nAllowed Users:"

	$key | Format-List


}
function Remove-User{

	#If the MakeMeAdmin policy key does not exist yet, create it so the commands below have a key to read from and write to.
	if(!(Test-Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin')){
		New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College' -Force
		New-Item -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Force
	}

	#Gets all the current allowed users from the registry key, puts them into an array.
	$key = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin').('Allowed Entities')

	#Initialize array to store names already present in registry.
	$newvalues = @()
	
   foreach($value in $key){
		if($value -notlike $MMAUser){
			$newvalues += $value
		}
		else{
			Write-Warning "Removing $value from list."
		}
   }

	Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities'
	New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities' -PropertyType MultiString -Value $newvalues -Force
  
	Write-Verbose "New list of Allowed Entities `n" -Verbose
	$newvalues | Format-List


}

function Add-expireMMA-Task {

	$daysUntilExpiration = Read-Host -Prompt "Enter Days until expiration [30] "

	if (!$daysUntilExpiration) {
		$daysUntilExpiration = "30"
	}

	if ($daysUntilExpiration -eq "0" -or $daysUntilExpiration -eq 0){
		Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin' -Name 'Allowed Entities'
	}
	else {
		$user = "SYSTEM"
		#reg.exe is the program to run; the subcommand and its options go in -Argument. The value name contains a space, so it is quoted.
		$action = New-ScheduledTaskAction -Execute 'reg.exe' -Argument 'delete "HKLM\SOFTWARE\Policies\Sinclair Community College\Make Me Admin" /v "Allowed Entities" /f'
		#Get current date + days. The task runs at midnight on that date.
		$startTime = (Get-Date).Date.AddDays([int]$daysUntilExpiration)
		$trigger = New-ScheduledTaskTrigger -At $startTime -Once
		Unregister-ScheduledTask -TaskName "expireMMA" -Confirm:$false -ErrorAction 'SilentlyContinue'
		Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "expireMMA" -Description "Expire Make Me Admin Accesses." -User $user -RunLevel Highest
	}
}

switch($choice){
	1{
		Install-MMA
	}
	2{
		Add-User
	}
	3{
		Remove-User
	}
	4{
		Get-Users
	}
	5{
		Add-expireMMA-Task
	}
	6{Exit}
}
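
A read-only check to run after configuring a PC, added here as an example (it is not part of the original scripts or of MakeMeAdmin itself): it compares the policy values with the ones this post sets and lists anything that differs. The function names Get-MMAPolicy and Test-MMAPolicy and the sample data are made up for illustration.

```powershell
# Added example; Get-MMAPolicy and Test-MMAPolicy are hypothetical helper names.
$MMAKey = 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin'

# Read every value under the policy key into a hashtable (empty if the key is absent).
function Get-MMAPolicy {
    $policy = @{}
    if (Test-Path $MMAKey) {
        $item = Get-Item -Path $MMAKey
        foreach ($name in $item.GetValueNames()) { $policy[$name] = $item.GetValue($name) }
    }
    return $policy
}

# Compare a policy hashtable with the values this post sets and return a list of findings.
function Test-MMAPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy, [int]$MaxTimeoutMinutes = 15)
    $findings = @()
    $allowed = @($Policy['Allowed Entities'] | Where-Object { $_ })
    if ($allowed.Count -eq 0) {
        $findings += "'Allowed Entities' is missing or empty; check the Registry-Settings wiki for how MakeMeAdmin treats that case."
    }
    foreach ($group in ($allowed | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $findings += "Duplicate entry in 'Allowed Entities': $($group.Name)"
    }
    foreach ($entry in $allowed) {
        if ($entry -notmatch '\\') { $findings += "'$entry' has no DomainName\ prefix (expected only for local accounts)." }
    }
    $timeout = $Policy['Admin Rights Timeout']
    if ($null -eq $timeout) { $findings += "'Admin Rights Timeout' is not set." }
    elseif ([int]$timeout -gt $MaxTimeoutMinutes) {
        $findings += "'Admin Rights Timeout' is $timeout minutes; this post uses $MaxTimeoutMinutes."
    }
    $expected = @{ 'Remove Admin Rights On Logout' = 1; 'Allow Remote Requests' = 0 }
    foreach ($name in $expected.Keys) {
        $actual = if ($null -eq $Policy[$name]) { 'not set' } else { $Policy[$name] }
        if ($actual -ne $expected[$name]) { $findings += "'$name' is $actual; this post uses $($expected[$name])." }
    }
    return $findings
}

# Constructed sample policy (not real data) so the check can be tried without touching the registry.
$sample = @{
    'Allowed Entities'      = @('CONTOSO\alice', 'bob', 'CONTOSO\alice')
    'Admin Rights Timeout'  = 60
    'Allow Remote Requests' = 1
}
Test-MMAPolicy -Policy $sample
# On a configured PC, check the live values instead:
# Test-MMAPolicy -Policy (Get-MMAPolicy)
```

An empty result means the values match the ones used in this post.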

https://github.com/pseymour/MakeMeAdmin/wiki/

https://github.com/pseymour/MakeMeAdmin/wiki/Registry-Settings