Dealing with local admin rights on a (non-)persistent VDI.

Use case

Recently I had to work on an use case where “VMware Writable Volumes” on VMware Horizon non-persistent VDI came into play for research and development users.
The Writable Volume is used for installing developer applications with personlized libraries or even self developed applications.

There is really an easy way to give users local administrator privileges based on Group Policies, but this means that all the user(s) in a certain Active Directory group become local administrator on all the non-persistent virtual desktops. In my opinion could this lead into a security issue and not desirable. How can I make a user only local administrator on the virtual desktop where he logs on to?

No out-of-the-box solution?

Strange enough, but there is no out-of-the-box solution avaiable to make this work. For example: you are not able to work with “Group Policy – Item-Level Targeting”, because you can’t match a specific user to a random non-persistent VDI machine.

My solution

If I code something, I build it with PowerShell. The problem is, that you cannot use privilege elevation on a ps1 (PowerShell) file, you can only target exe (executable) files.
Running powershell.exe in elevated mode is of course not a good idea.

I found a way to covert powershell files (ps1) to executables (exe) via PS2EXE-GUI application. The program can be found on this github page.
After you have create your executable, you could launch it at logon with privilege elevations via VMware Dynamic Environment Manager (DEM).

Follow the steps below to create an executable from a powershell file and use VMware DEM to run this executable during the logon process of a user which is allowed to be local administrator.

Step 1

Copy the below PowerShell one-liner in your favorite text editor and save it as a ps1 file in for example C:\Temp\SetLocalAdmin:

Start-Process powershell -WindowStyle Minimized -Verb runAs -ArgumentList "Add-LocalGroupMember -Group `"Administrators`" -Member `"$env:userdomain\$env:username`""

Step 2 (optional)

Download or create an icon file which expresses the use of the executable we are going to make and place it in C:\Temp\SetLocalAdmin as well.

Step 3

Download the complete PS2EXE-GUI application from github and start “Win-PS2EXE.exe”.

PS2-EXE example

It shoud now looks like above screenshot, when done click on the “Compile” button.

Compiling your PS1 file to a EXE file

Your executable will be created, hit “enter” when compling is finished.

Step 4

Copy the executable to the VMware DEM’s config folder (not in General), but I have a directory called “DEM_Additions” > “SetLocalAdmin” > “SetLocalAdmin.exe”. At least it the directory needs to have share permissions for the user(s) which must be local administrator on the non-persisten VDI machines.

Step 5

Open your VMware DEM Console en go to the “User Environment” tab and left in the menu to “Privilege Elevation”.
Create a new Privilege Elevation for the executable we created, see below two screenshots from my example (Settings and Conditions tab):

DEM Console – Privilege Elevation – Settings Tab

DEM Console – Privilege Elevation – Conditions Tab

By doing this you are allowing the exectuable to run as administrator and those permissions are necessary to add the user to the local administrator group of the non-persistent VDI machine.

Step 6

Now we need to take care, that during the logon process of the user it become an local administrator. I have tried to run it as an “logon task” within VMware DEM, but it kicks in to early, because the “privilege elevation” didn’t processed yet. My solution is create a “shorcut” for the executable and place it in the “startup” folder and that works like charm. See the below screenshots from my shortcut settings and conditions tab:

DEM Console – Shorcuts – Settings Tab

DEM Console – Shortcuts – Conditions Tab

Result

Try now to logon on your non-persistent VDI machine and see if the executable does his job and make your local administrator.
A video of the result will be posted later. My homelab is currently under construction.

2 replies

Comments are closed.