lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Just In Time Admin Privilege #166

Closed dwightchrute closed 2 years ago

dwightchrute commented 2 years ago

I have Just In Time configured and everything is working fine, BUT after the time membership expires and the user gets removed from the AD group, they still have local admin rights until log off/on. Has anyone run into this issue? I've left this computer online for 6 days and still have local admin rights. JIT access expired 15 min after it was activated, and for 6 days until I log off/on, it had local admin rights. Tried token refresh, gp update, etc. and nothing works.

ryannewington commented 2 years ago

Hi @dwightchrute

This article will explain what is going on here

https://docs.lithnet.io/ams/help-and-support/support-articles/kb000002

dwightchrute commented 2 years ago

@ryannewington thanks - I understand this is a Windows thing and not an AMS one, but I was thinking, why does it let you set an "expiration time" when configuring JIT if it's not going to matter...

ryannewington commented 2 years ago

It might be more useful to think of the expiry time as the window of time they have to claim admin rights, as opposed to thinking of it restricting admin rights to that window of time.

It's only the user's current logon session that retains the access if they aren't logged off. New connections, inbound network-based connections, etc. will not have admin rights after the JIT expiry time.
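A check an administrator can run inside the affected session to see the stale-token behaviour described above, as an added example that is not part of this thread, the Access Manager project, or the linked article: it compares the domain group SIDs baked into the current logon token with what AD computes as the user's membership right now, and flags stale SIDs that still sit in the local Administrators group. It assumes a domain-joined machine with a reachable DC and Windows PowerShell 5.1 (for Get-LocalGroupMember); the function name is made up for this example.

```powershell
# Added example, not code from the Access Manager project or the KB article.
# Assumes: domain user's interactive session, domain-joined host, DC reachable,
# Get-LocalGroupMember available (Microsoft.PowerShell.LocalAccounts module).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-StaleTokenAdminGroups {
    # Group SIDs captured in this logon session's access token at logon time.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # Effective domain group membership as AD computes it right now
    # (tokenGroups, nesting included). Local groups and well-known SIDs are
    # not in this result, so only domain SIDs (S-1-5-21-...) are compared.
    $user      = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    $freshSids = @($user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value })

    # Domain group SIDs the token still carries but AD no longer grants.
    $stale = $tokenSids |
        Where-Object { $_ -like 'S-1-5-21-*' -and $freshSids -notcontains $_ }

    # Which stale groups are members of local Administrators (S-1-5-32-544)?
    $localAdminMembers = @((Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value)

    foreach ($sid in $stale) {
        $name = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '(unresolvable, group may be deleted)' }

        [pscustomobject]@{
            Sid                   = $sid
            Name                  = $name
            StillGrantsLocalAdmin = $localAdminMembers -contains $sid
        }
    }
}

# A row with StillGrantsLocalAdmin = True is the JIT situation from this
# thread: the membership is gone in AD, but this session keeps the right
# until the user logs off and on again.
$result = Get-StaleTokenAdminGroups
if (-not $result) { 'No stale domain group SIDs in the current token.' }
else { $result | Format-Table -AutoSize }
```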

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.