How does it work?

We stick to the commonly known AGDLP concept, also known as AGLP depending on the situation. We choose an Account (A), make it a member of an AD Global Group (G), and add this group to the Local Group (L) Administrators on the machine, which grants it administrative Permissions (P).

We will create an individual security group in our AD for each system, named like %computername%-Admins. The user we choose will become a member of that individual group. When the script ends, the user's password will be reset and the group membership will be cleaned up.

We will use group policy to integrate this group as a member of the local administrators.

Every time you need administrative rights on a target machine, you run 12beAdmin and type in the computer name of your target. 12beAdmin then generates a random password for your "%username%.someending" account and makes this account a member of the %computername%-Admins group for a (short) period of time.

12beAdmin is 100% PowerShell scripting. It relies on the cmdlets from the RSAT Active Directory Users and Computers tools plus some general ones. The UI is built on XAML. No binary executable, no hidden code.
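
The workflow described above, written against the RSAT ActiveDirectory cmdlets as an added example; it is not 12beAdmin's own code. The function names, parameters, OU path and password alphabet are assumptions.

```powershell
# Added example, not 12beAdmin source. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

function New-RandomPassword([int]$Length = 24) {
    # 64-character alphabet (assumption), so byte % 64 has no modulo bias
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Grant-TemporaryLocalAdmin {   # hypothetical name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$AdminAccount,  # sAMAccountName of the admin account
        [Parameter(Mandatory)][string]$GroupPath,     # DN of the OU for the groups (assumption)
        [ValidateRange(1, 240)][int]$Minutes = 30
    )
    $group = "$ComputerName-Admins"
    # A: account, G: per-machine global group; L and P come from the group policy
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global `
            -GroupCategory Security -Path $GroupPath
    }
    $plain = New-RandomPassword
    # If the domain policy rejects the password, this throws before any access is granted
    Set-ADAccountPassword -Identity $AdminAccount -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    try {
        Add-ADGroupMember -Identity $group -Members $AdminAccount
        Write-Host "Password for ${AdminAccount}: $plain"
        Write-Host "Member of $group for $Minutes minute(s)"
        Start-Sleep -Seconds ($Minutes * 60)
    }
    finally {
        # Cleanup runs even if the operator interrupts the script (Ctrl+C)
        Remove-ADGroupMember -Identity $group -Members $AdminAccount -Confirm:$false
        # Invalidate the password that was shown on screen
        Set-ADAccountPassword -Identity $AdminAccount -Reset `
            -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    }
}
```

Removing the account from the group does not affect logon sessions already open on the target machine; their access tokens keep the membership until logoff.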