How does it work?

We stay with the well-known AGDLP concept, also known as AGLP depending on the situation. We create an Account (A), make it a member of an AD Global Group (G), and add this group to the Local Group (L) Administrators on the machine. Membership in the local Administrators group is what grants the administrative Permissions (P).

We will create an individual security group and user account for each system. The user we create is a member of that system's group and is restricted to logging on to the specified machine. The user account is disabled by default.

We will use Group Policy to make this group a member of the local Administrators group.

Every time you need administrative rights on a target machine, you run 12beAdmin and type in the computer name of your target. 12beAdmin will generate a random password, enable the account and ask for an expiration time, which can be selected from a dropdown or typed in manually. You can then use this account for the specified time, until the account expires.

12beAdmin is 100% PowerShell scripting. It relies on the cmdlets from the RSAT tools for Active Directory Users and Computers, plus some general ones. The UI is built on XAML. No binary executable, no hidden code.
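The activation step described above can be sketched with the ActiveDirectory module cmdlets. This is an added example, not 12beAdmin's own code: the `adm-<computer>` account naming, the function names, the password character set and the 480-minute upper limit are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not 12beAdmin source. Assumed account naming: adm-<computer>.
function New-RandomPassword {
    param([int]$Length = 24)
    # Character set is an assumption; adjust it to the domain password policy.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)   # rejection bound, avoids modulo bias
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
        }
        $pw = $sb.ToString()
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    $pw
}

function Enable-TemporaryAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateRange(1, 480)][int]$Minutes = 60   # upper limit is an assumption
    )
    $sam  = "adm-$ComputerName"                     # hypothetical naming convention
    $user = Get-ADUser -Identity $sam -Properties LogonWorkstations -ErrorAction Stop
    # Refuse to activate an account that is not pinned to exactly this machine.
    if ($user.LogonWorkstations -ne $ComputerName) {
        throw "$sam is not restricted to $ComputerName (LogonWorkstations='$($user.LogonWorkstations)')"
    }
    $plain   = New-RandomPassword
    $expires = (Get-Date).AddMinutes($Minutes)
    if ($PSCmdlet.ShouldProcess($sam, "reset password and enable until $expires")) {
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        # Set the expiry before enabling, so the account is never live without one.
        Set-ADAccountExpiration -Identity $user -DateTime $expires
        Enable-ADAccount -Identity $user
        [pscustomobject]@{ Account = $sam; Password = $plain; Expires = $expires }
    }
}
```

Account expiration blocks new logons but does not end sessions that are already open, so a procedure built on this should also log off or disable the account when the work is done.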