EPM-W, that way you can deal with the password necessity on the end-users endpoints, instead of a admin doing the work, you can just have a allow list for the own user to elevate the process.

PRA integration would work as well so the password could be inject credentials into the system.  Refer to KB0018748.  

Another idea would be to create an application and pass the credentials. Here is an example of SMSS KB0017273.

Hope this information helps.

Hello, thank you for you responses. I think I am unable to edit original post as I wanted to add some clarification. I see EPM is definitely one option, but there are some use cases where logged in user has to be member of local admin group or EPM agent can not be installed on the machine.   PRA integration is helpful for remote access use cases, this requirement is more for in-person/physical access to the machine 

EPM with Password Safe integration (if you are storing workstation Admin creds in password safe).

For the most part, EPM removes the need for Admin logon/membership.

For the edge case scenarios, we’ve also had customers ‘state’ local admin group memberships are necessary but have managed to work through most of those via EPM.

There are now a few options here that can be used for resolving your issues.

1. Just in Time Admin on 24.7. Make the user a temp admin while you help the users with the needed tasks and end the Admin session on the EPM Tool when done.

2. Password Safe integration, can allow to run a specific application in the context of a vaulted account that has local admin rights on the computer.
3. I have seen a customer using a QR code scanner for USB, make a QR Code of password in the morning and just scans it when needing to type it in. think 49$
4. If you have Jump Client on the machine and installs can be kicked off from a command shell

Then again I do not know the software but there are a few out there checking for the user being an admin also, but many of them have install switches to bypass the check. like oracle(miracle) -ignorePrereqs or something like that.

Thank you ​@Jens Hansen for providing these options.

I know I’m late to the party on this one, but I love my Yubikey, however, its worth noting there is a character limitation that you can place on a static password for a Yubikey. You would not be able to leverage a password with more than 38 characters.

As Jens stated with the QR code method, I have leveraged that process as well. The scanners for those are around the same price as a Yubikey and are only limited to the number of QR Codes you create, as to where Yubikey has a 2 slot limitation.

I’ve tried the jump client route and the itegration route, but my personal preference is yubikey… its always with me, I don’t have to launch into a product to access another machine throughout the day. I check out the password and save it to my Yubikey for the duration of its checkout and go admin happy.

If you are consistently logging into the same devices routinely you could leverage things like mRemoteNG and just save the password at the parent of the RDP list, just pray you never get a UAC prompt or something that you have to manually type the password out in. You could also leverage something like Keypass to perform the Autotype function. Few other apps that colleagues of mine over the years have used, but I don’t recall the name of them atm… as it never really drew much interest to me since the yubikey was super simple and ease of use.

So reality you could set your password policy to 39+ characters and they would have to remember whatever is left over, or the beginning, I would recommend the beginning because yubikey automatically performs a return key after typing.

However, if you don’t even want them to know the password the JIT or EPM process that was previously mentioned by Jens and Paulo. If you already have access to EPM I would recommend exploring either those 2 options, or a Challenge/response message method.