
Safeguard Privilege Manager for Windows 4.3 - Quick Start Guide

Product Licensing

Refer to the Privilege Manager for Windows Administrator Guide for information on editions and applying a license.

Each Privilege Manager license file is compatible with only a single major version of the product (e.g., 3.x or 4.x). This means existing 3.x licenses will not be valid after upgrading to a 4.x build. Existing customers are therefore required to obtain a new license file via the License Assistance portal (https://support.quest.com/contact-us/licensing) in order to be properly registered after the upgrade.

NOTE: Privilege Manager does not phone home for product licensing.

Installing the console

NOTE: The recommendation for multiple domains in a single forest is for each domain within the forest to host a completely separate installation of Privilege Manager.

The console must be installed on a computer that is joined to the domain and run under a user account that has the rights to change at least one GPO. The console displays GPOs based on the security context of the user that is logged on.

To complete the console installation, follow the Windows Installer through a series of dialog boxes:

  1. Run the Privilege Manager setup file, PAConsole_Pro.msi.
  2. The installer will check to see if your system is missing any of the required components. Please review the system requirements for Privilege Manager. A window will display and let you install any of the missing components.

    • Click Yes to download and install a single missing component. A new notification window will display to install others, if necessary.
    • Click Yes to all to download and install all the missing components with a single click.
    • Click No to manually download the missing components. A dialog will follow, displaying the download links for the missing components. Install the components and then resume the installation.
      1. Click the link and download the component.
      2. Close the console setup notification window with the download link to .Net 4.0 Framework.
      3. Install the component.
  3. The initial dialog box is the installation Welcome. Click Next.
  4. The License Agreement dialog box displays. Select I accept the terms in the License Agreement and click Next. Refer to the Privilege Manager Administrator Guide for more information on applying a license.
  5. On the Destination Directory dialog box, select a destination folder. The installation path depends on the system architecture and defaults to: %PROGRAMFILES%\Quest or %ProgramFiles(x86)%\Quest. Click the Browse button to select a different installation path; however, accepting the default values is recommended. Click Next.
  6. Click Install on the final installation dialog. Once the installation is complete, click Finish.

Configuring the server

Available only in Privilege Manager Professional and Professional Evaluation editions.

After installing the console, a server must be configured. Configuring the server will set up the back-end services needed to automatically deploy the client, as well as enable reporting, discovery and remediation.

To use the Privilege Manager for Windows Server Configuration Wizard to set up the server:

  1. Start the Privilege Manager for Windows Server Configuration Wizard.

    1. Open the console.
    2. Under the Getting Started section of the left navigation menu, click Setup Tasks.
    3. Select the Configure a server icon in the Basic Setup right pane.

  2. The Privilege Manager for Windows Server Configuration screen will open.

    1. Click the Browse button to locate a server via Active Directory.
    2. Use the Test button to test the selected server's connection to the ScriptLogic PA Reporting Service. If the test fails, check to see if there are network or firewall problems.
    3. Click the Clear the server name link if you want to configure another server. The displayed service will not be uninstalled.
  3. Click Setup/configure the Privilege Manager Server on this computer to install a new server or configure one on the local computer.
  4. The Privilege Manager for Windows Server Setup Wizard will open.
    Set the port for the web service.
    1. Click Reset to set the Port Number to its default. The ScriptLogic PA Reporting data collection web service listens for incoming data from the clients on port 8003, by default. The firewall must be configured to allow communication over any port you select.
    2. Check the Add an application exception to the firewall for this service option to automatically add UDP and TCP rules (named ScriptLogic PA Reporting Svc) to the Windows Firewall exceptions list to allow inbound traffic for the service on the local computer.
  5. Under the optional Server Email Notification Configuration section, select the server to use for email notifications of self-service requests and scheduled reports.

    Fill in the following fields:

    1. Host Name: Enter the SMTP Server name of the email account from which you are going to send your emails.
    2. SMTP Port: Enter the port number.
    3. SMTP User Name and Password: If necessary, enter the authentication information and check the SSL checkbox.
    4. From Email: Enter the corresponding email.

    Note: You must enter the SMTP Password each time you configure the server or you will receive an error.

  6. Click Send Test Email to send an email to the account specified within the From Email field.

    1. If Privilege Manager succeeds in sending the email, the corresponding message will display.
    2. Log into an email program with the corresponding account and locate the sent email with Privilege Manager Test Email in the subject.
  7. Click Next. Select an SQL Server instance to use for the PA Reporting database.
    1. Select Download and install a local instance of Microsoft SQL Server 2008 R2 Express to have the Server Wizard install it. Then click Next.

      Note: By default, the SQL Server installed via the console uses Windows authentication.

    2. Select Use an existing SQL Server instance to instruct Privilege Manager to connect to an existing local or remote SQL instance (Microsoft SQL Server 2008 or Microsoft SQL Server 2014 is required) and then click Next.

      If you are using a remote SQL database, follow these steps:

      1. Enable TCP/IP protocol for the selected SQL Server instance;
      2. Enable the console host to address the remote SQL Server; and
      3. Allow the firewall to communicate between the SQL database and the console host on the port that the remote SQL server is configured to listen on.

      Note: If a domain controller hosts the console, Microsoft does not recommend running a database on a domain controller computer. In this case, either connect to a remote SQL database instance or use another computer to install the console and download the SQL Server 2008 R2 Express software via the Privilege Manager for Windows Server Configuration wizard.

  8. Set up a Super User group, credentials for the Data Collection Web Service Account, and the database service account.
    1. Verify the default user group and user accounts will be granted administrative privileges in the Privilege Manager for Windows Reporting database. This group will be configured as the Super User group. If a different group is required, click the browse button to locate it via Active Directory.
    2. In the Data Collection Web Service Account section, enter the password of the account that will be used to run the data collection service. This account requires local administrator rights.
    3. Use the SQL Server Express Service Account section to enter a new account for the SQL Server service, if you selected the option to download and install a local instance of Microsoft SQL Server 2008 R2 Express.

    Note: If you plan to use the configured server domain-wide, i.e., from other consoles run either by domain or organizational unit level admins, then ensure the provided Database Super User Group includes all the user accounts that may address the PAReporting database. Otherwise, a user that has no rights to the database will encounter an error.

  9. Click Next to install a list of SQL Server Management Objects (SMOs) if the local computer is missing them. These prerequisites are required in order to connect to SQL Server instances on the network.
  10. Select the existing SQL Server instance running remotely or locally, if you selected the option to use an existing SQL Server instance.
    1. In the SQL Server Instance Name field, specify the name in the following format:

      SQLSERVER\INSTANCENAME

    2. Use the button to view the server instances available on your network.
    3. When using Windows authentication, ensure that the Windows account with which you are currently logged into the console:
      1. Is assigned to the system administrator server role on the specified SQL Server instance;
      2. Is a member of the db_owner role for the master database; and
      3. Is a member of the db_owner role for the PAReporting database, when you are upgrading a database previously created with the Privilege Manager for Windows Server Configuration Wizard.

      If you are targeting a remote SQL database, it must use Windows authentication for runtime access to data (although SQL authentication can be used for the database setup).
  11. Click Next to install the prerequisites and launch the services.
    1. During installation, a command prompt window may be shown for a short period of time.
    2. Click OK and then Finish to exit the Privilege Manager Server Setup wizard.
  12. To ensure proper functioning of the server, allow the following programs through the Windows firewall:

    1. On the client computer: CSEHost.exe.
    2. On the server host: PrivilegeAuthority.exe, which is configured by default during server configuration, provided that the firewall is turned on.
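
The firewall exception and port settings above can be reviewed after the wizard finishes. The following PowerShell is an added example, not part of the Quest guide or product: it tests the data collection port from a client and lists how widely the automatically created exception rules are scoped on the server. The host name `pmserver.example.local` is a placeholder, and treating the rule name from the guide as the rule's DisplayName is an assumption.

```powershell
# Added example, not vendor code. The default $Server value is a hypothetical host name.
# The rule name comes from the guide; matching it as DisplayName is an assumption.

function Test-ReportingPort {
    # Run from a client computer: can it open a TCP connection to the web service?
    param([string]$Server = 'pmserver.example.local', [int]$Port = 8003)
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $r.TcpTestSucceeded }
}

function Get-ReportingFirewallRule {
    # Run on the server host: list the exception rules and how broadly they apply.
    param([string]$DisplayName = 'ScriptLogic PA Reporting Svc')
    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No firewall rule named '$DisplayName' was found."
        return
    }
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Enabled       = $rule.Enabled
            Direction     = $rule.Direction
            Action        = $rule.Action
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            Program       = $app.Program
            RemoteAddress = $addr.RemoteAddress -join ','
            # True when the rule accepts traffic from any source address
            OpenToAny     = ($addr.RemoteAddress -contains 'Any')
            # True when the rule also applies on networks marked Public
            OnPublic      = ("$($rule.Profile)" -match 'Public|Any')
        }
    }
}

Test-ReportingPort
Get-ReportingFirewallRule | Format-List
```

Rules reported with `OpenToAny` or `OnPublic` set are candidates for narrowing to the subnets and profiles where the clients actually reside.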

Installing the client

To use the Client Deployment Settings Wizard to install the Privilege Manager Client:

  1. Start the Client Deployment Settings Wizard.
    • To add the settings to any available GPO:
      1. Open the console.
      2. Under the Getting Started section of the left navigation menu, click Setup Tasks.
      3. Select the Deploy Client Wizard icon in the Advanced Configuration right pane. It will always show the default settings, or
    • To change the settings for a specific GPO, double-click Client Deployment Settings on the Advanced Policy Settings tab of the GPO. The changes made within the wizard will be saved here.
  2. Choose one of the following options:
    • Not Configured: Enable child GPOs to inherit client deployment settings from their parent.
    • Install Client: Install/upgrade client software.
    • Remove Client: Remove client software (for versions 3.0 and higher).
    • Unregister: Stop client software installation GPO settings from applying.
  3. Click Next.
  4. Define the server.
    1. Click the Browse button to locate a server via Active Directory.
    2. Use the Test button to test the selected server's connection to the ScriptLogic PA Reporting Service. If the test fails, check to see if there are network or firewall problems.
    3. Click the Clear the server name link if you want to configure another server. The displayed service will not be uninstalled.
  5. Click Next to use validation logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO has not been selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.
  6. Click Save on the GPO toolbar to save the new settings.
  7. Double-click Client Deployment Settings on the Advanced Policy Settings tab of the GPO to view the Client Deployment Settings.
  8. Check that the client has been successfully deployed onto the computer. Ensure that:

    1. The CSEHost.exe process is running;
    2. The client record is shown in the Add/Remove Programs tool; and
    3. The Privilege Manager icon and the right-click menu are available in the system tray on the client computer.

    New GPO rules created via Privilege Manager will be applied to client computers following a group policy update.
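
The deployment checks listed above can be scripted on a client computer. The following PowerShell is an added example, not part of the Quest guide or product: it checks for the CSEHost.exe process, looks for an Add/Remove Programs entry, reports the Authenticode status of the binary, and lists enabled allow rules that reference it in the Windows Firewall. The display-name pattern `*Privilege Manager*` is an assumption, and the system tray icon still has to be checked by eye. Run it from an elevated prompt so the executable path of the process is readable.

```powershell
# Added example, not vendor code. The product name pattern is an assumption;
# adjust it to the entry shown in Add/Remove Programs on your clients.

function Test-PrivilegeManagerClient {
    param([string]$ProductPattern = '*Privilege Manager*')

    # 1. Is the CSEHost.exe process running?
    $proc = @(Get-CimInstance Win32_Process -Filter "Name = 'CSEHost.exe'")
    $exe  = if ($proc.Count -gt 0) { $proc[0].ExecutablePath } else { $null }

    # 2. Is there an Add/Remove Programs record (64-bit and 32-bit views)?
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $ProductPattern } |
        Select-Object -First 1

    # 3. Signature status and firewall rules for the running binary, if its path is known
    $sigStatus = $null
    $fwRules   = @()
    if ($exe) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status
        $fwRules = @(Get-NetFirewallApplicationFilter -Program $exe -ErrorAction SilentlyContinue |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ProcessRunning   = ($proc.Count -gt 0)
        ExecutablePath   = $exe
        SignatureStatus  = $sigStatus
        InstalledProduct = $entry.DisplayName
        InstalledVersion = $entry.DisplayVersion
        FirewallAllow    = ($fwRules.DisplayName -join '; ')
    }
}

Test-PrivilegeManagerClient | Format-List
```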
