Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

Installing Privilege Manager

To complete the Privilege Manager installation, you need to install the Console, configure the Server, and install the Client. Then you can start using Privilege Manager based on your Windows rights within the Group Policy Management Console. If you do not have enough rights on an object, you are prompted that access is denied.

System requirements

Please refer to the Privilege Manager for Windows Quick Start Guide for the list of System Requirements.

Installing the console

The Console must be installed on a computer that is joined to the domain and run under a user account that has the rights to change at least one GPO. The Console displays GPOs based on the security context of the user that is logged on.

Using the Console Windows Installer file

Please refer to the Privilege Manager for Windows Quick Start Guide for instructions on using the Console Windows Installer file.

Opening the Console

To start the Privilege Manager Console on the host:

1. Go to Start > All Programs > Quest > Privilege Manager > Privilege Manager, or

2. Select the Privilege Manager shortcut icon on the Start menu.

Applying a license

You can apply a license upon initial start-up or later. Otherwise, if your trial has expired, you’ll only be able to access the Community edition.

To apply a license when you start the Console for the first time:

1. A window appears, asking you to apply a license.
2. Click Yes if you are going to apply a Privilege Manager Professional or Professional Evaluation license. Browse to the license file and click Open.

   Or,

3. Click No to access the Privilege Manager Community Edition that does not require a license.

To apply a license in the Console after initial start-up:

1. Click Help > About in the menu.

2. Click the Licenses tab.
3. Click the Apply License File button.
4. Highlight the product name and click the Update License button.
5. Browse to the license file and click Open and then OK.
6. If you are upgrading, you may need to follow the additional steps detailed in the Upgrading section.

Viewing GPOs

To view the GPOs that you have access to:

1. Switch from the Setup Tasks > Getting Started window to the Group Policy Settings > All GPOs window.

   The GPOs you have access to appear.

Selecting target domains

The Privilege Manager Console is initially configured to allow you to manage the privilege Elevation settings for the domain to which the local computer belongs. In addition, the Console also allows you to manage other domains in your forest.

For Windows Privilege Manager to work across multiple domains within a single forest, the appropriate domain permissions must be configured and an Enterprise Admin Active Directory account must be used with the Privilege Manager Console. The Windows user account must be include the following:

• SQL Server System Administrators role
• db_owner access to the master database
• db_owner access to the PAReporting database (required for upgrades)

For complete information about the database space requirements, see Database Planning.

To customize the number of your forest’s domains available in the Group Policy Settings pane:

1. In the Getting Started section of the navigation pane, select Setup Tasks and then click Select Target Domains in the right pane.

2. In the window that appears, specify the domain names, as applicable.

3. (Optional) Click the Select DC button to open the Select Domain Controller dialog box. Specify the exact domain controller that the Console will communicate with.

   The list of the domains and GPOs change accordingly.

   Note: You can create the GPO rules only on a domain where you have write permissions for the GPOs.

Installing a second Console

You may need to use this scenario if you need to manage Privilege Manager GPOs from an MS Windows 10 client that is not the same server as the Privilege Manager Console/Server.

Note: There is no GPO locking mechanism so ensure that the same GPO is not edited at the same time from different consoles. Changes can be lost when multiple saves occur.

To install a second Console, you must meet the following requirements:

• Use same license as for the first Console.
• Use same version of PM Console as the first Console.
• Permissions: User running the remote Console must be a member of the super user group specified during the setup of the first Privilege Manager Console/Server. User must also have permissions to edit GPOs.

To install a second Console:

1. Install the second Console on another machine.

2. Apply the same license that is used on the first Console.

3. Open the Console and go to Setup Tasks > Configure a server.

4. Click Browse to choose an existing Privilege Manager Server. In the box at the bottom, type the name of the Server.

5. To close the dialog, click OK, and then click Test to ensure a successful connection.

6. Click OK to finish.

7. Optional.If using Temporary Session Elevation passcodes:

   1. On the original Privilege Manager Server, locate and copy this file: C:\Program Files (x86)\Quest\Privilege Manager\Console\pmtse.ske.
   2. On the second Console, locate the same file in same location.
   3. Rename it to pmtse.ske.old.
   4. Copy the pmtse.ske from the original Privilege Manager Server to the second Console.
   5. Close and re-open the second Console.

Configuring the server

Available only in Privilege Manager Professional and Professional Evaluation editions.

After installing the Console, a Server must be configured. Configuring the Server sets up the back-end services needed to automatically deploy the Client, as well as enable reporting, discovery and remediation.

Using the Server Configuration Wizard

Please refer to the Privilege Manager for Windows Quick Start Guide for instructions on using the Server Configuration Wizard.

Modifying the Server

You must configure the settings for the Server on the Console where it was installed. However, any administrator with the rights to a specific GPO can update its data collection settings. Also, the administrator running the Console can view reports of data collected by any Server by selecting Browse and the preferred Server from the Privilege Manager Server Configuration screen (under Setup Tasks > Configure a Server).

If you need to change the reporting database settings, i.e., connect to another instance, modify the authentication parameters, or set up a new data collection service:

1. Use the Privilege Manager Server Configuration screen to remove the Server.
2. Restart the wizard to reinstall the service and set the SQL database settings.

Removing the Server

If you do not want to use a Server, you can clear its settings and/or remove it from a host computer:

1. Open the Privilege Manager Server Configuration screen (under Setup Tasks > Configure a Server).
2. Select Clear the server name to clear the settings which the Console uses to connect to reporting information. The locally running Server will not be stopped or disabled. This will not uninstall the Server.

3. Click Remove the Privilege Manager Server from this computer to uninstall the Server from the local computer. When you remove the Server:
   • You stop the web data collection service.
   • The shared folder with the Client file is no longer shared.
   • The database does not receive data sent by the corresponding Clients until a new Server is installed, provided that it is installed within the network timeout parameters.

To remove a Server running remotely:

1. Connect to the computer that hosts the Server.
2. Remove the Server using the Privilege Manager Server Configuration screen.