Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

Installing the client

Once the Console is installed, you can deploy Clients to the computers on your domain in one of the following ways:

  • Client Deployment Settings Wizard: Deploy or uninstall clients on your computers in one pass. Available only in Privilege Manager Professional and Professional Evaluation editions.

  • Client Windows Installer file: Use PAClient.msi to install the Client locally on a computer (administrative privileges are required).
  • Microsoft Group Policy Management Console: Use login scripts or other software deployment techniques for mass-deployment.

Using the Client Deployment Settings Wizard

Please refer to the Privilege Manager for Windows Quick Start Guide for instructions on using the Client Deployment Settings Wizard.

Using the Client Windows Installer file

To use the Client Windows Installer file to install the Client locally on a computer:

  1. To locate the Client MSI setup file, open the Console.
  2. Click Additional Resources > Open Client Installation Folder. The Client file appears in a browser window.
  3. Check that the Client is successfully deployed onto the computer. Ensure that:

    • The CSEHost.exe process is running.
    • The Client record is shown in the Add/Remove Programs tool.
    • The Privilege Manager icon and the right-click menu are available in the system tray on the client computer.

    New GPO rules created by Privilege Manager are applied to Client computers following a group policy update.

Using the Group Policy Management Console

To install Clients on your domain via the Microsoft Group Policy Management Console (GPMC):

  1. Copy the PAClient.msi file to a network share that can be read by all users. Alternatively, share the folder that contains the file (a share with the PAClient.msi file is configured automatically upon Server configuration).

    1. To locate the Client MSI setup file, open the Console.
    2. Click Additional Resources > Open Client Installation Folder. The Client file appears in the browser window.
  2. Open the Group Policy Management Console on the Server. To create a new GPO, right-click Group Policy Objects and select New from the pop-up menu.
  3. Enter a name for the new GPO and click OK.

  4. Right-click the new GPO and select Edit to open it.
  5. In the Group Policy Management Editor, select Computer Configuration > (in Windows Server 2008) Policies > Software Settings > Software installation. In the right pane, right-click the new GPO, and select New > Package.
    1. If the client distribution GPO is computer-based (defined under Computer Configuration), enable the Always wait for the network at computer startup and logon policy (located in Computer Configuration > (in Windows Server 2008) Policies > Administrative Templates > System > Logon). Otherwise, the Client installs after the second reboot of the client computer.
    2. If the client distribution GPO is user-based (defined under User Configuration), then the Client installs after the first logon.

  6. In the dialog box that appears, browse to the PAClient.msi file on the network share to which it was copied.

    1. Use the File name field to specify the Client location in the Universal Naming Convention (UNC) format:

    \\computername\sharename\filename.msi

    2. Click Open.
  7. Select Assigned in the Deploy Software dialog box.
  8. Assign the new GPO to a domain or OU.

    1. To assign it to a domain, right-click the domain in GPMC and select Link an Existing GPO.
    2. Select the GPO in the dialog box and click OK.
  9. Check that the Client is successfully deployed onto the computer. Ensure that:

    • The CSEHost.exe process is running.
    • The Client record is shown in the Add/Remove Programs tool.
    • The Privilege Manager icon and the right-click menu are available in the system tray on the client computer.

    New GPO rules created by Privilege Manager are applied to Client computers following a group policy update.

Upgrading

Privilege Manager components are only compatible with other components of the same version. Upgrading ensures that all of the GPO rules and reporting configurations you created with earlier versions will still be available.

To upgrade prior versions:

  1. Run the Privilege Manager setup file (PAConsole_Pro.msi) and follow the Privilege Manager Console Windows Installer.
    1. If the message "Some files that need to be updated are currently in use" displays, click OK.
    2. Once you complete the upgrade, exit the installer.

  2. Open the Console and if necessary, apply a license. For more information, see Opening the Console and Applying a license.
  3. If an error message notifies you that the ScriptLogic PA Reporting Service has the wrong startup type (Manual), complete one of the following steps:
    • Go to the Windows Services Console and set the ScriptLogic PA Reporting Service to start automatically.
    • Click OK in the message window to reset the service to start automatically. If the restart fails, click NO, and then restart the Privilege Manager for Windows Console.

    Note: The automatic Server upgrade may be unavailable if the ScriptLogic PA Reporting Service is not running.

  4. If the Console detects that the Server component is installed on a remote computer, it instructs you to launch it on the remote computer.

  5. If a message prompts you to upgrade your Server and database (installed locally with the reporting functionality of some prior Privilege Manager versions):
    1. Click OK and follow the Privilege Manager Server Configuration Wizard to complete the following steps:
      1. Install missing SQL Server components from the Internet.

      2. Back up your database.

      3. Configure a shared folder for client mass deployment.

    2. Click Finish to save the results and exit the wizard.
    3. If a message displays indicating that the Privilege Manager Host Service that needs to be updated is currently in use, click OK to ignore the message.
    4. To upgrade later, open the Privilege Manager Server Configuration Wizard and confirm that you are running the upgrade process before you configure the Server.
    5. Until you have upgraded the Server and database, you will have problems installing the Server locally.
    6. For more information, see Configuring the Server.
  6. Re-configure your Client data collection settings, if necessary.

    1. Select a GPO from the Group Policy Settings section.

    2. Switch to the Advanced Policy Settings tab.

    3. Double-click Client Data Collection Settings to configure settings using the Client Data Collection Settings Wizard. For more information, see Configuring Client data collection.

  7. After you upgrade, By Digital Certificate rules will be saved as By Path to the Executable rules.
  8. To upgrade Clients, install the newer version over the older one. For more information, see Installing the Client.

Uninstalling

You must have administrative privileges to uninstall the Console and Client from a local computer.

To uninstall Privilege Manager components:

  1. Use the Windows Control Panel tool. The uninstaller completely removes all of the data.
  2. Once Privilege Manager for Windows is removed, its rules no longer apply.

For more information, see Removing the Server.

Configuring client data collection

Available only in Privilege Manager Professional and Professional Evaluation editions.

Run the Client Data Collection Settings Wizard so that you can compile reports, support discovery, and launch on-demand features.

Using the Client Data Collection Settings Wizard

Client data collection settings only apply on computers running a Client.

Before configuring Client data collection settings, you must configure a Server on your domain. For more information, see Configuring the Server.

To use the Client Data Collection Settings Wizard to set up, modify, or discard settings:

  1. Open the wizard by completing one of the following steps:
    • Open the Client Data Collection Settings Wizard from the Setup Tasks section. It will always show the default settings.
    • On the Advanced Policy Settings tab of the target GPO, double-click Client Data Collection Settings. The changes made within the wizard are saved here.
  2. Enable the Client Data Collection Settings on the State tab.
    • Choose Enabled to ensure the settings apply to the selected GPO.
    • Choose Not Configured to enable child GPOs to inherit settings from their parent.
  3. Define the Server on the Settings tab. This Server receives data from the Clients of the target GPO.
    1. Click the Browse button to locate a Server through Active Directory.
    2. Use the Test button to verify the selected Server's connection to the ScriptLogic PA Reporting Service. If the test fails, check to see if there are network or firewall problems.
    3. Click the Clear the server name link if you want to configure another Server. The displayed service remains installed.

    Note: To prevent data transfer issues between the Server and linked Clients, check that the port you have selected is open for incoming connections on the Server. Port 8003 is the default port for Server installation.

  4. Use the Advanced Settings on the Settings tab to set these data transfer parameters:
    • Maximum Sleep Time (in seconds) sets the stagger time period within which every Client sends its data to the data collection service. This value is set to 60 seconds by default.
    • Send Retries defines the number of retries that are made if an attempt to connect to the web service fails. This number is set to 1 by default.
    • Network Timeout (in seconds) sets how many seconds a Client should wait to stop sending data if it does not reach the target. This value is set to 600 seconds by default.
    • Maximum Records Per Transaction indicates how many portions of cached data the Client sends. This value is set to 0 by default, which indicates an unlimited number. To reduce the load on the Server side, you can increase the value to 1 or 2. This may be useful on large networks where each client computer generates many records and a Client may not be able to connect to the data collection service because it is too busy processing data collection transactions.
  5. Click Next to use Validation Logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO is not selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.
  6. Click Save on the GPO toolbar to save the new settings.

Adjust the parameters that Clients use to send their data to the ScriptLogic PA Reporting data collection web service to your specific needs. The web service supports collecting data from a significant number of Clients running concurrently.
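The deployment checks listed under Installing the client (CSEHost.exe running, Add/Remove Programs record) and the Server port note above can be scripted on a client computer; the following PowerShell is an added example, not part of the vendor guide. The Server name and the DisplayName wildcard are assumptions to replace with your own values, and the system tray check is left to visual inspection.

```powershell
# Added example: run locally on a client computer after the Client is deployed.
function Test-PrivilegeManagerClient {
    [CmdletBinding()]
    param(
        # Hypothetical Server name; use the Server defined on the Settings tab.
        [string]$Server = 'pm-server.example.local',
        # 8003 is the default Server port according to the guide.
        [int]$Port = 8003,
        # Assumed wildcard for the Add/Remove Programs entry; adjust to your build.
        [string]$DisplayNamePattern = '*Privilege Manager*'
    )

    # Check 1: the CSEHost.exe process is running.
    $process = Get-Process -Name 'CSEHost' -ErrorAction SilentlyContinue

    # Check 2: an Add/Remove Programs record exists (64-bit or 32-bit registry view).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $record = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object -First 1

    # Check 3: the Server port accepts TCP connections from this Client.
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue

    # InstalledVersion matters because components are only compatible
    # with other components of the same version.
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        CSEHostRunning   = [bool]$process
        InstalledRecord  = if ($record) { $record.DisplayName } else { $null }
        InstalledVersion = if ($record) { $record.DisplayVersion } else { $null }
        ServerPortOpen   = $tcp.TcpTestSucceeded
    }
}

$result = Test-PrivilegeManagerClient
$result | Format-List

# A non-zero exit code lets a deployment job flag the computer for follow-up.
if (-not ($result.CSEHostRunning -and $result.InstalledRecord -and $result.ServerPortOpen)) {
    Write-Warning 'One or more Client deployment checks failed.'
    exit 1
}
```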
