Welcome to the KACE Privilege Manager for Windows Administrator Guide. This guide instructs system administrators on how to use Privilege Manager. Inside you will find in-depth instructions on how to prepare your environment for least privileged use, maintain a least privileged environment, run reports, and interface with Microsoft tools.
For more information, refer to these additional resources:
For system administrators:
For end users with the Privilege Manager client service installed on their computers:
Giving users administrator rights creates security risks, but that risk must be weighed against constant help desk calls for basic operations such as updating Adobe Reader or Java, or simply changing the time zone on desktops.
Privilege Manager lets you grant selected privileges to users so they can update their own computers, reducing help desk calls while maintaining a secure network. By automating user privilege settings, Privilege Manager keeps users working; this enables you to focus on higher priority tasks, for exceptional resource and time savings.
As a system administrator, you can use Privilege Manager to elevate and manage user rights quickly and precisely with validation logic targeting technology. Use privilege elevation rules from the community, or create your own rules and allow administrator-level access to specific applications. You can also enable your end users to request elevated privileges for specific applications through self-service and instant elevation.
Privilege Manager is available in the following editions:
When reverting to the Community edition, you must re-save all computer-based Group Policy object (GPO) rules as user-based. Computer-based rules no longer work on the client side once the trial expires.
There are three software components included with Privilege Manager: the console, server and client.
The Privilege Manager console, installed via PAConsole_Pro.msi, is a management application. It is installed on a domain computer (server/workstation) and is used to create and manage rules within the Group Policy. Any user who has permission to edit a GPO can use the console to set privileges.
The Privilege Manager server, installed via the console, is a service which has several functions. It can deploy the client, collect and report on data, and discover and process applications that require elevated privileges.
The Privilege Manager client, installed via PAClient.msi, is a service that runs on each client computer. It applies the rules created in the console by monitoring processes as they are launched on the client and elevates or lowers the privileges for processes that are configured to be monitored. This is done by injecting an administrative token into the process or revoking it.
Microsoft Active Directory and Group Policy are used to distribute Privilege Manager rules to client computers.
Privilege Manager can modify privileges only for a standard user account, not a guest account. Elevated privileges can be revoked even if the user is a local admin.
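Because any user who can edit a GPO can use the console to set privileges, GPO edit rights decide who can create elevation rules. The following PowerShell audit is an added example, not part of the product or its guide: it lists trustees with edit rights on any GPO that are not on an expected list. It assumes the Microsoft GroupPolicy module (RSAT) is installed, and the `$ExpectedEditors` values are constructed placeholders.

```powershell
# Added example: audit who can edit GPOs, and therefore who could author
# privilege elevation rules distributed through Group Policy.
# Requires the GroupPolicy module (RSAT / Group Policy Management Console).
Import-Module GroupPolicy

# Trustees expected to hold GPO edit rights.
# Constructed sample values; replace with your organisation's own list.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels that allow changing a GPO's settings.
# GpoCustom entries are not included here and should be reviewed separately.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $canEdit    = $EditLevels -contains $ace.Permission.ToString()
        $unexpected = $ExpectedEditors -notcontains $ace.Trustee.Name
        if ($canEdit -and $unexpected) {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $ace.Trustee.Name
                TrusteeType = $ace.Trustee.SidType
                Permission  = $ace.Permission
                Inherited   = $ace.Inherited
            }
        }
    }
}

# Each row is a trustee outside the expected list that can change a GPO.
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Run it from a domain-joined machine with an account that can read GPO permissions. An empty result means only the expected trustees hold edit rights.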