Safeguard Privilege Manager for Windows 4.3 - Administrator Guide

Configuring instant elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

To grant on-demand administrative privileges to a group of trusted users and audit their actions, use the Instant Elevation Wizard.

Using the Instant Elevation Wizard

Before you configure instant elevation settings, ensure the following components are set up:

  1. The client is running on the computers you want to apply the settings to;
  2. The server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and
  3. Client data collection settings are enabled for the selected GPO.

To use the Instant Elevation Wizard to set up, modify, or discard privileges:

  1. Open the wizard:
    1. Open the Instant Elevation Wizard from the Setup Tasks section. It will always show the default settings, or
    2. Double-click Instant Elevation Settings on the Advanced Policy Settings tab of the target GPO. The changes made within the wizard will be saved here.
  2. Enable the Instant Elevation Settings on the State tab.
    1. Choose Enabled, otherwise the settings won't apply to the selected GPO.
    2. Choose Not Configured to enable child GPOs to inherit settings from their parent.
  3. Use the Groups tab to alter the settings. By default, users of the target GPO will automatically inherit the administrator's settings (BUILTIN\Administrators).
  4. Complete the advanced options in the Privileges and Integrity tabs.
  5. Click Next to use validation logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO has not been selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.
  6. Click Save on the GPO toolbar to save the new settings.
  7. Users can click the Elevate! button to launch privileged applications without interruptions. The button is available on the context menu of Windows Explorer objects that require elevated privileges to start-up, including: .bat, .cmd, .exe, .js, .lnk, .msc, .msi, .msp, .pl, .ps1 or .vbs (.lnk is for shortcuts).
  8. Run an Instant Elevation Report to view the processes that have been launched. For more information, see Instant Elevation Report.

Configuring self-service elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

To enable users to request permissions to use privileged applications, use the Self-Service Elevation Request Settings Wizard. Whenever a user attempts to run an application which requires administrative permissions for which they do not have rights, they will be asked if they would like to send a request to their administrator for permission to run it.

You can select how users access the request form and set up self-service notifications to email you, the help desk, and your manager of each request. Then, you can process the request within the Self-Service Elevation Requests section of the console and email your decision to the user, using the Console Email Configuration screen.

Using the Self-Service Elevation Request Settings Wizard

Before you configure self-service elevation request settings, ensure the following components are set up:

  1. The client is running on the computers you want to apply the settings to;
  2. The server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and
  3. Client data collection settings are enabled for the selected GPO.

To use the Self-Service Elevation Request Settings Wizard to set up, modify, or discard privileges:

  1. Open the wizard:
    1. Open the Self-Service Elevation Request Settings Wizard from the Setup Tasks section. It will always show the default settings, or
    2. Double-click Self-Service Elevation Request Settings on the Advanced Policy Settings tab of the target GPO. The changes made within the wizard will be saved here.
  2. Enable the Self-Service Elevation Requests Settings on the State tab.
    1. Choose Enabled, otherwise the settings won't apply to the selected GPO.
    2. Choose Not Configured to enable child GPOs to inherit settings from their parent.
  3. Use the Settings tab for Selecting how users access the request form.
  4. Click Next to use validation logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO has not been selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.
  5. Click Next to use the Filters tab to filter out Self-Service Request data according to different application-specific criteria.

    On the Filters tab, select the checkbox to enable application filters.

    Enter filter criteria in at least one of the available boxes (Executable path contains, Product name contains, Publisher name contains, and File description contains).

    An application only needs to meet a single filter criterion in order for its Self-Service Request data to be filtered out. A comma delimiter can be used to enter multiple criteria in each filter box.

    NOTE: The Privilege Manager client will not transmit any Self-Service Request data for any application that meets at least one of the existing filter criteria.

  6. Click Save on the GPO toolbar to save the new settings.
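
The filter rules described for the Filters tab (a match on any single criterion is enough, and commas separate multiple criteria in a box), modeled as an added PowerShell example for previewing which applications' Self-Service Request data a filter set would suppress. This is not Privilege Manager code: the function name, the property names, the sample data, and the matching details (case-insensitive substring match, whitespace trimmed around commas) are assumptions.

```powershell
# Added example, not Privilege Manager code. Assumed matching rules (the guide
# does not state them): case-insensitive substring match, and whitespace
# around comma-separated entries is ignored.
function Test-SelfServiceFilter {
    param(
        [Parameter(Mandatory)] [psobject] $App,                           # Path, Product, Publisher, Description
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Filters  # one comma-delimited string per filter box
    )
    foreach ($box in $Filters.Keys) {
        $value = [string]$App.$box
        foreach ($entry in ([string]$Filters[$box] -split ',')) {
            $term = $entry.Trim()
            if ($term -and $value.IndexOf($term, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                # A single matching criterion in any box suppresses the request data.
                return [pscustomobject]@{ Path = $App.Path; Transmitted = $false; MatchedBox = $box; MatchedTerm = $term }
            }
        }
    }
    [pscustomobject]@{ Path = $App.Path; Transmitted = $true; MatchedBox = $null; MatchedTerm = $null }
}

# Constructed filter values. Keys stand for the four boxes on the Filters tab:
# Executable path, Product name, Publisher name, File description.
$filters = [ordered]@{
    Path        = 'C:\Windows\Temp, \Downloads\'
    Product     = ''
    Publisher   = 'Contoso'
    Description = 'setup'
}

# Constructed application metadata for hypothetical programs.
$apps = @(
    [pscustomobject]@{ Path = 'C:\Program Files\Contoso\Agent\agent.exe'; Product = 'Contoso Agent';  Publisher = 'Contoso Ltd'; Description = 'Management agent' }
    [pscustomobject]@{ Path = 'C:\Users\alice\Downloads\tool.exe';        Product = 'Example Tool';   Publisher = '';            Description = 'Portable utility' }
    [pscustomobject]@{ Path = 'D:\Apps\Fabrikam\PrinterSetup.exe';        Product = 'Fabrikam Print'; Publisher = 'Fabrikam';    Description = 'Printer Setup Wizard' }
    [pscustomobject]@{ Path = 'D:\Apps\Fabrikam\report.exe';              Product = 'Fabrikam Print'; Publisher = 'Fabrikam';    Description = 'Report viewer' }
)

# Transmitted = $false marks requests the client would not send to the server.
$apps | ForEach-Object { Test-SelfServiceFilter -App $_ -Filters $filters } | Format-Table -AutoSize
```

Filtered applications never reach the Self-Service Elevation Requests section of the console, so a broad term such as `setup` removes visibility into every program it matches. Review the MatchedTerm column for unintended matches before saving the GPO.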

Selecting how users access the request form

Use the Settings tab of the Self-Service Elevation Request Settings Wizard to select how end users access the request form and set up email confirmation and notification settings. You can combine the following options:

Option: Automatically ask users if they would like to request that a privilege elevation rule be created whenever they attempt to launch applications which require privilege elevation to run.

Action: This option is enabled by default.

Once a user closes the User Account Control (UAC) window, a Self-Service Elevation Request Prompt will display.

Note: Not all applications which display UAC windows will automatically pop up a Self-Service Elevation Request Form. You can allow the user to manually submit self-service requests by enabling the "Add a Windows explorer shell" option described below. Windows Installer files (.msi) will not automatically trigger Self-Service Prompts, so the Self-Service Elevation Request Form will need to be manually triggered by users.

Option: Allow users to hide or disable these prompts.

Action: This option is enabled by default.

  • Users can select whether the request form will display in the future by checking the In the future, don't show me this when I try to run applications that need approval checkbox.
  • A user on a client computer can re-enable/disable the prompt using the Display Self-Service Prompts icon on the context menu of the system tray.

Note: This setting does not affect the Self-Service Elevation Request Form launched with the Elevate! button. It only affects the request forms displayed automatically.

Option: Add a Windows explorer shell extension allowing the user to right-click on a program or shortcut in order to request that a privilege elevation rule be created for that program.

Action: This option is enabled by default.

  • Users can click the Elevate! button to launch privileged applications without interruptions. The button is available on the context menu of Windows Explorer objects that require elevated privileges to start-up, including: .bat, .cmd, .exe, .js, .lnk, .msc, .msi, .msp, .pl, .ps1 or .vbs (.lnk is for shortcuts).
  • Users can click the Elevate! button to launch the Self-Service Elevation Request Form or instant elevation, if it is enabled.

Option: Allow user to specify the email address where a confirmation email should be sent once the administrator has processed the request for the privilege elevation rule. (If this option is not checked, the email will be sent to the user's Exchange account as found in Active Directory.)

Action: This option is disabled by default.

The user can enter an email address into the corresponding text field.

By default, the field is pre-populated with the email address of the user who is logged in (provided that it is specified in Active Directory).

Option: Send an email notification to the administrator whenever a user submits a Self-Service Elevation Request.

Action: This option is disabled by default.

Enter the Email Address for the administrator and/or the help desk or other recipients. Use the + button to add entries and the x button to remove them.

By default, the Email Subject is pre-populated with Privilege Manager Self-Service Elevation Request as the subject line. You can enter your own subject and press the Reset button to reset it to the default.
