Welcome to the KACE Privilege Manager for Windows Quick Start Guide. Privilege Manager lets system administrators grant selected privileges to users so they can update their own PCs, reducing help desk calls while maintaining a secure network. This guide instructs system administrators on how to set up the Privilege Manager console, server, and client. This guide also provides an overview of the product’s key features and the wizards that will help you use them.
For more information, refer to these additional resources:
For system administrators:
For end users with the Privilege Manager client service installed on their computers:
IMPORTANT: The security status of the installation file can become "blocked" after download, which can prevent the product from installing properly. See KB 262298 for information on detecting and resolving this issue.
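One way to check an installer for the "blocked" status before running it, as an added PowerShell example that is not taken from this guide or from KB 262298. It assumes the status is the Windows Mark of the Web (the `Zone.Identifier` alternate data stream); the function name and download folder are hypothetical, and the file names are the installers named in this guide.

```powershell
# Added example. Assumption: "blocked" is the Mark of the Web, stored by Windows
# in the file's Zone.Identifier alternate data stream (NTFS volumes only).
function Get-InstallerBlockStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [switch]$Unblock   # remove the mark, but only from validly signed files
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not found: $p"
            continue
        }
        # The stream exists only on files Windows marked as downloaded.
        $stream = Get-Item -LiteralPath $p -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($stream) {
            $line = Get-Content -LiteralPath $p -Stream Zone.Identifier |
                Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
            if ($line) { $zoneId = [int]($line -replace '^ZoneId=', '') }
        }
        # Check the Authenticode signature before trusting the download.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $unblocked = $false
        if ($Unblock -and $stream -and $sig.Status -eq 'Valid') {
            Unblock-File -LiteralPath $p
            $unblocked = $true
        }
        [pscustomobject]@{
            Path      = $p
            Blocked   = [bool]$stream
            ZoneId    = $zoneId      # 3 = Internet zone
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Unblocked = $unblocked
        }
    }
}

# Hypothetical download folder; adjust to where the installers were saved.
$dir   = Join-Path $env:USERPROFILE 'Downloads'
$files = 'PAConsole_Pro.msi', 'PAClient.msi' | ForEach-Object { Join-Path $dir $_ }
Get-InstallerBlockStatus -Path $files
```

Run it first without `-Unblock` to review the `Signature` and `Signer` columns; with `-Unblock`, a file whose signature is not `Valid` is left blocked.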
The Privilege Manager console and client must be installed on a computer within the Active Directory domain.
When setting up the Privilege Manager for Windows server, Microsoft SQL Server (hosted either locally on the Privilege Manager for Windows machine or remotely) is required. Privilege Manager supports Microsoft SQL Server 2008 to Microsoft SQL Server 2017. Privilege Manager for Windows can optionally install SQL Server 2014 R2 Express.
There are three software components included with Privilege Manager: the console, server and client.
The Privilege Manager console, installed via PAConsole_Pro.msi, is a management application. It is installed on a domain computer (server or workstation) and is used to create and manage rules within Group Policy. Any user who has permission to edit a GPO can use the console to set privileges.
The Privilege Manager server, installed via the console, is a service which has several functions. It can deploy the client, collect and report on data, and discover and process applications that require elevated privileges.
The Privilege Manager client, installed via PAClient.msi, is a service that runs on each client computer. It applies the rules created in the console: it monitors processes as they are launched on the client and elevates or lowers the privileges of the processes that are configured to be monitored. It does this by injecting an administrative token into the process or revoking it.
Microsoft Active Directory and Group Policy are used to distribute Privilege Manager rules to client computers.
Privilege Manager can modify privileges only for a standard user account, not a guest account. Elevated privileges can be revoked even if the user is a local admin.
Prepare your environment for least privileged use by installing Privilege Manager for Windows, configuring reporting, discovery, and remediation settings, configuring approved privileged applications, and removing local admin rights.