Refer to the Privilege Manager for Windows Administrator Guide for information on editions and applying a license.
Each Privilege Manager license file is compatible with only a single major version of the product (e.g., 3.x or 4.x). This means existing 3.x licenses are not valid after upgrading to a 4.x build. Therefore, existing customers are required to obtain a new license file using the License Assistance portal (https://support.quest.com/contact-us/licensing) in order to be properly registered after upgrade.
NOTE: Privilege Manager does not phone home for product licensing.
Configuring access to ports, websites, and processes
Your firewall must allow the Privilege Manager Console to access the following domains on ports 80 (non-SSL) and 443 (SSL). In addition to those ports, Privilege Manager uses a configurable port for the data collection service (8003 by default) to receive information from managed target devices.
||Privilege Manager web server|
||Quest Support Portal|
The following features and processes must be allowed through the firewall on target devices:
Installing the console
The Console must be installed on a computer that is joined to the domain and run under a user account that has the rights to change at least one GPO. The Console displays GPOs based on the security context of the user that is logged on.
To complete the Console installation, follow the Windows Installer through a series of dialog boxes:
Run the Privilege Manager setup file, PAConsole_Pro.msi.
The installer checks to see if your system is missing any of the required components.
Review the system requirements for Privilege Manager. A window appears, allowing you to install any of the missing components.
Complete one of the following steps:
- Click Yes to download and install a single missing component. A new notification window will display to install others, if necessary.
- Click Yes to all to download and install all the missing components with a single click.
- Click No to manually download the missing components. A dialog will follow, displaying the download links for the missing components. Install the components and then resume the installation.
- Click the link and download the component.
- Close the Console setup notification window with the download link to .Net 4.0 Framework.
- Install the component.
- The initial dialog box is the installation Welcome. Click Next.
- The License Agreement dialog box displays. Select I accept the terms in the License Agreement and click Next. Refer to the Privilege Manager Administrator Guide for more information on applying a license.
- On the Destination Directory dialog box, select a destination folder. The installation path depends on the system architecture and defaults to: %PROGRAMFILES%\Quest or %ProgramFiles(x86)%\Quest. Click the Browse button to select a different installation path; however, accepting the default values is recommended. Click Next.
- Click Install on the final installation dialog. Once the installation is complete, click Finish.
Configuring the server
Available only in Privilege Manager Professional and Professional Evaluation editions.
After installing the Console, a Server must be configured. Configuring the Server sets up the back-end services needed to automatically deploy the Client, as well as enable reporting, discovery and remediation.
To use the Privilege Manager for Windows Server Configuration Wizard to set up the Server:
Start the Privilege Manager for Windows Server Configuration Wizard.
- Open the Console.
- Under the Getting Started section of the left navigation menu, click Setup Tasks.
- Select the Configure a server icon in the Basic Setup right pane.
The Privilege Manager for Windows Server Configuration screen appears.
- Click the Browse button to locate a Server through Active Directory.
- Use the Test button to verify the selected Server's connection to the ScriptLogic PA Reporting Service. If the test fails, check to see if there are network or firewall problems.
- Click the Clear the server name link if you want to configure another Server. The displayed service remains installed.
- Click Setup/configure the Privilege Manager Server on this computer to install a new Server or configure one on the local computer.
- In the Privilege Manager for Windows Server Setup Wizard that appears, set the port for the web service.
- Click Reset to set the Port Number to its default. The ScriptLogic PA Reporting data collection web service listens for incoming data from the clients on port 8003, by default. The firewall must be configured to allow communication over any port you select.
- Select the Add an application exception to the firewall for this service option to automatically add UDP and TCP rules (named ScriptLogic PA Reporting Svc) to the Windows Firewall exceptions list to allow inbound traffic for the service on the local computer.
- Under the optional Server Email Notification Configuration section, select the Server to use for email notifications of Self-Service requests and scheduled reports.
Configure the following fields:
- Host Name: Enter the SMTP Server name of the email account from which you are going to send your emails.
- SMTP Port: Enter the port number.
- SMTP User Name and Password: If necessary, enter the authentication information and check the SSL check box.
- From Email: Enter the corresponding email.
Note: You must enter the SMTP Password each time you configure the Server or an error is received.
Click Send Test Email to send an email to the account specified in the From Email field.
- If Privilege Manager succeeds in sending the email, the corresponding message appears.
- Log into an email program with the corresponding account and locate the sent email folder, with Privilege Manager Test Email in the subject.
- Click Next. Select an SQL Server instance to use for the PA Reporting database.
Select Download and install a local instance of Microsoft SQL Server 2008 R2 Express to have the Server Wizard install it. Then click Next.
Note: By default, the SQL Server installed via the Console uses Windows authentication.
Select Use an existing SQL Server instance to instruct Privilege Manager to connect to an existing local or remote SQL instance (Microsoft SQL Server 2008 or Microsoft SQL Server 2014 is required) and then click Next.
If you are using a remote SQL database, follow these steps:
- Enable TCP/IP protocol for the selected SQL Server instance;
- Enable the Console host to address the remote SQL Server; and
- Allow the firewall to communicate between the SQL database and the Console host on the port that the remote SQL Server is configured to listen on.
Note: If a domain controller hosts the Console, Microsoft does not recommend running a database on a domain controller computer. In this case, either connect to a remote SQL database instance or use another computer to install the Console and download the SQL Server 2008 R2 Express software via the Privilege Manager for Windows Server Configuration wizard.
- Set up a Super User group, credentials for the Data Collection Web Service Account, and the database service account.
- Verify the default user group and user accounts will be granted administrative privileges in the Privilege Manager for Windows Reporting database. This group is configured as the Super User group. If a different group is required, click the Browse button to locate it using Active Directory.
- In the Data Collection Web Service Account section, enter the password of the account that is used to run the data collection service. This account requires local administrator rights.
- Use the SQL Server Express Service Account section to enter a new account for the SQL Server service, if you selected the option to download and install a local instance of Microsoft SQL Server 2008 R2 Express.
Note: If you plan to use the configured server domain-wide, i.e., from other consoles run either by domain or organizational unit level admins, then ensure the provided Database Super User Group includes all the user accounts that may address the PAReporting database. Otherwise, a user that has no rights to the database will encounter an error.
- Click Next to install a list of SQL Server Management Objects (SMOs) if the local computer is missing them. These prerequisites are required in order to connect to SQL Server instances on the network.
- Select the existing SQL Server instance running remotely or locally, if you selected the option to use an existing SQL Server instance.
In the SQL Server Instance Name field, specify the name in the following format:
- Use the button to view the server instances available on your network.
- When using Windows authentication, ensure that the Windows account with which you are currently logged in to the Console:
- Is assigned to the system administrator server role on the specified SQL Server instance;
- Is a member of the db_owner role for the master database; and
- Is a member of the db_owner role for the PAReporting database, when you are upgrading a database previously created with the Privilege Manager for Windows Server Configuration Wizard.
If you are targeting a remote SQL database, it must use Windows authentication for runtime access to data (although SQL authentication can be used for the database setup).
- Click Next to install the prerequisites and launch the services.
- During installation, a command prompt window may appear for a short period of time.
- Click OK and then Finish to exit the Privilege Manager Server Setup wizard.
To ensure proper functioning of the Server, allow the following programs through the Windows firewall:
- On the client computer: CSEHost.exe.
- On the Server host: PrivilegeAuthority.exe, which is configured by default during Server configuration, provided that the firewall is turned on.
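The firewall exceptions described above can be checked after setup to confirm they exist and are no wider than needed. The following PowerShell is an added example, not part of the Quest documentation; the host name pmserver.example.local is a placeholder, and the script assumes the rules carry the display name ScriptLogic PA Reporting Svc and the default port 8003 given earlier.

```powershell
# Added example, not Quest code. $Server is a placeholder host name; the rule
# display name and port 8003 are the defaults this guide gives.
param(
    [string]$Server   = 'pmserver.example.local',
    [int]$Port        = 8003,
    [string]$RuleName = 'ScriptLogic PA Reporting Svc'
)

function Get-RuleSummary {
    param([Parameter(Mandatory, ValueFromPipeline)]$Rule)
    process {
        $port = $Rule | Get-NetFirewallPortFilter
        $addr = $Rule | Get-NetFirewallAddressFilter
        $app  = $Rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName   = $Rule.DisplayName
            Enabled       = $Rule.Enabled
            Direction     = $Rule.Direction
            Action        = $Rule.Action
            Profile       = "$($Rule.Profile)"
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Program       = $app.Program
            # Heuristic: an enabled inbound allow rule open to any remote address on
            # the Public (or every) profile is wider than an internal service needs.
            ReviewScope   = $Rule.Enabled -eq 'True' -and $Rule.Action -eq 'Allow' -and
                            $addr.RemoteAddress -contains 'Any' -and
                            "$($Rule.Profile)" -match 'Any|Public'
        }
    }
}

# 1. Server host: the TCP and UDP rules the setup wizard adds.
$rules = @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
if ($rules.Count -eq 0) { Write-Warning "No firewall rule named '$RuleName' on this host." }
$rules | Get-RuleSummary | Format-List

# 2. Client or Server host: every rule tied to the two executables named in the guide.
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -match '\\(CSEHost|PrivilegeAuthority)\.exe$' } |
    Get-NetFirewallRule | Get-RuleSummary |
    Format-Table DisplayName, Program, Profile, ReviewScope

# 3. Client: confirm the data collection port is reachable through the firewalls in between.
$probe = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
'{0}:{1} reachable = {2}' -f $Server, $Port, $probe.TcpTestSucceeded
```

Rules flagged with ReviewScope set to True are candidates for restricting to the Domain profile or to the subnets where managed clients live.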