
Safeguard Privilege Manager for Windows 4.5 - Administration Guide


Import/Export Rules

Once rules are created for a GPO, they can be exported to share them, to copy them to another GPO, or to keep a backup.

To export rules

  1. Select a GPO in the domain tree.

  2. Right-click on the GPO name and select Export Rules.

  3. Enter the path and file name of the export file to be created. Click ... to select a path using File Explorer.

  4. In the pop-up window that displays a count of the Privilege Elevation Rules and Blacklist Rules for the GPO, complete the following steps, as applicable:

    • Select Export all Privilege Elevation Rules to include those rules in the export.

    • Select Export all Blacklist Rules to include those rules in the export.

  5. Click Export to begin the export process.

To import rules

  1. Select a GPO in the domain tree.

  2. Right-click on the GPO name and select Import Rules.

  3. Enter the path and file name of the file to be imported. Click ... to select a path using File Explorer.

  4. In the pop-up window that displays a count of the Privilege Elevation Rules and Blacklist Rules for the GPO, complete the following steps, as applicable:

    • Select Import all Privilege Elevation Rules to include those rules in the import.

    • Select Import all Blacklist Rules to include those rules in the import.

  5. Click Import to begin the import process.

Testing rules

You can test a rule to ensure that the settings you specified map to a process on a local or remote computer. You can test all types of rules, except ActiveX.

Before you test a rule, ensure the following components are set up:

  1. The Client is running on the computer on which you intend to test the rule.

  2. The remote computer is switched on and is accessible from the network.

  3. The correct credentials to connect to the remote computer are provided.

  4. The following exceptions are added for remote computers with a firewall turned on:

    • Windows Management Instrumentation (WMI): dllhost.exe

    • Host process for Windows services: svchost.exe for 32-bit OS and %SystemRoot%\SysWOW64\svchost.exe for 64-bit OS.
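
A read-only check for the firewall exceptions listed above, as an added PowerShell example that is not part of the product or of the original guide. The function name and the System32 locations of dllhost.exe and svchost.exe are assumptions; run it in an elevated session on the remote computer.

```powershell
# Added example (not product code). Get-TestRuleFirewallException is a hypothetical name.
# Uses the built-in NetSecurity cmdlets; it only reads the firewall configuration.
function Get-TestRuleFirewallException {
    [CmdletBinding()]
    param(
        # Programs from the prerequisite list. The System32 paths are assumptions;
        # the SysWOW64 path is the one the guide gives for a 64-bit OS.
        [string[]]$Program = @(
            '%SystemRoot%\System32\dllhost.exe',
            '%SystemRoot%\System32\svchost.exe',
            '%SystemRoot%\SysWOW64\svchost.exe'
        )
    )
    $wanted = $Program | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

    # Only enabled inbound allow rules can act as an exception.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $app = $rule | Get-NetFirewallApplicationFilter
        if (-not $app.Program -or $app.Program -eq 'Any') { continue }

        # Stored paths may contain %SystemRoot%; expand before comparing.
        $path = [Environment]::ExpandEnvironmentVariables($app.Program)
        if ($wanted -notcontains $path) { continue }   # comparison is case-insensitive

        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Program       = $path
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = $addr.RemoteAddress -join ','
            # An exception open to every remote address is wider than testing
            # from a single administration console requires.
            OpenToAny     = ($addr.RemoteAddress -contains 'Any')
        }
    }
}

$found = @(Get-TestRuleFirewallException)
$found | Sort-Object Program, Rule | Format-Table -AutoSize

# Report listed programs that have no matching allow rule at all.
$expected = '%SystemRoot%\System32\dllhost.exe', '%SystemRoot%\System32\svchost.exe',
            '%SystemRoot%\SysWOW64\svchost.exe' |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
$expected | Where-Object { $found.Program -notcontains $_ } |
    ForEach-Object { Write-Warning "No enabled inbound allow rule for $_" }
```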

To test a rule

  1. Within the Group Policy Settings section, select a rule, and click the Test button.

  2. Select whether to test the rule on a local or remote computer.

    A test window appears and the test starts. The window displays the initial conditions necessary for the rule to run and presents their status in the Test Progress section, testing if:

    • The connection with the target computer has been established;

    • The Client is installed on your computer;

    • The Group Policy update has run successfully on the client computer;

    • The GPO with the selected rule is present on the domain; and

    • The rule exists on the client side and on the domain.

  3. If the test fails any of the steps, resolve the issue. If you encounter a "Failed to retrieve processes. Please refer to documentation for more info" error, complete the steps above before you test the rule.

  4. Click Next.

  5. When the Detecting Process window opens, manually run the process the rule applies to. Use the parameters specified in the Rule Details section of the Test File Rule window. The window shows two tabs:

    • The Started Processes tab with the processes started after you switched from the Detecting Process window.

      • The process that you start to test the rule will display with either a tick or a cross sign.

      • If the process is marked with the cross sign, look at Process Details and check that you started the process with the right parameters, or modify the rule settings.

    • The All Processes tab with all currently running processes.

  6. When the rule is created and distributed to clients through Group Policy, the rule is applied to the corresponding process.

Removing local admin rights

The last step in preparing your environment for least privileged use is to remove administrative access from users who no longer require it.

Using the Active Directory Users and Computers utility

To scrub the Domain Administrators group of users that should no longer have administrative rights to every computer in the domain, use the native Active Directory Users and Computers utility of the supported Windows Server operating systems.

To remove users from the Domain Administrators group:

  1. Select Domain Admins Properties > Members tab > Remove.

  2. Click Discover Accounts in local Administrator groups to discover users and domain groups with local administrator rights.

    NOTE: By default, the search results include only domain users and domain groups. However, you can opt to include local and built-in users (for informational purposes only).
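
To cross-check the discovery results independently of the console, the following added PowerShell example (not product code and not from the original guide) lists the members of the local Administrators group on a set of computers. The function name, the -IncludeLocal switch and the host names are assumptions; by default it reports only domain users and groups, matching the default described in the NOTE.

```powershell
# Added example (not product code). Get-LocalAdminInventory is a hypothetical name.
# Requires PowerShell remoting to the targets and Windows 10 / Server 2016 or later there.
function Get-LocalAdminInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Mirrors the optional setting in the NOTE: also list local and built-in accounts.
        [switch]$IncludeLocal
    )

    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -ErrorVariable problems -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of the local Administrators group;
        # using it avoids depending on the localized group name.
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            $sid    = $_.SID.Value
            $source = [string]$_.PrincipalSource       # Local, ActiveDirectory, ...
            [pscustomobject]@{
                Member  = $_.Name
                Class   = [string]$_.ObjectClass       # User or Group
                Source  = $source
                # RID 500 on a local account is the built-in Administrator.
                BuiltIn = ($source -eq 'Local') -and ($sid -match '-500$')
            }
        }
    }

    # Surface computers that could not be queried instead of silently skipping them.
    foreach ($err in $problems) {
        Write-Warning "Inventory error ($($err.TargetObject)): $($err.Exception.Message)"
    }

    $members |
        Where-Object { $IncludeLocal -or $_.Source -eq 'ActiveDirectory' } |
        Select-Object @{ n = 'Computer'; e = { $_.PSComputerName } },
                      Member, Class, Source, BuiltIn |
        Sort-Object Computer, Source, Member
}

# Constructed host names; replace with computers from your own inventory.
# Get-LocalAdminInventory -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' -IncludeLocal |
#     Export-Csv .\local-admins.csv -NoTypeInformation
```

Running the inventory before and after removing rights gives a record of which accounts lost local administrator membership on each computer.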
