Chat now with support
Chat mit Support

Safeguard Privilege Manager for Windows 4.5 - Administration Guide

About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program

Applying a license

You can apply a license upon initial start-up or later. Otherwise, if your trial has expired, you’ll only be able to access the Community edition.

To apply a license when you start the Console for the first time

  1. A window appears, asking you to apply a license.

    • If you are going to apply a Safeguard Privilege Manager for Windows Professional Edition or Professional Evaluation Edition license, click Yes. Then, browse to the license file and click Open.

    • Click No to access the Privilege Manager Community Edition that does not require a license.

To apply a license in the Console after initial start-up

  1. Click Help > About in the menu.

  2. Navigate to the Licenses tab.

  3. Click Apply License File.

  4. Highlight the product name and click Update License.

  5. Browse to the license file and click Open and then OK.

  6. If you are upgrading, you may need to follow the additional steps detailed in the Upgrading section.

Viewing GPOs

To view the GPOs that you have access to

  • Switch from the Setup Tasks > Getting Started window to the Group Policy Settings > All GPOs window.

NOTE: If you do not see the domain tree when the Group Policy Settings section is selected, check that the default domain is selected in the Setup Tasks > Select Target Domains window.

Selecting target domains

The Safeguard Privilege Manager for Windows is initially configured to allow you to manage the privilege Elevation settings for the domain to which the local computer belongs. In addition, the Console also allows you to manage other domains in your forest.

For Safeguard Privilege Manager for Windows to work across multiple domains within a single forest, the appropriate domain permissions must be configured and an Enterprise Admin Active Directory account must be used with the Safeguard Privilege Manager for Windows Console. The Windows user account must include the following:

  • SQL Server System Administrators role

  • db_owner access to the master database

  • db_owner access to the PAReporting database (required for upgrades)

    For complete information about the database space requirements, see Database Planning.

    NOTE: The recommendation for multiple domains in a single forest is for each domain within the forest to host a completely separate installation of Safeguard Privilege Manager for Windows.

To customize the number of your forest’s domains available in the Group Policy Settings pane

  1. In the Getting Started section of the navigation pane, select Setup Tasks and then click Select Target Domains in the right pane.

  2. In the window that appears, specify the domain names, as applicable.

  3. (Optional) Click Select DC to open the Select Domain Controller dialog. Specify the exact domain controller that the Console will communicate with.

    The list of the domains and GPOs change accordingly.

    NOTE: You can create the GPO rules only on a domain where you have write permissions for the GPOs.

Installing a second Console

To manage Safeguard Privilege Manager for Windows Group Policies (GPOs) from a Microsoft Windows 10 machine that does not host the Safeguard Privilege Manager for Windows Console or Server, install a second Safeguard Privilege Manager for Windows Console instance.

NOTE: There is no GPO locking mechanism so ensure that the same GPO is not edited at the same time from different consoles. Changes can be lost when multiple saves occur.

Requirements

To install a second Console, you must meet the following requirements:

  • Use same license as for the first Console.

  • Use same version of PM Console as the first Console.

  • Permissions: User running the remote Console must be a member of the super user group specified during the setup of the first Safeguard Privilege Manager for Windows Console or Server. User must also have permissions to edit GPOs.

To install a second Console

  1. Install the second Console on another machine.

  2. Apply the same license that is used on the first Console.

  3. Open the Console and go to Setup Tasks > Configure a server.

  4. Click Browse to choose an existing Safeguard Privilege Manager for Windows Server. In the box at the bottom, type the name of the Server.

  5. To close the dialog, click OK, and then click Test to ensure a successful connection.

  6. Click OK to finish.

  7. (Optional) If using Temporary Session Elevation passcodes:

    1. On the original Safeguard Privilege Manager for Windows Server, locate and copy this file: C:\Program Files (x86)\One Identity\Safeguard Privilege Manager for Windows\Console\pmtse.ske.

    2. On the second Console, locate the same file in same location.

    3. Rename it to pmtse.ske.old.

    4. Copy the pmtse.ske file from the original Safeguard Privilege Manager for Windows Server to the second Console.

    5. Close and re-open the second Console.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen