Use the Groups tab to add or remove an Active Directory user group from the security token of the target process. Removing a group decreases the privileges with which the process will run.
To add or remove an Active Directory user group using the Groups tab in the Create Rule Wizard:
- A security group whose group scope is Built-in local can only be added to the security token of a process on a client computer if the client defines the same security identifier (SID) in its own built-in security groups. Domain groups are resolved by the domain controller, but built-in local groups are defined per machine, so the SID must exist on the client for the rule to take effect.
- When removing a group from the security token, ensure that the user account under which the process is launched belongs to more than one group. Otherwise, the rule will not apply as intended.
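The following script is an added example and is not part of the Privilege Manager documentation. It resolves the group names you intend to put in a Groups-tab rule on the client itself, flags Built-in local groups (SIDs under S-1-5-32) that the client must define for an "add group" to work, reports which of them are already in the current process token, and warns when the account belongs to only one group so that a "remove group" rule would not apply as intended. The group names are placeholders taken from the page's examples, and the script assumes it runs on a domain-joined Windows client.

```powershell
# Added example; not from the Privilege Manager product or its documentation.
# Checks the inputs of a Groups-tab rule against the local client:
#  - does each group name resolve to a SID here (required for Built-in local groups)?
#  - is it already present in the current token?
#  - does the account hold more than one group (precondition for removing one)?
# Assumption: run on a domain-joined Windows client; names below are placeholders.

function Test-GroupRuleInputs {
    param(
        [Parameter(Mandatory)] [string[]] $GroupNames,
        [System.Security.Principal.WindowsIdentity] $Identity =
            ([System.Security.Principal.WindowsIdentity]::GetCurrent())
    )
    # SIDs of the enabled groups in the current process token.
    $tokenSids = @($Identity.Groups | ForEach-Object { $_.Value })

    foreach ($name in $GroupNames) {
        $sid  = $null
        $note = 'resolves on this client'
        try {
            # Name -> SID lookup as the client would perform it.
            $sid = ([System.Security.Principal.NTAccount] $name).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $note = "NOT resolvable on this client ($($_.Exception.Message)); the rule cannot add it"
        }
        # Built-in local groups (Administrators, Users, ...) live under S-1-5-32-*.
        $builtIn = [bool]($sid -like 'S-1-5-32-*')
        if ($builtIn) { $note += '; Built-in local scope, the client must carry this exact SID' }

        [pscustomobject]@{
            Group   = $name
            Sid     = $sid
            BuiltIn = $builtIn
            InToken = [bool]($sid -and ($tokenSids -contains $sid))
            Note    = $note
        }
    }

    if ($tokenSids.Count -le 1) {
        Write-Warning ("Account '{0}' holds {1} group(s); a remove-group rule would not apply as intended." -f
            $Identity.Name, $tokenSids.Count)
    }
}

# Candidates for the Groups tab: one Built-in local group and two domain groups (placeholder names).
Test-GroupRuleInputs -GroupNames 'BUILTIN\Administrators', 'DERPA\ADMINISTRATORS', 'DERPA\HELPDESK' |
    Format-Table -AutoSize
```

Run it in the user context that will launch the target process: the token groups reported are those of the calling account, and a domain group that fails to resolve usually means the client has no line of sight to a domain controller rather than a problem with the rule.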
Available only in Privilege Manager Professional and Professional Evaluation editions.
By default, a rule applies to all client computers to which the previously selected GPO is linked. For more granular targeting, use the Standard Rules and Validation Logic Rules sub-tabs of the Validation Logic tab in the Create Rule Wizard to target the rule based on the client's operating system, its IP address, and/or the logged-in user.
Within the Standard Rules sub-tab in the Create Rule Wizard, you can restrict a rule to clients running specified operating systems, or to servers or workstations only. By default, all operating systems are selected. If no options are selected, the rule applies to all supported operating systems.
To use the Standard Rules sub-tab in the Create Rule Wizard:
The Validation Logic Rules sub-tab in the Create Rule Wizard allows you to set additional parameters to target the rule. You can define whether the rule will run on computers with a prefix in the name, a group or IP address range, or a user currently logged in. For example, you can target the rule to computers belonging to OUs that end with DEPARTMENT and are in subnet 192.168.0.X, except for the IP address 192.168.0.1.
Note: Client Deployment Settings can only be targeted to specific computers and not to user accounts or groups.
To set rule parameters using the Validation Logic Rules sub-tab in the Create Rule Wizard:
| Type of Rule | Action |
|---|---|
| Computer Group | Set a rule for one or several names, or partial names, of your Active Directory computer groups. Enter the NetBIOS name, for example: DERPA\DOMAIN CONTROLLERS |
| User Group | Set a rule for one or several names, or partial names, of your Active Directory user groups. The group membership value you enter is compared against the groups the user belongs to during the logon process and must match for the configuration to be processed. Enter the NetBIOS name, for example: DERPA\ADMINISTRATORS |
| User Name | Set a rule that applies only when specific users are logged into client computers. Enter the NetBIOS name, for example: DERPA\HELPDESK |
| OU (Computer) | Set a rule for names, or partial names, of computer-based OUs or the Computers container in your Active Directory. The OU value you enter is compared against the OU the client computer belongs to during the logon process and must match for the configuration to be processed. Enter the fully qualified domain name (FQDN), for example: DERPA.DERPADEV.LOCAL\DOMAIN CONTROLLERS |
| OU (User) | Set a rule for names, or partial names, of user-based OUs or the Users container in your Active Directory. The OU value you enter is compared against the OU the user belongs to during the logon process and must match for the configuration to be processed. Enter the FQDN, for example: DERPA.DERPADEV.LOCAL\USER ACCOUNTS |
| Computer Name | Set a rule for computers with specified names or partial names. Enter the FQDN, for example: DERPA.DERPADEV.LOCAL\PASERVER |
| IP Address Range (v4/v6) | Set a rule for IP addresses or address ranges of client computers. |
| Registry Key Exists | Set a rule that applies only when a specified registry key exists on the client computer. |
| File Exists | Set a rule for files on the client computer or on the network. Specify a file that must exist on the client computer or on the network for the rule to run, for example: \\ComputerName\SharedFolder\Filename.exe or DriveLetter:\Filename.exe |
| Date and Time Range | Define when a rule should start and/or stop being enforced. |
When finished specifying Validation Logic rules, click Next. If the Display Advanced Options check box has not been selected, complete the rule creation process.
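The script below is an added example, not code from Privilege Manager or its documentation. It re-creates the matching behaviour of the Validation Logic rule types in the table above (prefix match on computer name, suffix match on OU, exact logged-in user, IPv4 range with explicit exclusions, registry key and file existence, date/time window) so that the target set of a rule can be checked against a client inventory before the GPO is linked. The rule is the one from the example earlier on this page (OUs ending with DEPARTMENT in 192.168.0.X, except 192.168.0.1); the inventory records, their field names (Name, Ou, IPv4, User) and the rule hashtable keys are constructed for this example, and only IPv4 ranges are handled.

```powershell
# Added example; not from the Privilege Manager product or its documentation.
# Evaluates a Validation Logic rule (as a hashtable) against one client record.
# Rule keys, record fields and the inventory below are assumptions for this example.

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)] [string] $Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [array]::Reverse($bytes)                 # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-ValidationLogic {
    param(
        [Parameter(Mandatory)] $Client,              # inventory record: Name, Ou, IPv4, User
        [Parameter(Mandatory)] [hashtable] $Rule,    # keys mirror the wizard's rule types
        [datetime] $Now = (Get-Date)
    )
    $why = New-Object System.Collections.Generic.List[string]

    # Computer Name: partial name, matched as a prefix.
    if ($Rule.ComputerNamePrefix -and $Client.Name -notlike "$($Rule.ComputerNamePrefix)*") {
        $why.Add("name does not start with '$($Rule.ComputerNamePrefix)'")
    }
    # OU (Computer): partial name, matched as a suffix ("OUs that end with DEPARTMENT").
    if ($Rule.OuEndsWith -and $Client.Ou -notlike "*$($Rule.OuEndsWith)") {
        $why.Add("OU '$($Client.Ou)' does not end with '$($Rule.OuEndsWith)'")
    }
    # User Name: exact NetBIOS match against the logged-in user.
    if ($Rule.UserName -and $Client.User -ne $Rule.UserName) {
        $why.Add("logged-in user is '$($Client.User)', not '$($Rule.UserName)'")
    }
    # IP Address Range (IPv4 only here) with explicit exclusions.
    if ($Rule.IpRangeStart) {
        try {
            $ip = ConvertTo-IPv4Int $Client.IPv4
            $lo = ConvertTo-IPv4Int $Rule.IpRangeStart
            $hi = ConvertTo-IPv4Int $Rule.IpRangeEnd
            if ($ip -lt $lo -or $ip -gt $hi) {
                $why.Add("IP $($Client.IPv4) is outside $($Rule.IpRangeStart)-$($Rule.IpRangeEnd)")
            } elseif ($Rule.IpExclude -contains $Client.IPv4) {
                $why.Add("IP $($Client.IPv4) is explicitly excluded")
            }
        } catch { $why.Add("IP check failed: $($_.Exception.Message)") }
    }
    # Registry Key Exists / File Exists are evaluated on the machine running this script.
    if ($Rule.RegistryKey -and -not (Test-Path -LiteralPath $Rule.RegistryKey)) {
        $why.Add("registry key '$($Rule.RegistryKey)' is missing")
    }
    if ($Rule.FilePath -and -not (Test-Path -LiteralPath $Rule.FilePath -PathType Leaf)) {
        $why.Add("file '$($Rule.FilePath)' is missing")
    }
    # Date and Time Range: either bound may be omitted.
    if ($Rule.NotBefore -and $Now -lt $Rule.NotBefore) { $why.Add("not yet in effect (starts $($Rule.NotBefore))") }
    if ($Rule.NotAfter  -and $Now -gt $Rule.NotAfter)  { $why.Add("no longer in effect (ended $($Rule.NotAfter))") }

    [pscustomobject]@{
        Computer = $Client.Name
        Applies  = ($why.Count -eq 0)
        Reasons  = ($why -join '; ')
    }
}

# Rule from the page's example: OU ends with DEPARTMENT, subnet 192.168.0.X, except 192.168.0.1.
$rule = @{
    OuEndsWith   = 'DEPARTMENT'
    IpRangeStart = '192.168.0.0'
    IpRangeEnd   = '192.168.0.255'
    IpExclude    = @('192.168.0.1')
}
# Constructed inventory for the example (not real hosts).
$inventory = @(
    [pscustomobject]@{ Name = 'DERPA.DERPADEV.LOCAL\PASERVER'; Ou = 'DERPA.DERPADEV.LOCAL\SALES DEPARTMENT'; IPv4 = '192.168.0.25'; User = 'DERPA\HELPDESK' }
    [pscustomobject]@{ Name = 'DERPA.DERPADEV.LOCAL\GW01';     Ou = 'DERPA.DERPADEV.LOCAL\SALES DEPARTMENT'; IPv4 = '192.168.0.1';  User = 'DERPA\HELPDESK' }
    [pscustomobject]@{ Name = 'DERPA.DERPADEV.LOCAL\HR07';     Ou = 'DERPA.DERPADEV.LOCAL\HR';               IPv4 = '192.168.0.40'; User = 'DERPA\HELPDESK' }
    [pscustomobject]@{ Name = 'DERPA.DERPADEV.LOCAL\LAB02';    Ou = 'DERPA.DERPADEV.LOCAL\LAB DEPARTMENT';   IPv4 = '10.0.0.5';     User = 'DERPA\HELPDESK' }
)
$inventory | ForEach-Object { Test-ValidationLogic -Client $_ -Rule $rule } | Format-Table -AutoSize
```

With this rule, only PASERVER applies: GW01 is caught by the exclusion, HR07 by the OU suffix, and LAB02 by the address range. The one behaviour worth keeping in mind from the table is that the User Group, User Name and OU (User) checks are made against the logged-in user at logon, so a rule that depends on them is only as current as the last logon on that client.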
On the Privileges tab in the Create Rule Wizard you can grant or deny privileges for a process, based on the standard Windows policies in the User Rights Assignment list (Local Security Settings\Local Policies).
To apply/deny privileges for processes (including child processes) using the Privileges tab in the Create Rule Wizard:
You can differentiate the security levels with which a process will run using the Integrity tab in the Create Rule Wizard. The integrity level is a feature of Windows operating systems beginning with Windows Vista and Windows Server 2008 (Mandatory Integrity Control).
This parameter can be applied to clients running Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and Windows 10.
By default, this setting will not apply and is set to the High integrity level.
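The following script is an added example and is not part of the Privilege Manager documentation. Run it inside a process that was launched through the rule (for instance from a command prompt that the rule elevates) to confirm what the Privileges and Integrity tabs actually produced in the token: it parses `whoami /priv` and `whoami /groups` and compares the result with the grants, denies and integrity level the rule was meant to apply. The `whoami` CSV column names and the S-1-16-* integrity SIDs are standard Windows values; the expected grant/deny list at the bottom is a placeholder for a hypothetical rule.

```powershell
# Added example; not from the Privilege Manager product or its documentation.
# Verifies the effective token of the current process against what a rule's
# Privileges and Integrity tabs were configured to produce.
# Assumption: the process was started through the rule; expected values are placeholders.

# Well-known mandatory-label SIDs (Windows Vista / Server 2008 and later).
$IntegrityBySid = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-8448'  = 'Medium Plus'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-TokenState {
    # whoami /priv lists every privilege the token holds with its State (Enabled/Disabled).
    $privileges = @{}
    foreach ($p in (whoami /priv /fo csv | ConvertFrom-Csv)) {
        $privileges[$p.'Privilege Name'] = $p.State
    }
    # The integrity level shows up in /groups as the row whose Type is "Label".
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
             Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $integrity = 'unknown'
    if ($label) {
        $integrity = if ($IntegrityBySid.ContainsKey($label.SID)) { $IntegrityBySid[$label.SID] } else { $label.SID }
    }
    [pscustomobject]@{
        Privileges   = $privileges
        Integrity    = $integrity
        IntegritySid = if ($label) { $label.SID } else { $null }
    }
}

function Compare-TokenToRule {
    param(
        [Parameter(Mandatory)] $State,
        [string[]] $Grant = @(),      # privileges the rule grants: must be present in the token
        [string[]] $Deny  = @(),      # privileges the rule denies: must be absent from the token
        [string]   $Integrity         # expected integrity level name, e.g. 'High'
    )
    foreach ($name in $Grant) {
        $actual = if ($State.Privileges.ContainsKey($name)) { $State.Privileges[$name] } else { 'absent' }
        [pscustomobject]@{ Check = "grant $name"; Actual = $actual; Ok = ($actual -ne 'absent') }
    }
    foreach ($name in $Deny) {
        $actual = if ($State.Privileges.ContainsKey($name)) { $State.Privileges[$name] } else { 'absent' }
        [pscustomobject]@{ Check = "deny $name"; Actual = $actual; Ok = ($actual -eq 'absent') }
    }
    if ($Integrity) {
        [pscustomobject]@{ Check = "integrity $Integrity"; Actual = $State.Integrity; Ok = ($State.Integrity -eq $Integrity) }
    }
}

# Hypothetical rule: grants SeBackupPrivilege, denies SeDebugPrivilege, runs the process at High.
$state = Get-TokenState
Compare-TokenToRule -State $state -Grant 'SeBackupPrivilege' -Deny 'SeDebugPrivilege' -Integrity 'High' |
    Format-Table -AutoSize
```

A granted privilege is usually reported as Disabled until the program enables it with AdjustTokenPrivileges, so presence in the list, not the Enabled state, is what confirms the grant; a denied privilege is removed from the token and does not appear at all. Compare the output with the same script run from a normally launched copy of the application to see exactly what the rule changed.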
© 2025 One Identity LLC. ALL RIGHTS RESERVED.