
Safeguard Privilege Manager for Windows 4.3 - Administrator Guide


Installing Privilege Manager

To complete the Privilege Manager installation, you will need to install the console, configure the server, and install the client. Then you can start using Privilege Manager based on your Windows rights within the Group Policy Management Console. If you do not have enough rights on an object, a message will tell you that access is denied.

System requirements

Please refer to the Privilege Manager for Windows Quick Start Guide for the list of System Requirements.

IMPORTANT: The security status of the installation file can become "blocked" after download, inhibiting the ability of the product to be properly installed. Please see KB 262298 for information on detecting and resolving this issue.
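The following PowerShell is an added example, not taken from this guide or from KB 262298. It assumes the "blocked" status is the standard Windows Zone.Identifier mark on downloaded files and that the installer is Authenticode-signed; the function names and the path in the usage comment are placeholders. It reports whether the file is blocked and clears the mark only after the signature validates.

```powershell
# Added example (not vendor code). Function names and paths are hypothetical.

function Test-DownloadBlocked {
    param([Parameter(Mandatory)][string]$Path)

    # Windows records the download zone in an NTFS alternate data stream
    # named Zone.Identifier. No stream means the file is not blocked.
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; Blocked = $false; ZoneId = $null }
    }

    $zoneId = $null
    foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }

    # ZoneId 3 (Internet) and 4 (Restricted sites) are the zones Windows blocks.
    [pscustomobject]@{ Path = $Path; Blocked = ($zoneId -ge 3); ZoneId = $zoneId }
}

function Unblock-VerifiedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    # Check the publisher signature before removing the mark, so an altered
    # or unsigned download is never unblocked.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to unblock '$Path': signature status is $($sig.Status)."
    }
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

    Unblock-File -LiteralPath $Path
    Test-DownloadBlocked -Path $Path   # Blocked should now be False
}

# Usage (placeholder path):
#   Test-DownloadBlocked      -Path 'C:\Temp\<installer file>'
#   Unblock-VerifiedInstaller -Path 'C:\Temp\<installer file>'
```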

Installing the console

The console must be installed on a computer that is joined to the domain and run under a user account that has the rights to change at least one GPO. The console displays GPOs based on the security context of the user that is logged on.
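To see in advance which GPOs the console account will be able to change, the check below compares GPO edit permissions against the current logon token. It is an added example, not part of the product or this guide; it assumes the GroupPolicy PowerShell module is installed and evaluates the logged-on user's own domain, and `Get-EditableGpo` is a hypothetical name.

```powershell
# Added example (not vendor code): list GPOs the current account can edit.
# Assumes the GroupPolicy module (installed with Group Policy Management).
Import-Module GroupPolicy

function Get-EditableGpo {
    # SIDs carried by the caller's token: the user plus all of its groups,
    # including nested ones. In a non-elevated session some groups are
    # deny-only, so run this in the same context the console will use.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids   = @($identity.User.Value) +
                @($identity.Groups | ForEach-Object { $_.Value })

    # Permission levels that allow changing GPO settings.
    $editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        $grants = @(Get-GPPermission -Guid $gpo.Id -All | Where-Object {
            -not $_.Denied -and
            $editRights -contains $_.Permission.ToString() -and
            $mySids -contains $_.Trustee.Sid.Value
        })

        if ($grants.Count -gt 0) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                GrantedVia = ($grants | ForEach-Object { $_.Trustee.Name } |
                              Sort-Object -Unique) -join ', '
            }
        }
    }
}

# An empty result means the account cannot change any GPO in this domain.
Get-EditableGpo | Format-Table -AutoSize
```

The GrantedVia column shows which group membership confers the edit right, which helps when scoping the console account to only the GPOs it needs.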

Using the console Windows Installer file

Please refer to the Privilege Manager for Windows Quick Start Guide for instructions on using the console Windows Installer file.

Opening the console

To start the Privilege Manager console on the host:

  1. Go to Start > All Programs > Quest > Privilege Manager > Privilege Manager, or

  2. Select the Privilege Manager shortcut icon on the Start menu.

Applying a license

You can apply a license at initial start-up or later. If you do not apply one and your trial has expired, you will only be able to access the Community edition.

To apply a license when you start the console for the first time:

  1. A window will display asking you to apply a license.
  2. Click Yes if you are going to apply a Privilege Manager Professional or Professional Evaluation license. Browse to the license file and click Open.

    Or,

  3. Click No to access the Privilege Manager Community Edition that does not require a license.

To apply a license in the console after initial start-up:

  1. Click Help > About in the menu.

  2. Click the Licenses tab.
  3. Click the Apply License File button.
  4. Highlight the product name and click the Update License button.
  5. Browse to the license file and click Open and then OK.
  6. If you are upgrading, you may need to follow the additional steps detailed in the Upgrading section.

Viewing GPOs

To view the GPOs that you have access to:

  1. Switch from the Setup Tasks > Getting Started window to the Group Policy Settings > All GPOs window.
  2. The GPOs you have access to are displayed.

Note: If you do not see the domain tree when the Group Policy Settings section is selected, check that the default domain is selected in the Setup Tasks > Select Target Domains window.

Selecting target domains

The Privilege Manager console is initially configured to allow you to manage the privilege elevation settings for the domain to which the local computer belongs. In addition, the console also allows you to manage other domains in your forest.

For Windows Privilege Manager to work across multiple domains within a single forest, the appropriate domain permissions must be configured and an Enterprise Admin Active Directory account must be used with the Privilege Manager console.

NOTE: The recommendation for multiple domains in a single forest is for each domain within the forest to host a completely separate installation of Privilege Manager.

To customize the number of your forest’s domains available in the Group Policy Settings pane:

  1. In the Getting Started section of the navigation pane, select Setup Tasks and then click Select Target Domains in the right pane.

  2. In the window that opens, check or uncheck the domain names as desired.

  3. (Optional) Click the Select DC button to open the Select Domain Controller dialog. Specify the exact domain controller that the console will communicate with.

    The list of the domains and GPOs will change accordingly.

    Note: You can create the GPO rules only on a domain where you have write permissions for the GPOs.

Configuring the server

Available only in Privilege Manager Professional and Professional Evaluation editions.

After installing the console, a server must be configured. Configuring the server will set up the back-end services needed to automatically deploy the client, as well as enable reporting, discovery and remediation.

Using the Server Configuration Wizard

Please refer to the Privilege Manager for Windows Quick Start Guide for instructions on using the Server Configuration Wizard.

Modifying the server

You must configure the settings for the server on the console where it was installed. However, any administrator with the rights to a specific GPO can update its data collection settings. Also, the administrator running the console can view reports of data collected by any server by selecting Browse and the preferred server from the Privilege Manager Server Configuration screen (under Setup Tasks > Configure a Server).

If you need to change the reporting database settings, i.e., connect to another instance, modify the authentication parameters, or set up a new data collection service:

  1. Use the Privilege Manager Server Configuration screen to remove the server.
  2. Restart the wizard to reinstall the service and set the SQL database settings.

Removing the server

If you do not want to use a server, you can clear its settings and/or remove it from a host computer:

  1. Open the Privilege Manager Server Configuration screen (under Setup Tasks > Configure a Server).
  2. Select Clear the server name to clear the settings which the console uses to connect to reporting information. The locally running server will not be stopped or disabled. This will not uninstall the server.
  3. Click Remove the Privilege Manager Server from this computer to uninstall the server from the local computer. When you remove the server:
    1. You will stop the web data collection service;
    2. The shared folder with the client file will not be shared anymore; and
    3. The database will not receive data sent by the corresponding clients until a new server is installed, provided that it is installed within the network timeout parameters.

To remove a server running remotely:

  1. Connect to the computer that hosts the server.
  2. Remove the server via the Privilege Manager Server Configuration screen.

Note: If a domain administrator or the administrator of a nested organizational unit (OU) uninstalls the server, they may render the reporting function unavailable on other console computers or computers downstream from the parent OU. Also, if you have reinstalled the server, reports will generate starting from the last installation.
