Chat now with support
Chat with Support

Safeguard Privilege Manager for Windows 4.5 - Administration Guide

About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program

Processing discovered privileged applications


Once a privileged process starts (or failed to start) on a client computer, the corresponding information is sent to the Server and displayed in the Privileged Application Discovery section of the Console (provided that your environment is properly configured according to the Maximum Sleep Time setting).

You can only view data stored in the database of the server that is selected in the Server configuration (under Setup Tasks > Configure a Server).

When processing a discovered privileged application, you can either create a rule for it so that a user without elevated privileges can launch it, or choose to mark it as processed so that it will not display in the list (unless the filter is specifically set to display it).

Use the Generate Rules wizard to automatically create a number of rules for different types of applications in one pass. Rules are created based on the preferences with which the application was started. You can select an application and view its preferences in the Privileged Applications Discovered grid.

Using the Generate Rules Wizard

To view discovered privileged applications and generate rules for them

  1. Open the Privileged Application Discovery section from the navigation pane of the Console. The applications are displayed in the window on the right.

  2. Click Display applications to list the privileged applications and other processes that are started (or failed to start), based on the default filter settings shown in the Applied Filters section on the top of the screen.

  3. Select an application in the Privileged Applications Discovery grid below. Use the grid's column headers to sort the applications.

    By default, the following information appears:

    • Any type of privileged applications

    • Privileged applications that were discovered during the last 30 days

    • Privileged applications that have no generated rule in the current section, or are marked as ignored

  4. Use the Applied Filters wizard to modify the list. You can create multiple shared filter sets and save settings that other administrators can use. For more information, see Using the Applied Filters Wizard.

  5. Select a record and then click Generate rules to open the Generate Rules Wizard.

  6. On the first tab of the wizard, specify your rule type preferences. Click Next.

  7. Add Validation Logic preferences into the rule, if necessary. The selected preferences will be used to create the corresponding Validation Logic type. Click Next.

  8. Review your rules and click Next, or

    1. Click the Review rules that will be created button to open a window with more information.

    2. Click Details for more information, or click Close.

  9. Select a target GPO for the rule and specify the GPO policy type. By default, the Administrators group (stored in the BUILTIN\Administrators Active Directory OU) is added to the rule. Click Create to save the rule.

  10. Once a discovered privileged application is processed and a rule is created for it, or it has been marked as ignored, the application is considered processed.

  11. To view ignored applications or applications for which the rules are created, change the Process Date of Item filter on the Applied Filters Wizard from None: Item has not been processed to the corresponding Date Range.

  12. The rule created from the application is added to the selected GPO with a default name.

  13. Select Export to export the list of applications presented on the grid. The list is saved as an .xls file.

After the rule has been created

  • The rule is added to the target GPO of the Group Policy Settings section.

  • The rule applies after the GPO settings are updated on the client computer.

Deploying rules


Safeguard Privilege Manager for Windows can create Privilege Elevation Rules and Blacklisting Rules. Privilege Elevation rules are rules that raise the permissions level of the user for an application. Blacklisting rules deny a user access to an application, regardless of what their default domain user permissions allows.

Creating rules

You can create five types of rules with Safeguard Privilege Manager for Windows:

  • Available in all editions of Safeguard Privilege Manager for Windows:

    By Path to the Executable: a file rule that applies to the path to an executable. For more information, see Creating file rules.

    By Folder Path: a folder path rule that applies to all processes run from a path. For more information, see Creating folder path rules.

    Ÿ By ActiveX Rule: an ActiveX rule that applies to a specific URL. For more information, see Creating ActiveX rules.

  • Available only in Safeguard Privilege Manager for Windows Professional and Safeguard Privilege Manager for Windows Professional Evaluation editions:

    By Path to Windows Installer: a rule that applies to the path to Windows Installer files and patches. For more information, see Creating rules for Windows Installer files.

    By Path to Script File: a rule that applies to the path to a script file. For more information, see Creating rules for script files.

You can create a rule in one of the following ways:
  • Create a default rule using the Create GPO with Default Rules Wizard.

  • Create a new rule using the Group Policy Management Editor or the Create Rule Wizard.

Once you create a rule, you can:
  • Test the rule. For more information, see Testing rules.

  • Edit or delete the rule. For more information, see Managing rules.

  • Build a report to view the rule's settings, save them into a file, and get statistics on the rule’s usage. For more information, see Reporting.

Using the Create GPO with Default Rules Wizard (Privilege Elevation Rules only)

Safeguard Privilege Manager for Windows contains a range of useful default rules that you can add to a new or existing GPO. To create the default rules provided by the product, use the Create GPO with Default Rules Wizard. To access the wizard from the Getting Started screen, navigate to the Setup Tasks tab and then double- click Create GPO with default rules.

NOTE: Rules created with this process are Privilege Elevation rules only. You cannot create deny list rules here.

To use the Create GPO with Default Rules Wizard

  1. Double-click Create GPO with default rules to open the wizard.

  2. Review the text in the Introduction dialog and click Next.

  3. In the Select privilege elevation rules dialog, select your operating system from the drop-down menu and select the corresponding rules from a list of common ones. Click Next.

  4. In the Select target GPO dialog, select or create a GPO to assign the rule to complete one of the following steps:

    • Select a GPO from the list under the domain that your local computer is a part of.

    • Select a domain, click Create GPO, name it, and click OK. The newly created GPO is added to the All GPOs list in the Group Policy Objects container.

    • Link any GPO not marked with the icon to your domain or Active Directory OU.

  5. Highlight the GPO in the left pane and click the Link GPO button on the right to link the GPO to the domain or an OU.

  6. Browse for an OU or add the GPO to the domain in the dialog that appears.

  7. Click OK.

  8. Once the rule is created, its icon changes to to indicate that it contains a rule and it is listed in the GPOs with Policy Settings node.

    NOTE: You can only link a GPO to an item for which you have sufficient rights. For more information, see Select user policy or computer policy:.

    • To save and apply the rule, click Finish. If you did not specify the required data, the wizard notifies you.

  9. An error message will notify you if you have insufficient permissions to perform any of the operations listed above.

    • You must have permission to perform the same actions in the GPMC.

    • Contact your system administrator to get the proper permissions.

  10. The displays in the list of rules for the corresponding GPO under the Group Policy Settings section.

  11. The rule is applied once the Group Policy is updated on the client computer.

  12. A message notifies you that the rule’s parameters change when the trial period expires, if you create a rule with any of the Privilege Manager Professional features while using the evaluation edition. For more information, see Editions.

  13. Modify the rule, as necessary. For more information, see Managing rules.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating