立即与支持人员聊天
与支持团队交流

Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

About this guide What is Privilege Manager? Installing Privilege Manager Configuring client data collection Configuring instant elevation Configuring self-service elevation Configuring temporary session elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI Customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program

Configuring instant elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

To grant on-demand administrative privileges to a group of trusted users and audit their actions, use the Instant Elevation Wizard.

Note: In some cases, Instant Elevation and Blacklisting rules could be configured for the same target application. In this case, Blacklisting takes precedence over Instant Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

Using the Instant Elevation Wizard

Before you configure Instant Elevation settings, ensure the following components are set up:

  1. The Client is running on the computers you want to apply the settings to;
  2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and
  3. Client data collection settings are enabled for the selected GPO.

To use the Instant Elevation Wizard to set up, modify, or discard privileges:

  1. Open the wizard by completing one of the following steps:
    • Open the Instant Elevation Wizard from the Setup Tasks section. It will always show the default settings.
    • Double-click Instant Elevation Settings on the Advanced Policy Settings tab of the target GPO. The changes made within the wizard are saved here.
  1. Enable the Instant Elevation Settings on the State tab.
  • Choose Enabled, to ensure the settings apply to the selected GPO.
  • Choose Not Configured, to enable child GPOs to inherit settings from their parent.
  1. Use the Groups tab to alter the settings. By default, users of the target GPO automatically inherit the administrator's settings (BUILTIN\Administrators).
  2. Complete the advanced options in the Privileges and Integrity tabs.

  1. Click Next to use Validation Logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO is not selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.

  1. Click Save on the GPO toolbar to save the new settings.

  1. Users can click the Elevate! button to launch privileged applications without interruptions. The button is available on the context menu of Windows Explorer objects that require elevated privileges to start up, including: .bat, .cmd, .exe, .js, .lnk, .msc, .msi, .msp, .pl, .ps1 or .vbs (.lnk is for shortcuts).

  1. Run an Instant Elevation Report to view the processes that are launched. For more information, see Instant Elevation Report.

Configuring self-service elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

To enable users to request permissions to use privileged applications, use the Self-Service Elevation Request Settings Wizard. Whenever a user attempts to run an application which requires administrative permissions for which they do not have rights, they are asked if they would like to send a request to their administrator for permission to run it.

You can select how users access the request form and set up Self-Service notifications to email you, the help desk, and your manager of each request. Then, you can process the request within the Self-Service Elevation Requests section of the Console and email your decision to the user, using the Console Email Configuration screen.

Note: In some cases, Self-Service Elevation and Blacklist rules could be configured for the same target application. In this case, Blacklisting takes precedence over Instant Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

Using the Self-Service Elevation Request Settings Wizard

Before you configure Self-Service Elevation request settings, ensure the following components are set up:

  1. The Client is running on the computers you want to apply the settings to;
  2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and
  3. Client data collection settings are enabled for the selected GPO.

To use the Self-Service Elevation Request Settings Wizard to set up, modify, or discard privileges:

  1. Open the wizard by completing one of the following steps:
    • Open the Self-Service Elevation Request Settings Wizard from the Setup Tasks section. This section always show the default settings.
    • On the Advanced Policy Settings tab of the target GPO, double-click Self-Service Elevation Request Settings . The changes made within the wizard are saved here.
  1. Enable the Self-Service Elevation Request Settings on the State tab.
  • Choose Enabled, to ensure the settings apply to the selected GPO.
  • Choose Not Configured, to enable child GPOs to inherit settings from their parent.
  1. Use the Settings tab for Selecting how users access the request form.

  2. Click Next to use Validation Logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO is not selected:

    1. Click OK to close the message window.
    2. Open the GPO tab and select the desired GPO.

  3. Click Next to use the Filters tab to filter out Self-Service Request data according to different application specific criteria.

    On the Filters tab, select the check box to enable application filters.

    Enter filter criteria in one or more of the available boxes (Executable path contains, Product name contains, Publisher name contains, and File description contains).

    NOTE: The Publisher name contains field looks at the Publisher or Company Name attribute.

    An application only needs to meet a single filter criteria in order for its Self-Service Request data to be filtered out. A comma delimiter can be used to enter multiple criteria in each filter box.

    NOTE: The Privilege Manager Client does not transmit any Self-Service Request data for any application that meets at least one of the existing filter criteria.

  4. Click Save on the GPO toolbar to save the new settings.

Selecting how users access the request form

Use the Settings tab of the Self-Service Elevation Request Settings Wizard to select how end users access the request form and set up email confirmation and notification settings. You can combine the following options:

OPTION ACTION

Automatically ask users if they would like to request that a privilege elevation rule be created whenever they attempt to launch applications which require privilege elevation to run

This option is enabled by default.

Once a user closes the User Account Control (UAC) window, a Self-Service Elevation Request Prompt will display.

Note: Not all applications which display UAC windows will automatically pop up a Self-Service Elevation Request Form. You can allow the user to manually submit Self-Service requests by enabling the Add a Windows explorer shell option described below. Windows Installer files (.msi)do not automatically trigger Self-Service Prompts, so the Self-Service Elevation Request Form must be manually triggered by users.

Allow users to hide or disable these prompts

This option is enabled by default.

  • Users can select whether the request form displays in the future by checking the In the future, don't show me this when I try to run applications that need approval check box.
  • A user on a client computer can re-enable/disable the prompt using the Display Self-Service Prompts icon on the context menu of the system tray.

Note: This setting does not affect the Self-Service Elevation Request Form launched with the Elevate! button. It only affects the request forms displayed automatically.

Add a Windows explorer shell extension allowing the user to right-click on a program or shortcut in order to request that a privilege elevation rule be created for that program

This option is enabled by default.

  • Users can click the Elevate! button to launch privileged applications without interruptions. The button is available on the context menu of Windows Explorer objects that require elevated privileges to start up, including: .bat, .cmd, .exe, .js, .lnk, .msc, .msi, .msp, .pl, .ps1 or .vbs (.lnk is for shortcuts).

  • Users can click the Elevate! button to launch the Self-Service Elevation Request Form or Instant Elevation, if it is enabled.

Allow user to specify the email address where a confirmation email should be sent once the administrator has processed the request for the privilege elevation rule.

(If this option is not checked, the email will be sent to the user's Exchange account as found in Active Directory.)

This option is disabled by default.

The user can enter an email address into the corresponding text field.

By default, the field is pre-populated with the email address of the user who is logged in (provided that it is specified in Active Directory).

Send an email notification to the administrator whenever a user submits a Self-Service Elevation Request

This option is disabled by default.

Enter the Email Address for the administrator and/or the help desk or other recipients. Use the + button to add entries and the x button to remove them.

By default, the Email Subject is pre-populated with Privilege Manager Self-Service Elevation Request as the subject line. You can enter your own subject and press the Reset button to reset it to the default.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级