Once a rule is created, you can change its settings, delete it, import it, or export it.
To delete, modify, or share a rule:
To use the Edit Rule Wizard to configure a rule:
More information for managing rules:
Once rules are created for a GPO, they can be exported to share them, to copy them to another GPO, or to keep a backup.
To export rules:
To import rules:
You can test a rule to ensure that the settings you specified map to a process on a local or remote computer. You can test all types of rules, except ActiveX.
Before you test a rule, ensure the following components are set up:
- Windows Management Instrumentation (WMI): dllhost.exe
- Host process for Windows services: svchost.exe for 32-bit OS and %SystemRoot%\SysWOW64\svchost.exe for 64-bit OS.
To test a rule:
Select whether to test the rule on a local or remote computer.
A test window appears and the test starts. The window displays the initial conditions necessary for the rule to run and presents its status in the Test Progress section, testing if:
The rule exists on the client side and on the domain.
The last step in preparing your environment for least privileged use is to remove administrative access from users who no longer require it.
Use the Windows utility Active Directory Users and Computers, installed on Windows Server operating systems such as Windows 2008, to scrub the Domain Administrators group of users that should no longer be given administrative rights to every computer in the domain. Select Domain Admins Properties > Members tab > Remove.
Available only in Privilege Manager Professional and Professional Evaluation editions.
Under the Discovery & Remediation tab on the Console, select the Users with Local Admin Rights screen to discover which domain users have been assigned to the local Administrators group on client computers and remove them.
Before you begin, check the following on each target computer:
To remove domain users from the local Administrators group on computers on your domain:
If the Windows Management Instrumentation exception is not enabled, the Class and OS columns will display the Unavailable value.
Click the Discover Accounts in local Administrator groups button to discover users and domain groups with local administrator rights. By default, the search results include only domain users and domain groups. You can optionally include local and built-in users as well (for informational purposes only).
In the window that opens, specify whether to search for local Administrator groups, users, or both.
Check the Only display domain accounts discovered in the results list option to restrict the search to Domain accounts only. Clear the option to include local accounts from the Administrators group on client machines.
A window displays your progress as the list builds.
If an error occurs, it will display in the Errors section with a description. The Unable to open log file... notification signifies that no users in the local Administrators group have been detected.
The list of discovered users will display in the User Accounts Discovered in Local Administrators Groups section.
Click the Exclude selected entries from list link to remove users from this list.
From the remaining list, select the users whose local administrator rights you want to revoke.
Click the Remove all selected users from local Administrators groups button.
In the window that opens, click Yes to confirm that you want to remove the users or groups.
A window displays your progress as the users are removed.
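To cross-check the result of the discovery and removal procedure above from outside the Console, the following added example (not part of Privilege Manager or its documentation) lists the members of the local Administrators group on a set of computers and keeps only domain accounts. It assumes PowerShell remoting (WinRM) is enabled on the targets and that they run Windows PowerShell 5.1 or later; the function name `Get-DomainLocalAdmin` and the host names are hypothetical placeholders.

```powershell
# Added example: independent audit of local Administrators membership.
# Get-DomainLocalAdmin is a hypothetical helper name, not a Privilege Manager cmdlet.
function Get-DomainLocalAdmin {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        try {
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                # S-1-5-32-544 is the well-known SID of the built-in Administrators
                # group, so the lookup works even when the group name is localized.
                Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                    ForEach-Object {
                        [pscustomobject]@{
                            Name        = $_.Name
                            ObjectClass = $_.ObjectClass
                            # Convert to strings before they cross the remoting boundary.
                            Source      = [string]$_.PrincipalSource
                            Sid         = $_.SID.Value
                        }
                    }
            }

            # Keep domain users and domain groups only, mirroring the Console's
            # "Only display domain accounts" option.
            $members |
                Where-Object { $_.Source -eq 'ActiveDirectory' } |
                Select-Object @{ Name = 'Computer'; Expression = { $computer } },
                              Name, ObjectClass, Sid
        }
        catch {
            # Unreachable host, blocked WinRM, or a failed group enumeration:
            # report it instead of silently treating the host as clean.
            [pscustomobject]@{
                Computer    = $computer
                Name        = "ERROR: $($_.Exception.Message)"
                ObjectClass = $null
                Sid         = $null
            }
        }
    }
}

# Constructed host names; replace with computers from your own domain.
Get-DomainLocalAdmin -ComputerName 'CLIENT01', 'CLIENT02' |
    Sort-Object Computer, Name |
    Format-Table -AutoSize
```

Any domain user still listed after the removal step, other than accounts you deliberately excluded, indicates a computer where the change did not take effect.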
Complete the following steps:
Congratulations! You are now running in a least privileged use environment.
Reporting is available only within the Professional edition; once a trial license expires, data is no longer collected and reports are no longer generated.
You can build five types of reports on activities from client computers:
Advanced Policy Settings Report: Lists Advanced Policy Settings, except those set to the Not Configured option.
In addition to these out-of-the-box reports, you can create custom reports using third-party tools to query the SQL-based Privilege Manager for Windows reporting database. Use this database schema to create your own custom reports or data analysis:
A PAReporting database is created when you set up the server and is configured to work with the ScriptLogic PA Reporting Service, the data collection web service running on a Console host.
Before you generate reports, ensure the following components are set up:
© 2024 One Identity LLC. ALL RIGHTS RESERVED.