
Safeguard Privilege Manager for Windows 4.5 - Administration Guide


Viewing GPOs

To view the GPOs that you have access to

  1. Open the Safeguard Privilege Manager for Windows Console.

  2. Switch from the Setup Tasks > Getting Started window to the Group Policy Settings > All GPOs window.

NOTE: If you do not see the domain tree when the Group Policy Settings section is selected, check that the default domain is selected in the Setup Tasks > Select Target Domains window.

Selecting target domains

Safeguard Privilege Manager for Windows is initially configured to let you manage the privilege elevation settings for the domain to which the local computer belongs. The Console also allows you to manage other domains in your forest.

For Safeguard Privilege Manager for Windows to work across multiple domains within a single forest, the appropriate domain permissions must be configured and an Enterprise Admin Active Directory account must be used with the Safeguard Privilege Manager for Windows Console. The Windows user account must include the following:

  • SQL Server System Administrators role

  • db_owner access to the master database

  • db_owner access to the PAReporting database (required for upgrades)

    For complete information about the database space requirements, see Database Planning.

    NOTE: The recommendation for multiple domains in a single forest is for each domain within the forest to host a completely separate installation of Safeguard Privilege Manager for Windows.

To customize the number of your forest’s domains available in the Group Policy Settings pane

  1. In the Getting Started section of the navigation pane, select Setup Tasks and then click Select Target Domains in the right pane.

  2. In the window that appears, specify the domain names, as applicable.

  3. (Optional) Click Select DC to open the Select Domain Controller dialog. Specify the exact domain controller that the Console will communicate with.

    The list of domains and GPOs changes accordingly.

    NOTE: You can create the GPO rules only on a domain where you have write permissions for the GPOs.

Installing a second Console

To manage Safeguard Privilege Manager for Windows Group Policies (GPOs) from a Microsoft Windows 10 machine that does not host the Safeguard Privilege Manager for Windows Console or Server, install a second Safeguard Privilege Manager for Windows Console instance.

NOTE: There is no GPO locking mechanism, so ensure that the same GPO is not edited at the same time from different Consoles. Changes can be lost when multiple saves occur.

Requirements

To install a second Console, you must meet the following requirements:

  • Use the same license as the first Console.

  • Use the same version of the PM Console as the first Console.

  • Permissions: The user running the remote Console must be a member of the super user group specified during the setup of the first Safeguard Privilege Manager for Windows Console or Server. The user must also have permissions to edit GPOs.

To install a second Console

  1. Install the second Console on another machine.

  2. Apply the same license that is used on the first Console.

  3. Open the Console and go to Setup Tasks > Configure a server.

  4. Click Browse to choose an existing Safeguard Privilege Manager for Windows Server. In the box at the bottom, type the name of the Server.

  5. To close the dialog, click OK, and then click Test to ensure a successful connection.

  6. Click OK to finish.

  7. (Optional) If using Temporary Session Elevation passcodes:

    1. On the original Safeguard Privilege Manager for Windows Server, locate and copy this file: C:\Program Files (x86)\One Identity\Safeguard Privilege Manager for Windows\Console\pmtse.ske.

    2. On the second Console, locate the same file in the same location.

    3. Rename it to pmtse.ske.old.

    4. Copy the pmtse.ske file from the original Safeguard Privilege Manager for Windows Server to the second Console.

    5. Close and re-open the second Console.
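Steps 7.1 through 7.4 as a script, run on the second Console machine with the Console closed. This is an added example, not part of the product documentation; it assumes the original Server's C: drive is reachable over the C$ administrative share, and the server name is a placeholder you supply.

```powershell
# Added example: replace pmtse.ske on the second Console with the copy from
# the original Server, keeping the local file as pmtse.ske.old and checking
# that the copied file is byte-identical to the source.
param(
    # Name of the original Server (placeholder, e.g. PMSERVER01)
    [Parameter(Mandatory)] [string] $SourceServer
)

$ErrorActionPreference = 'Stop'

# File path as given in step 7.1
$relPath   = 'Program Files (x86)\One Identity\Safeguard Privilege Manager for Windows\Console\pmtse.ske'
$localFile = Join-Path 'C:\' $relPath
# Assumption: the file is read over the C$ administrative share
$remote    = "\\$SourceServer\C`$\$relPath"

if (-not (Test-Path -LiteralPath $remote)) {
    throw "Source file not found: $remote"
}

# Hash the source first so the copy can be verified afterwards
$srcHash = (Get-FileHash -LiteralPath $remote -Algorithm SHA256).Hash

# Steps 7.2 and 7.3: keep the second Console's own file as pmtse.ske.old
if (Test-Path -LiteralPath $localFile) {
    $old = "$localFile.old"
    if (Test-Path -LiteralPath $old) {
        throw "$old already exists; move it aside before running again."
    }
    Rename-Item -LiteralPath $localFile -NewName 'pmtse.ske.old'
}

# Step 7.4: copy the file from the original Server
Copy-Item -LiteralPath $remote -Destination $localFile

# Confirm the local file matches the source before re-opening the Console
$dstHash = (Get-FileHash -LiteralPath $localFile -Algorithm SHA256).Hash
if ($dstHash -ne $srcHash) {
    throw "Hash mismatch after copy; restore pmtse.ske.old and retry."
}
Write-Output "pmtse.ske replaced and verified against $SourceServer."
```

After the script reports success, close and re-open the second Console as in step 7.5.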

Configuring the Server

Detailed information about this topic

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

After installing the Console, a Server must be configured. Configuring the Server sets up the back-end services needed to automatically deploy the Client, as well as enable reporting, discovery and remediation.
