立即与支持人员聊天
与支持团队交流

Safeguard Privilege Manager for Windows 4.7 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Upgrading

Privilege Manager components are only compatible with other components of the same version. Upgrading ensures that all of the GPO rules and reporting configurations you created with earlier versions will still be available.

To upgrade prior versions

  1. Run the Privilege Manager setup file (PAConsole_Pro.msi) and follow the Privilege Manager Console Windows Installer.

    1. If the Some files that need to be updated are currently in use message appears, click OK.

    2. Once you complete the upgrade, exit the installer.

  2. Open the Console and if necessary, apply a license. For more information, see Opening the Console and Applying a license.

  3. If an error message notifies you that the ScriptLogic PA Reporting Service has the wrong manual startup type, complete one of the following steps:

    • Go to the Windows Services Console and set the ScriptLogic PA Reporting Service to start automatically.

    • To reset the service to start automatically, click OK in the message window. If the restart fails, click NO, then restart the Safeguard Privilege Manager for Windows Console.

    NOTE: The automatic Server upgrade may be unavailable if the ScriptLogic PA Reporting Service is not running.

  4. If the Console detects that the Server component is installed on a remote computer, it instruct you to launch it on the remote computer.

  5. If a message prompts you to upgrade your Server and database (installed locally with the reporting functionality of some prior Privilege Manager versions):

    1. Click OK and follow the Privilege Manager Server Configuration Wizard to complete the following steps:

      1. Install missing SQL Server components from the Internet.

      2. Back up your database.

      3. Configure a shared folder for client mass deployment.

    2. Click Finish to save the results and exit the wizard.

    3. If a message displays indicating that the Privilege Manager Host Service that needs to be updated is currently in use, click OK to ignore the message.

    4. To upgrade later, open the Privilege Manager Server Configuration Wizard and confirm that you are running the upgrade process before you configure the Server.

    5. Until you have upgraded the Server and database, you will have problems installing the Server locally.

    6. For more information, see Configuring the Server.

  6. Re-configure your Client data collection settings, if necessary.

    1. Select a GPO from the Group Policy Settings section.

    2. Switch to the Advanced Policy Settings tab.

    3. Double-click Client Data Collection Settings to configure settings using the Client Data Collection Settings Wizard. For more information, see Configuring Client data collection.

  7. After you upgrade, By Digital Certificate rules will be saved as By Path to the Executable rules.

  8. To upgrade Clients, install the newer version over the older one. For more information, see Installing the Client.

To upgrade Safeguard Privilege Manager for Windows to version 4.7

  1. Enter your password for the database.

  2. Open Safeguard Privilege Manager for Windows once the installation is complete.

  3. Follow the on-screen help to finish upgrading the product.

  4. If you are not prompted with the on-screen help:

    1. Open Safeguard Privilege Manager for Windows.

    2. Navigate to Configure a Server > Setup.

    3. Click Next.

    4. Choose Existing SQL Server Instance.

    5. Enter your password, click OK.

    6. Select the /PAREPORTING Instance Name option.

    7. Continue the installation according to the previous procedure on upgrading prior versions.

Uninstalling

You must have administrative privileges to uninstall the Console and Client from a local computer.

To uninstall Privilege Manager components

  1. Use the Windows Control Panel tool. The uninstaller completely removes all of the data.

  2. Once Privilege Manager for Windows is removed, its rules no longer apply.

For more information, see Removing the Server.

Repair

Safeguard Privilege Manager for Windows does not support repairing through the .msi installer.

To repair Safeguard Privilege Manager for Windows, reinstall the product.

For more information, see Installing Safeguard Privilege Manager for Windows.

NOTE: To ensure you can successfully reinstall the product later, uninstall it by following the steps of Uninstalling.

Configuring Self-Service Elevation

Detailed information about this topic

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

To enable users to request permissions to use privileged applications, use the Self-Service Elevation Request Settings Wizard. Whenever a user attempts to run an application which requires administrative permissions for which they do not have rights, they are asked if they would like to send a request to their administrator for permission to run it.

You can select how users access the request form and set up Self-Service notifications to email you, the help desk, and your manager of each request. Then, you can process the request within the Self-Service Elevation Requests section of the Console and email your decision to the user, using the Console Email Configuration screen.

NOTE: In some cases, Self-Service Elevation and Blacklist rules could be configured for the same target application. In this case, Blacklisting takes precedence over Instant Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

Troubleshooting

This section provides workaround information for issues you may encounter during installation.

Server configuration gets stuck

On rare occasions, server configuration gets stuck when installing prerequisites (CRL Types and Shared Management Objects).

Figure 1: Stuck prerequisite installation during server configuration

Workaround

  1. In Windows, open Control Panel > Programs > Programs and Features.

  2. Check if the CRL Types and Shared Management Objects dependencies are installed.

    • If both dependencies are installed, restart the computer, and run server configuration again.

    • If any of these dependencies are not installed, check if their installers are available in the following location:

      %ProgramData%\One Identity\Safeguard Privilege Manager for Windows\Downloads

      If the installers are available in the specified location, install them manually from there, then restart the computer, and run server configuration again.

    • If any of the dependency installers are missing from the above location, install them manually as described in the Offline installation section of the Safeguard Privilege Manager for Windows Administration Guide.

Error code 2356

If you encounter error code 2356 during installation, or the server configuration gets stuck while installing the prerequisites (CLR Types and Shared Management Objects), the Windows Installer service can end up in an incorrect state.

Workaround

  1. Close any in-progress installation.

  2. Open the Windows Task Manager.

  3. Search for the Windows Installer service under the Services tab (msiserver).

  4. Stop the service.

  5. Run the installer/process again.

Potential startup delay on Windows 10

If Data Collection is enabled, Safeguard Privilege Manager for Windows may start up with a delay on Windows 10 workstations, stuck on a please wait... screen for an extended period of time. This can occur if the workstation cannot resolve the DNS name of the configured Data Collection server.

Workaround

To solve the issue, replace the configured Data Collection server name with the IP address of the Data Collection server.

SQL Server 2014 Express installation fails

Occasionally, Safeguard Privilege Manager for Windows may fail to install SQL Server 2014 Express.

Workaround

  1. If possible, use a remote database instead of a local SQL Server installation.

  2. If using a remote database is not feasible, try to install SQL Server 2014 manually.

  3. If the issue still persists, contact our Support Team. Make sure you provide the SQL Server 2014 installation logs for One Identity Support from the following location:

    %ProgramFiles%\Microsoft SQL Server\120\SetupBootstrap\Log

Match rule failure for certain processes

If a process is running from a Universal Naming Convention (UNC) or mapped drive, rules that specify the file version, file hash, product code, or publisher might fail to match the process. This can happen if the security permissions set on the network resource prevent the computer account on which the Safeguard Privilege Manager for Windows Client is running to access it.

Workaround

In the Edit Rule Wizard, set User’s context will be used to resolve system and resource access for the rule. This setting allows the Safeguard Privilege Manager for Windows Client to access the network resource under the security context of the user running the process.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级