The Safeguard Privilege Manager for Windows Administration Guide is intended for system administrators and describes how to use Safeguard Privilege Manager for Windows. The document contains detailed instructions on how to:
Prepare your environment for least privileged use.
Maintain a least privileged environment.
Interface with Microsoft tools.
For more information on how to configure and deploy the product, and on how end users can use it, see the following resources.
For system administrators
Safeguard Privilege Manager for Windows Quick Start Guide: This document lists the system requirements of the product, and also provides instructions on how to set up the Safeguard Privilege Manager for Windows Console, Server, and Client components. The document also provides an overview of the key product features and the wizards that will help you use them.
Safeguard Privilege Manager for Windows Console: To find additional information within the Console, navigate to the Additional Resources > Getting Started tab.
For end users with Safeguard Privilege Manager for Windows Client installed on their computers
What is Safeguard Privilege Manager for Windows?
Giving users administrator rights creates security risks, but those risks must be weighed against constant help desk calls for basic operations such as updating Adobe Reader or Java, or simply changing the time zone on desktops.
Safeguard Privilege Manager for Windows lets you grant selected privileges to users so they can update their own computers, reducing help desk calls while maintaining a secure network. By automating user privilege settings, Safeguard Privilege Manager for Windows keeps users working. This allows you to focus on higher priority tasks, for exceptional resource and time savings.
As a system administrator, you can use Safeguard Privilege Manager for Windows to elevate and manage user rights quickly and precisely with validation logic targeting technology. This gives administrators the ability to create rules that allow administrator-level access to specific applications for specific users. You can also enable your end users to request elevated privileges for specific applications through Self-Service and Instant Elevation.
Safeguard Privilege Manager for Windows is available in the following editions:
Privilege Manager Community Edition: This edition is free and does not require a license. You can collaborate, brainstorm new Elevation rules, share rules with other users, and provide bug reports and enhancement requests to One Identity.
Privilege Manager Professional Edition: This edition requires a paid license and includes additional security, discovery, and reporting capabilities, as well as technical support from One Identity.
Safeguard Privilege Manager for Windows Professional Evaluation: This edition is the free 30-day trial of Safeguard Privilege Manager for Windows Professional Edition. If you do not buy a license after 30 days, the software will revert to the lesser-featured Community Edition. As such, you cannot keep the features of the Professional Edition, but you can continue using the Community Edition.
When reverting to the Community Edition, you will need to re-save all computer-based Group Policy object (GPO) rules as user-based. Computer-based rules will no longer work on the client side once the trial expires.
There are three software components included with Safeguard Privilege Manager for Windows:
The Safeguard Privilege Manager for Windows Console, installed via PAConsole_Pro.msi, is a management application. It is installed on a domain computer (server or workstation) and is used to create and manage rules within the Group Policy. Any user who has permission to edit a GPO can use the Console to set privileges.
The Safeguard Privilege Manager for Windows Server, installed through the Console, is a service which has several functions. It can deploy the Client, collect and report on data, and discover and process applications that require elevated privileges.
The Safeguard Privilege Manager for Windows Client, installed through PAClient.msi, is a service that runs on each client computer. It applies the rules created in the Console by monitoring processes as they are launched on the Client and elevating or lowering the privileges of processes that are configured to be monitored. This is done by injecting an administrative token into the process or revoking it.
Microsoft Active Directory and Group Policy are used to distribute Safeguard Privilege Manager for Windows rules to client computers.
Privilege Manager can modify privileges only for a standard user account, not a guest account. Elevated privileges can be revoked even if the user is a local admin.