Admin By Request allows you to permanently remove your users' administrator rights and instead have users request a temporary, time-limited administrator session in real time.
Windows: Users are removed from the local administrators group at logon.
Mac: Users are downgraded from admin role to user role.
The user is limited to installing software and performing trivial tasks. The user cannot change local users or tamper with the system during an administrator session. Furthermore, Admin By Request cannot be uninstalled during a temporary administrator session. This prevents the user from keeping the temporary administrator session permanently by uninstalling the product.
Windows: Admin By Request removes Domain Users from the local administrators group, along with every local or domain account that logs on interactively, unless that account is an administrator through a domain group or is the built-in administrator account. This is disabled by default on servers, but can be enabled through policies.
Mac: The user's admin role is downgraded to the user role, and during an administrator session the user is granted certain rights without getting the full privileges of an admin.
Windows: Admin By Request snapshots the administrators group when a user is granted a temporary administrator session. If the user puts a user account or domain groups into the administrators group during an administrator session,
Mac: On the Mac version, this problem does not exist in the same way, because the user is not really promoted to full administrator. During an administrator session the user can do everything except change, add or modify user accounts.
In the portal on this web site, you define rules for approval of temporary administrator sessions. You can install a custom ADMX file in your environment to control these locally. This also allows you to add granularity by having different settings for different OUs through different Group Policies. You can also add blacklisting and whitelisting of applications through Group Policies.
Using Group Policies, you can create a list of applications you never want users to run, either permanently or only during administrator sessions. You can also add legacy applications that will auto-elevate to administrator privileges on start, which is sometimes the only reason administrator privileges cannot be removed from workstations.
Admin By Request will automatically adapt to the operating system language of the user. Supported languages are English, German, Spanish, French, Danish, Swedish and Norwegian.
File logging writes to a log file when a user is granted temporary administrator access and when the session ends.
When a user requests an administrator session and you do not have auto-approval enabled, you receive an email in real time with a link to approve or deny the request. The email notification ensures that the end user will not have to wait until someone logs in to the portal and checks for administrator requests.
When a user is granted an administrator session, the session is audited to the portal, meaning start and end time, user name and a delta of installed and uninstalled applications during the session. This allows you to cross-reference the reason the user gave to be granted the session with the actual delta of applications on the machine during the administrator session.
You get a full hardware and software inventory in your cloud portal on this web site by installing Admin By Request on a machine, even if no one uses the application to request sessions.
If approval mode is enabled and a computer is without an internet connection, a PIN code can be granted to elevate offline.
The members of the administrators group are collected as part of your inventory. This allows you to catch unexpected administrator accounts across your network in a simple flat view.
On servers, when any administrator logs on, the session is audited in the same way as an approved elevated temporary administrator session. The audit of elevated sessions combined with these administrator logons gives you a complete central picture of all administrator access on your servers in real time. On a server, the request access icon will not appear, except for users who are members of a specific domain group. This allows you to put, for example, external consultants in this group. When a normal user has a remote desktop session, the icon will not appear. An administrator will see a red icon and a member of this domain group will see the request administrator access icon, just like on a workstation. Then once the external consultant is on the server, he has to request administrator access on a case-by-case basis instead of having permanent administrator rights.