Test Scenario - Temporary Elevation of Domain User Account

We are no longer updating this content regularly. Please visit our knowledge base for the most current version.

Overview

SYNERGIX AD Client Extensions software allows domain users to have elevated privileges for a specific duration (the default is 60 minutes). This is particularly useful when the user must install legacy applications or local printer drivers.

The Systems Administrators can explore the settings by launching Group Policy Management Console, selecting the GPO and expanding the node ...

+ Computer Configuration

+ Administrative Templates

+ SYNERGIX AD Client Extensions

+ Domain Users

+ Manage Domain Users Account Membership in Local Groups

 

Prerequisites

  • Supported Microsoft Windows Operating System
    • Microsoft Windows 7.0 or 
    • Microsoft Windows 8.0 or 8.1
  • .NET Framework 
    • .NET Framework 4.0 for SYNERGIX AD Client Extensions 2014
  • Domain Membership in Microsoft Active Directory domain
  • Microsoft Outlook or other EMail client for Microsoft(R) Windows(TM)
  • SYNERGIX AD Client Extensions 2014

 

Active Directory Domain Environment

  • Single Active Directory domain environment, i.e. a single forest with the forest root domain only, for example F10.LOCAL
    • You can setup a more complex Active Directory Domain environment, if needed.  For example, one forest F10.LOCAL with child domains D10.F10.LOCAL, D11.F10.LOCAL and D12.F10.LOCAL and a trusted forest F20.LOCAL with child domains D20.F20.LOCAL, D21.F20.LOCAL and D22.F20.LOCAL

 

  • Security Group(s)
    • Create a security group called "SYNERGIX ADCE Managed Computers".  The group type may be Domain Global Group or Domain Local Group.
    • Add the test domain computer(s) into the security group "SYNERGIX ADCE Managed Computers"
    • SYNERGIX ADCE Managed Local Groups (this security group is used as a security filter; only the members of this group will be mapped to the selected local groups).
    • Add the user to the SYNERGIX ADCE Managed Local Groups security group
  • Delegate Control
    • Not applicable for configuring this feature
  • Configure domain Group Policy Object
    • Copy the SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions on the admin workstation (must be Windows 7.0)
    • Copy the SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US on the same admin workstation (must be Windows 7.0)
    • Using GPMC.MSC, edit existing or new Group Policy Object.
    • In Group Policy Editor, expand COMPUTER CONFIGURATION
    • Expand Administrative Templates
    • Expand SYNERGIX AD Client Extensions
    • Expand Domain Users
    • Select Manage Domain Users Account Membership in Local Groups, right-click and select Properties
    • Click on the Enable radio button to enable the policy setting
    • Set the Command Run Interval to 15 minutes
    • Set the Validation Interval to 15 minutes
    • Set Duration Interval to 60 minutes. This is the time for which the domain user will have elevated privileges on his / her workstation.
    • Ensure you have a security group called SYNERGIX ADCE Managed Domain Users - Apply Users.  Users in this group will get elevated privileges.  See note below.
    • Ensure you have a security group called SYNERGIX ADCE Managed Domain Users - Deny Computers.  These computers are excluded from the policy.  It means domain users will never have their privileges elevated by SYNERGIX AD Client Extensions software.  Even if you're not excluding any computer, the security group must still exist.
    • Set User Notification Interval to 5 
    • Customize Notification Message Title and Message as desired.
    • Check the local security groups the user must be made member of temporarily.

Note: 

You must grant the 'Write Members' permission on this group object to the "SYNERGIX ADCE Managed Computers" security group. The 'Write Members' permission is used by the domain computer account i.e. NT AUTHORITY \ NETWORK SERVICE to remove the domain users from the APPLY group when the duration elapses.    
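
A pre-flight check for the groups and the delegation described in the note, as an added example (not SYNERGIX's own tooling). It assumes the RSAT ActiveDirectory module on the admin workstation, that "this group object" is the Apply Users group, and that 'Write Members' corresponds to a write-property ACE on the member attribute.

```powershell
# Added example, run on the admin workstation. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$managedComputers = 'SYNERGIX ADCE Managed Computers'
$applyUsers       = 'SYNERGIX ADCE Managed Domain Users - Apply Users'
$required = $managedComputers, $applyUsers,
            'SYNERGIX ADCE Managed Domain Users - Deny Computers',
            'SYNERGIX ADCE Managed Local Groups'

# schemaIDGUID of the 'member' attribute. An all-zero ObjectType means "all properties".
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Look the groups up by name; a missing group is reported, not fatal.
$groups = @{}
foreach ($name in $required) {
    $g = Get-ADGroup -Filter "Name -eq '$name'"
    if ($g) { $groups[$name] = $g } else { Write-Warning "Missing group: $name" }
}

function Test-WriteMembers {
    param($Target, $Trustee)
    $acl = Get-Acl -Path ("AD:\" + $Target.DistinguishedName)
    # Ask for SIDs so the comparison does not depend on name translation.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Trustee.SID.Value -and
        ([int]$_.ActiveDirectoryRights -band $writeProp) -and
        ($_.ObjectType -eq $memberAttr -or $_.ObjectType -eq [guid]::Empty)
    }
    # Only Allow ACEs are inspected; a Deny ACE for the same trustee would still win.
    return [bool]$allow
}

if ($groups[$applyUsers] -and $groups[$managedComputers]) {
    if (Test-WriteMembers -Target $groups[$applyUsers] -Trustee $groups[$managedComputers]) {
        "OK: '$managedComputers' can write 'member' on '$applyUsers'."
    } else {
        Write-Warning "'$managedComputers' lacks Write Members on '$applyUsers'; removal at expiry needs it."
    }
}
```

Inherited ACEs are included in the check, so a grant made on a parent OU that covers the member attribute will also report OK; review where the grant comes from if the Apply Users group should be the only object delegated.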

 

Additional Information

For ease of administration, you may set the description on the two security groups as follows.

SYNERGIX ADCE Managed Domain Users - Apply Users: Only the members of this group can have the privilege for the specified amount of time.

SYNERGIX ADCE Managed Domain Users - Deny Computers: Users logging into computers that are members of this group are excluded from the policy.

 

Procedure

  • Log into a domain computer with the domain user account that has administrative privileges.
  • Ensure the SYNERGIX AD Client Extensions specific Group Policy settings are applied
    • Launch RSOP.MSC or run GPRESULT.EXE /v to confirm
  • Install SYNERGIX AD Client Extensions software
  • Run gpupdate /force
  • Log out
  • Log into the computer with the domain user account.
  • From your admin workstation, add the domain user account to SYNERGIX ADCE Managed Domain Users - Apply Users security group.
  • Wait to be prompted. You should see a message that your privileges have been elevated and you are required to enter your password to accept this change. 
  • Perform some administrative task. For instance, you can install software that requires administrative privileges.
  • Wait for 60 minutes.
  • Uninstall the software that you previously installed.  It should fail because your privileges are automatically revoked after 60 minutes.

 

Test Results

  • Pass or
  • Fail

 

Test Result Submission

  1. Complete the Test Environment worksheet
  2. Upload test results document file to software test repository
Note: You must use the ADCE \ Help \ Submit Log Files button to zip up the above 3 files and submit them.
 
 
