
Recently I began a journey to leverage EPM as a logging method for those pesky “Workstation Admin Exceptions” for users who feel the EPM agent gets in their way while doing work.

Essentially, I have a policy that has everything set to Passive so that EPM can detect the elevations and log them for me, but not affect the end user’s ability to “Run as Administrator”.

I am curious if anyone else has done something like this as well, and if I am going down the track.

I still have a few things to cover, but I wanted to get a feel for what others have done to capture those delicate metrics that are needed.

Hey @MikeK, enabling this feature in an application group will surely show you which component of the application is running with admin privileges or not.

But in order to find which applications are running as admin or not, there are default Application Groups created in the QuickStart policy by BeyondTrust that allow you to define which applications are running with admin privileges and which with “Run as administrator” behavior.

These default groups will surely give you the difference to find the applications with admin behavior, Run as administrator behavior and passive as well.


Hey @MikeK,

There is probably a bit to unpack here before we want to start suggesting specific solutions.

First is for us to understand whether these users you are trying to monitor are currently working as standard users, or do they still have admin accounts they are either logging in with, or which they are using for the ‘Run as’ action?

Assuming they are (or maybe were) working under an EPM policy, have you deployed our standard ‘QuickStart’ template, and if so, which workstyle do these users typically fall under? Also, how long have you had EPM deployed for?

Finally, where you are getting this push back from users that EPM is “getting in the way”, have they given you examples of the impact?

Whilst Akshay’s suggestion can be useful to understand the privilege requirements of applications, and may be a mechanism we could consider using - it may not be the easiest or most effective path forward.



Hi @Akshay Sharma - These are all essentially using wildcards for file names, code base, publisher, etc. I had looked at these initially when starting down this journey, but I was curious if that is what other customers have leveraged, or if they came up with their own method to track those use case elevations.


Hi @Paul - To provide the additional clarity, these are users who have local admin rights on the machines (unfortunately). Some of these users absolutely refused to have EPM installed (a battle that I will win over time when I enable agent protection and they can’t uninstall it ever 😃).

My organization has had EPM installed for a few years, though it was unfortunately just slapped in to replace local admin rights with giving everyone the ability to elevate applications. I was hired to take over the maturation of the product and help to push it forward into a High, Medium, Low flex standpoint. However, I need to start to get an understanding of the usage of the individuals who are constantly leveraging an exception process, so that I can take those applications into consideration.

The few that have provided examples of EPM getting in the way I have been able to negate and prove it’s not actually EPM, or when it is, it’s that EPM was misconfigured in a way that was causing the issue to start with.

I’ve never really had to worry about what others are elevating, as former companies were very strict with what applications you could even elevate and 99% of the employees had zero need to elevate applications.
