
Hi All

We are facing one issue in our policy for Windows assets. Our requirement is:

1. When a user tries to elevate by executing any exe file using "Run as different user" (Shift + right-click + Run as different user), the user should get the EPM message asking for a reason.

2. We have created one application group and rule and added it to the High Flexibility Workstyle.

3. When the user is trying to run the CMD file as a different user, the user is not getting the EPM message asking for a reason.

Here is what I did in my lab.

  1. Created one application group and added eclipse.exe to it.
  2. Created the rule under the High Flex policy and used the group.
  3. I have placed this rule at the top so that it gets enforced and not overridden by other rules. Placed it above Add Admin - High Flex.
  4. I have added the below rule settings:

Message: All Message (Yes/No),

Access Token: Add Basic Admin Rights,

Raise event: On Enabled: Enable

When I am opening Eclipse by double-clicking, I am getting the EPM prompt asking Yes/No; this is working as expected. However, when I am doing "Run as different user" (Shift + right-click + Run as different user), I am not getting the EPM prompt.

Can anyone please help and let me know what I am missing?

Regards,

Imran Aliyani

Hi Imran,

Let's start with the basics: the option to right-click and Run as a Different User does not mean you would by default provide admin rights to the launch; only Run as Administrator does that.

If the option Run as Different User is used, and the user provides credentials that belong to a true administrator, it would still prompt the native UAC with a Yes/No consent before launching (this depends on UAC settings).

If you want to ensure an admin token is applied, we can hide the option to Run as Different User, forcing users to use Run as Administrator.

If you need specific users to authenticate, use the message option with Designated User Can Authenticate, and/or the option to Run in the context of the authenticated user for tools like ADUC, DNS, etc.

Running something as a Different User will still apply policy rules if the filters match.

Jens


Hi Jens,

 

Thank you so much for the quick assistance. If we want to disable the option Run as Different User, is it done via the EPM console, or do we need to make changes to the user machine settings using GPO?

Regards,

Imran Aliyani


I would assume that we are using PM Cloud to manage the clients?

This is done in your EPM Policy.

If you take a look at my last screenshot (click on it and it becomes BIG): click Rule in your Workstyle → On-Demand Rules → expand the On-Demand Integration Settings → Add a Custom On-Demand…, then check Hide Run as...

Note this will hide both Run as different User and Run as Administrator.


We have a little bit of a mix. I would like to know what you would like to accomplish, as I think there is a misperception of how Run as Designated User and Run as Administrator work.

If we remove EPM, running as a designated user does not elevate the process even if the credentials used have admin rights. If the application executed does require admin rights, it will give you a native Yes/No prompt and use the default Windows split token, but only if the app triggers UAC and requests admin rights. See the GIF and note the integrity level and user name in the different scenarios.

Knowing what you would like to accomplish could help me guide you in a better direction.

Doing this in High Flex does not make much sense, as that Workstyle is designed to function as, and simulate, the user having "Admin Rights".

Jens


Hi Jens,

Thank you for the reply. Below are my requirement details:

1. Yes, we are using the cloud version of EPM.

2. We are just starting to build the EPM instance in the customer environment. Currently the customer requirement is not to block any of the activities that users are doing.

3. Users will continue to perform their day-to-day activities. However, we want to audit the user justification when they are elevating themselves. We will analyze the analytics report and later, based on that, we will fine-tune our policies and distribute users into the High/Medium/Low Flex policies more efficiently.

4. Currently my only requirement is that if a user tries to elevate himself as Administrator or run as a different user, the user should get the EPM dialogue box where users will provide the justification for elevation and their username and password. This should also happen when a user tries to install/uninstall any software on their machine.

Based on my above requirements, can you please guide me on how I can achieve this?

Apologies if my questions are very basic; I am new to EPM and trying to learn and implement.

Thanks in advance

Regards

Imran

