Add an option to run an application with another user's LPM permissions

What is a one sentence summary of your feature request?

Add an option that allows a user with LPM permissions to elevate and run an application for another logged-in user who does not have the required permissions.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Currently, a user who lacks a specific LPM policy can use “Admin Approval” to run an application by providing a code or by entering credentials of another user who has local admin privileges.

However, in some cases a HelpDesk employee—who does have a global LPM policy to run any executable, but does not have local admin rights—is already assisting through an active remote session. They may need to run an application with elevated privileges within the end user’s session.
Right now, the end user must either send an Admin Approval code to the Cyber Security team or log off so the HelpDesk employee can log in and use their own LPM permissions.

It would be helpful to have a “Run as a different user using EPM” option, or an Admin Approval enhancement that allows elevation using another user’s existing LPM permissions, without requiring local admin credentials.

How do you currently solve the challenges you have by not having this feature?

  • The user logs off so the HelpDesk employee can log in and apply their privileges.

OR

  • The user opens a support case, submits the Admin Approval code, and waits for the Cyber Security team to authorize the request.

So we do have this; but only when brokered thru Netwrix Privilege Secure. Here’s the demo video.

I realize what you likely want is something without the server part brokering it; but there’s no way to do this without a server getting in the middle, because those other creds aren’t “lying around” on the endpoint machine in a way we can get them without something being tapped directly into Active Directory to switch user context.

-Jeremy, VP Endpoints

Hi,

First of all, thanks for the quick reply.
The demo video is not really what I’m looking to achieve.
Maybe I’m missing something or wasn’t understood, so I’ll try to clarify…

Let’s say USR1 is a standard user on a computer with no LPM (or NPS) policy applied besides exposing the Admin Approval option.
USR1 cannot run a setup.exe with admin privileges.
Normally, USR1 would need to Right Click → Run with EPM Admin Approval → Send a request code to Cyber Security team → Wait for approval and get a response code to paste in the Admin Approval window.

Now, let’s say that HelpDesk employee HDSK1 is not a local admin and has an LPM policy applied that allows them to elevate any executable using Self Elevate.
HDSK1 is supporting USR1 and is connected to their workstation using remote tools (the logged-in session is USR1), and decides to install an application to solve an issue.
So, HDSK1 needs USR1 to log off and then log in with their credentials to be able to Right Click → Run with EPM Self Elevate.

The question was: instead of having USR1 log off and log on using HDSK1 to be able to install the application, could HDSK1 use his Self Elevate permissions to elevate the installation for USR1’s session (same as the option to enter different credentials in the Admin Approval window, but instead of relying on the local admin rights, using the LPM policy that is applied to HDSK1)?
That means that the process will run elevated in USR1 context.

@jeremy.moskowitz pinging

There’s no way to achieve that… with EPM or any other competitor as far as I know.

When USR1 is logged in.. HE is logged in.
When HDSK1 is logged in, he’s not really logged in… he’s a shadow over the actual logged in user.

As such there’s not really “two users” logged in… I’m not in a place where I could test this fully, but since you pinged me, I wanted to at least get back to you, even if not ideal.

But I can try to ask someone to see what is happening. Also, are you using standard RDP to remote into the box or something else?

But in short, if I get your meaning.. you want:

  • Mr. USR1 to have no RULES.
  • Mr. HDSK1 to have RULES.

-When HDSK1 is shadowing Mr. USR1’s session you would like HDSK’s rules to magically apply, thus running INSTALLER.EXE with elevated rights but actually with USR1 doing the elevation and not HDSK1 even though he’s the shadow.

Do I have it all right?