
Frequently asked questions

If your question is not answered here, feel free to contact us

GETTING STARTED

How do I get started?

Click the "Download" top menu and register for a trial. The trial is 100% free and fully functional. You will get a login, where you download an MSI file to install on your test computers. Use these credentials to sign in at the top and set the settings as you like. After login, you will also see an audit log and a full software and hardware inventory of your clients. The mobile app is free.

WINDOWS CLIENT

What happens to the local administrators group after I install the client?

If the computer is in a domain, Domain Users will be removed from the local administrators group right away. That is all that happens initially. When a user then logs on, the user will be removed from the local administrators group unless:
  • You have unchecked the "Revoke admins rights" in the portal settings
  • The user is in the list of excluded accounts in the portal settings
  • The user is a member of a group that is in the local administrators group (such as domain admins)
The reason all users are not just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally remove any service accounts.

How can I prevent users from tampering with the software and making themselves permanent administrators?

The users and groups administration will be removed entirely from Computer Management during an administrator session. Even if the user still manages to tamper with the local administrators group, the administrators group is snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper with policy keys, these are also snapshotted and restored after sessions.

How can we keep some domain users as local administrators?

Domain groups (except Domain Users) are not removed from the local administrators group. This means that if a domain user logs on and is a member of a domain group that is in the local administrators group (for example a Help Desk domain group), the user is always local administrator. In this case the tray icon is red and, when hovering over it, you can see the tooltip saying "You are logged on as administrator". You can also specify specific user accounts to exclude in the portal settings.
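
To check the resulting state on a machine, the following added PowerShell example (not part of Admin By Request or its documentation) lists the local Administrators group and flags what each member means under the rules described above. The `Get-LocalAdminAudit` function name, its `-ExcludedAccounts` parameter and the `CONTOSO\svc-helpdesk` account are assumptions made for illustration.

```powershell
# Added example: audit the local Administrators group on one machine.
# Uses only the built-in Get-LocalGroupMember cmdlet (Microsoft.PowerShell.LocalAccounts).

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Accounts you entered as excluded in the portal settings
        # (assumed input, in DOMAIN\name or COMPUTER\name form).
        [string[]]$ExcludedAccounts = @()
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup works regardless of the OS display language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        $sid = $m.SID.Value

        $finding = if ($sid -match '^S-1-5-21-.*-513$') {
            # RID 513 = Domain Users; the FAQ says this entry is removed at install.
            'Domain Users still present: every domain user is local admin'
        }
        elseif ($sid -match '^S-1-5-21-.*-500$') {
            'Built-in Administrator account (RID 500)'
        }
        elseif ($m.ObjectClass -eq 'Group') {
            # Groups other than Domain Users are left in place by the client.
            'Group: all of its members remain permanent local admins'
        }
        elseif ($ExcludedAccounts -contains $m.Name) {
            'User on your exclusion list'
        }
        else {
            'User: removed at logon if revoke is enabled; otherwise review (service account?)'
        }

        [pscustomobject]@{
            Name    = $m.Name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            Finding = $finding
        }
    }
}

# CONTOSO\svc-helpdesk is a constructed placeholder account.
Get-LocalAdminAudit -ExcludedAccounts 'CONTOSO\svc-helpdesk' | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after deploying the client to see which group entries will keep granting permanent administrator rights.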

Does it work without a domain?

Yes

Does it work with Azure AD joined machines?

Yes

How do I handle legacy applications that require admin rights and thereby prevent us from taking away users' admin rights?

You can whitelist applications to automatically elevate when the user starts the program in question. You simply enter the path to the program and that's it. If you are not sure which applications are problematic, you can use Learning Mode; see the next question.

What is Learning Mode?

Learning Mode helps you identify programs that require administrator rights to use, before you take away users' admin rights. When deploying Admin By Request, users are removed from the local administrators group when Learning Mode is not enabled. Before revoking these rights, you can enable Learning Mode in the portal settings, which will instead detect which applications users actually run as administrator and collect them in a candidate list in the portal. When you see the list in the portal, as it is collected from clients, you can simply press a button on each candidate program to whitelist or hide it. When Learning Mode is on, the user is still administrator and the tray icon will be a green plus.

What if I need more complex group/OU rules?

In the portal, you have settings for Workstations and Servers. These are the default settings. You can then define overruling settings based on computer or user groups and/or Organizational Unit(s). A common scenario would be to require approval for all users, except users in the IT department, who are allowed to elevate without permission.

Where can I see client errors?

Please refer to the Application log in the Windows event log.

Can I install the Workstation edition on servers and Server edition on workstations?

You cannot install the workstation edition on a server. But you can install the Server version on a workstation.

What happens to the local administrators group, when I uninstall the client?

In licensed mode, nothing happens. In trial mode, revoked accounts will be put back in the local administrators group.

MAC CLIENT

What happens to user accounts after I install the client?

When a user logs on, the account will be downgraded from Admin to User unless:
  • You have unchecked the "Revoke admins rights" in the portal settings
  • The user is in the list of excluded accounts in the portal settings
  • The computer is domain joined and the user is domain admin

What is "Last Admin Check"?

If you log on and expect the user account to be downgraded from Admin to User, but it doesn't happen and the icon appears red in the toolbar, you are most likely hitting the "Last Admin Check". You can confirm this by clicking the red icon. The intention of this check is to make sure you always have a service account. If you don't have at least one admin account, you cannot change, modify or delete user accounts on the computer and you can never uninstall Admin By Request.

If you use the "Revoke admins rights" option to revoke user rights, all user accounts will be downgraded from Admin to User, when they log on. In the portal settings, you can specify user accounts that are excluded. These would typically be service accounts for a Help Desk or similar. If no excluded accounts are specified and the machine is not joined to Active Directory, the revoke will not be executed for the last administrator and it falls under the "Last Admin Check".

How can I prevent users from tampering with the software and making themselves permanent administrators?

That is not a concern. When users get an administrator session, the user's role is not actually changed from user to admin. The user is granted all administrator rights, except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become permanent administrator. Admin By Request is also the only program the user cannot uninstall, so the user cannot keep the administrator session open forever by removing it. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored right away.

Which rights does a user have during an administrator session?

Users can install programs requiring admin rights, install drivers and change system settings other than user administration. Users cannot run sudo or add, remove or modify user accounts.

How can I use different settings on different machines?

You can put overruling settings on machines to overrule default settings. Refer to this page for instructions.

How do I uninstall Admin By Request?

Run the uninstall program /Library/adminbyrequest/uninstall. The program cannot be run during an Admin By Request administrator session.

Where can I see client errors?

You can find the error log under /var/log/adminbyrequest.log.

PORTAL

Do I need to approve each time a user wants administrator access?

No. You can use a setting after sign in to allow elevation without approval. In this case, you still get the benefits of auditing: who elevated, when, and an audit log of installed software and executed applications. In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Codes of Conduct message/screen that will appear just before the session starts. The Codes of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.

Are other customers typically using auto-approval mode?

Yes. The most typical pattern we see for new customers is that they start with approval required. Then after an initial period, when the psychological effects on end users are clear and there is reassurance end users do not violate rules (see previous question), they shift to auto-approval mode combined with reason requirement and Codes of Conduct screen. This is the point, where the whole administrator access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.

Can I add more IT people to approve requests and see the auditlog?

Yes, in the portal, you can create more logins for more people. You can also define which roles they have, such as access to the audit log and whether the person is allowed to approve requests.

How would I set up an external auditor?

You can create a portal user account that can only see the auditlog and optionally the inventory. No other data will be visible.

What if I want a manager IT to approve some requests?

You can set a scope for portal logins to only see part of the data based on end user or computer groups and/or Organizational Units. For example, a sales manager can be set up to only see users and computers in sales. He will then only get approval requests from his own staff. You can also set up the manager to not have approval ability, but only the ability to see the auditlog for his own staff.

Can I set up sub-administrators to only see part of the data?

Yes. You can set a scope for portal logins to only see and approve part of the data based on end user or computer groups or Organizational Units. For example, an administrator in a region could be set up to only see and approve requests and data from computers in his own scope, assuming for example that all computers are in a specific Organizational Unit.

I am an MSP - how can I give my customer a limited view?

You simply create a user account that cannot approve requests. This way, your customer can see the data you choose without the ability to approve requests.

PERFORMANCE

Should I be concerned about performance impact on my machines?

No. When users do not use the application, it does not consume resources, except for a brief daily inventory and settings check.

LICENSING

How is it licensed?

It is licensed by the number of computers running the client software. Contact us for pricing.

Do I need two different licenses for Windows and Mac?

No. You buy a number of Workstation licenses and these can freely be mixed between Windows and Mac clients.

CONNECTIVITY

Is an internet connection required?

This may be surprising, but no. The client is only required to have an occasional internet connection (like a guest WIFI anywhere). The reason is, clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator temporarily and will queue the data locally, such as time, installed applications, executed exe files as administrator and so on. Once the client has an internet connection again, it will flush the queue to the cloud service and you will get all data. This means that the client works exactly the same being online or offline. The only difference is the time you get the reporting data in the cloud service.

What happens, if approval is required and the client does not have internet access?

In this case the client cannot allow the elevation and you cannot see an approval request. The client will intelligently determine it is indeed offline and, on the approval screen, a note will automatically appear telling the user the elevation can only happen if the user either seeks an internet connection or, if that is not possible, contacts IT and gets a daily PIN code. The PIN code is a code the client and server know without having communication. The PIN code will appear in the left menu on computer details in the inventory, if you enable approval mode.

Should I be concerned about internet bandwidth consumption?

Absolutely not. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and, if the connection is bad, we don't want to consume bandwidth. Inventory data is collected intelligently, so only delta data is collected. If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client to the cloud service is minimal. If you take a random client and divide its traffic from a month of typical use by the number of days, we are talking about 5K of data per day. Or said in another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.

How can you possibly know where my computers are?

When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data. The expected accuracy is at a city level.

SECURITY

How is the data transferred to the cloud service?

Please refer to our SLA & Compliance for more information.

Which data is collected?

Please refer to our SLA & Compliance for more information.

How do you store the data?

Please refer to our SLA & Compliance for more information.

Are you fully GDPR compliant?

Yes. Please refer to our Data Processing Agreement and Privacy Statement for GDPR compliance and to our SLA & Compliance for more general information.

Can it help me with stolen computers?

Yes. Once the machine is booted, you get the public IP address of the thief's router. The client does not require anyone to log on to a computer to upload data, so when the thief turns on the computer, the inventory data is sent transparently. You can now see the public IP address and upload time in your client view and give this to the police. The police can then get the name and address of the IP address owner from the thief's internet service provider (ISP).

What happens when I delete a computer?

The collected data associated with the computer is deleted. If the computer then turns out to be alive after all, the computer will show up again and upload inventory data.

MOBILE APP

Is it free?

Yes

What are the minimum requirements?

The iPhone app works on iOS 10.0+. The Android app works on version 4.4+ (KitKat).