Group Policy Control
Settings in the Admin By Request client application can controlled under "Settings", when signed in to this web site.
These settings can be overruled by local policy settings, which can be preferred in complex environments or
if company policy forbids having data in the cloud (this web site).
To set up custom policies, click the download button below to download a custom Admin By Request ADMX group policy file. On the server, on which you edit group policies,
unpack the zip file to C:\Windows\PolicyDefinitions (or PolicyDefinitions under SYSVOL for central store).
The settings will then appear under Computer Configuration.
DOWNLOAD ADMX FILE
Alternative without using a custom ADMX file
If you prefer, you can set the policy keys without using the custom ADMX file.
Policies are set under the registry key HKEY_LOCAL_MACHINE\Software\FastTrack Software\Admin By Request\Policies
and must be set using the Group Policy editor. KeyPath must be "Software\FastTrack Software\Admin By Request\Policies".
|AutoApprove||REG_DWORD||1||0||Enables automatic approval, if this setting is 1. If not configured or value is 0, cloud settings are used.|
|RequireReason||REG_DWORD||0||1||Enables requiring reason. If AutoApprove is 1, this reason is always rquired and this setting has no effect.|
|AdminMinutes||REG_DWORD||15||30||Number of minutes the user is administrator. This can also be set in your cloud settings.|
|Language||REG_SZ||Auto||Auto||User interface language. Default is to use the Windows user preference language. Forced language codes are English (EN), German (DE), Danish (DA), Spanish (ES) or French (FR).|
|EnableUAC||REG_DWORD||1||1||Enables UAC, if it is not enabled.|
|CleanAdminsGroup||REG_DWORD||1||0||This setting removes users from the administrators group at login time, unless the user is administrator based on a domain group membership or is logging on using the built in administrator account. Refer to the FAQ for more information.|
|DesktopIcon||REG_DWORD||1||0||Create desktop icon to elevate.|
|IconName||REG_SZ||Overrules the default name of the desktop and programs icon. Note that the default icon name is localized.|
|UserGroups||REG_SZ||If defined, the user must be member of at least one of these groups. Multiple groups are split by | (see notes below). This setting and the next three, can also be set in your cloud settings on this web site. Policies overrule cloud settings.|
|UserOUs||REG_SZ||If defined, the user must be located in one of these organizational units, or an OU under it. Multiple OUs are split by | (see next section).|
|ComputerGroups||REG_SZ||If defined, the computer must be member of at least one of these groups.|
|ComputerOUs||REG_SZ||If defined, the computer must be located in one of these organizational units, or an OU under it.|
|LogFile||REG_SZ||Optional log file. Every time a user elevates, it will be logged to this file.|
Additional Server Edition Settings
|LogAdminLogins||REG_DWORD||1||Logs the session log on and log off to the "Admin Logins" tab, when an administrator (the build-in administrator account or an account that is administrator through a group) logs on.|
|AccessRequestGroup||REG_SZ||Admin By Request Users||When not specified, the Admin By Request app will start. If the setting is set and the user is not a member, the Admin By Request app will not start. This setting is inteded to prevent the application from starting for Remote Desktop users on servers. Group and OU checks still applies.|
Group and OU delimiter
Multiple groups or OUs must be split by a vertical pipe, such as "Domain Admins|Customer Relations". This is because comma may naturally appear in groups or OU names and always appears in full distinguished names for OUs.
OUs can be specified as full distinguished name or simply the OU name itself. Note that if a OU name is not unique, the check will happen on either.
In a list, the user/computer must be member of one (not all) to allow administrator elevation.
Note that local users (except Administrator) can not elevate, when domain groups or OUs are in place.
Users can always request a PIN code for elevation, in case of an exception.
Auto elevated applications
Some legacy applications may always need to run as administrator. A list of applications can be set using policies.
For example, if Photoshop always needs to run as administrator (regardless of other settings), a name/data entry
can be set under the subkey "AutoElevatedApps". Only the value is used and it can be a full path to an exe file or just the exe file.
This feature requires UAC enabled to function and the user will be prompted for credentials on application start and must enter their
user name and password. This credentials prompt is a UAC limitation that cannot be bypassed.
But the application will run as elevated administrator without the user being administrator.
Applications that are never allowed to run, can be set using the "BlockedApps" subkey. These are applications that will always be
blocked from execution, regardless of being elevated or not.
Admin blocked applications
Applications can be blocked, only when the user is elevated by Admin By Request and only when user runs the application as administrator.
For example, if the user elevates to administrator, it would make sense to block Outlook.exe, so the user does start Outlook and click dangerous links.
Browsers could also be blocked, if the policy is that the must download software before elevation, to try to sandbox the installation as much as possible.
Note that a domain administrator can still log on and run this application elevated. It intentionally only applies to users elevating using Admin By Request.