The local administrators group
If the computer is in a domain, the Domain Users group is removed from the local administrators group right away.
That is all that happens initially. When a user logs on, the user is removed from the local
administrators group, unless:
- You have unchecked "Revoke admins rights" in the portal settings (see screenshot below)
- The user is in the list of excluded accounts in the portal settings
- The user is a member of a group that is in the local administrators group (such as Domain Admins)
The reason all users are not removed right away is to remove only interactive user accounts and not accidentally
remove service accounts used to deploy software or similar.
Domain groups (except Domain Users) are not removed from the local administrators group. This means
that if a domain user logs on and is a member of a domain group that is in the local administrators group
(for example a Help Desk domain group), the user is always a local administrator.
In this case the tray icon is red, and hovering over it shows the tool tip "You are logged on as administrator".
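To check why a given account is (still) a local administrator, the added PowerShell example below matches the members of the local Administrators group against the group SIDs in the current logon token. It is not Admin By Request code; it assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and it is run as the user being checked, from a normal (non-elevated) prompt.

```powershell
# Added example (not Admin By Request's own code): explain which entry in the local
# Administrators group makes the current user an administrator: a direct user entry,
# or a group entry (Domain Users, Domain Admins, a Help Desk group, ...) that the
# user's logon token contains. Assumes the LocalAccounts module (Windows 10+).

function Get-AdminMembershipPath {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid   = $identity.User.Value
    # Every group SID in the logon token, including nested domain groups.
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $member.SID.Value
        if ($sid -eq $userSid) {
            [pscustomobject]@{ Via = 'Direct user entry'; Member = $member.Name; Class = $member.ObjectClass }
        }
        elseif ($member.ObjectClass -eq 'Group' -and $tokenSids -contains $sid) {
            [pscustomobject]@{ Via = 'Group membership';  Member = $member.Name; Class = $member.ObjectClass }
        }
    }
}

$paths = @(Get-AdminMembershipPath)
if ($paths.Count -eq 0) {
    "The current user is not a member of the local Administrators group."
}
else {
    "The current user is a local administrator via:"
    $paths | Format-Table -AutoSize
}
```

One caveat when reading the output: the logon token reflects group membership at logon time, so a user removed from the local administrators group keeps an administrative token until the next logon; this is also why a domain group entry such as a Help Desk group keeps the user an administrator on every logon.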
Azure AD and computers outside domains
The software works exactly the same without a domain or for computers joined to Azure AD. For Azure AD, you can set up a connector
in the portal settings. Setting up the connector is optional for Azure AD; you only need it to use subsettings, in which case
the connector creates subsettings based on Azure AD groups.
The software has built-in measures to prevent users from tampering with it in order to become permanent administrators.
The users and groups administration is removed entirely from Computer Management during an administrator session.
Even if the user still manages to tamper with the local administrators group, the administrators group is snapshotted before the session
starts and restored after the session ends. If the user tries to add other users or groups to the administrators group, these are
simply removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer
shows an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper with policy
keys, these are also snapshotted and restored after the session.
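The snapshot-and-restore approach described above can be illustrated with the added PowerShell script below. It is not Admin By Request's own code and says nothing about how the product implements it; it assumes an elevated PowerShell 5.1 or later session with the built-in LocalAccounts module, and it covers only the Administrators group (the policy keys mentioned above would be handled with the same record-before / reconcile-after pattern).

```powershell
# Added illustration (not Admin By Request's own code) of snapshot-and-restore for
# the local Administrators group: record the member SIDs before a session, then
# after the session remove anything that was added and re-add anything removed.
# SIDs are used rather than names because they survive renames.

$Group = 'Administrators'

function Get-AdminSnapshot {
    # Returns the current member SIDs of the Administrators group as strings.
    @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.SID.Value })
}

function Restore-AdminSnapshot {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Snapshot)

    $current     = @(Get-LocalGroupMember -Group $Group)
    $currentSids = @($current | ForEach-Object { $_.SID.Value })

    # Anything present now but absent from the snapshot was added during the session.
    foreach ($member in $current) {
        if ($Snapshot -notcontains $member.SID.Value) {
            Write-Verbose "Removing $($member.Name) (added during session)"
            Remove-LocalGroupMember -Group $Group -Member $member.SID.Value
        }
    }

    # Anything in the snapshot but missing now was removed during the session.
    foreach ($sid in $Snapshot) {
        if ($currentSids -notcontains $sid) {
            Write-Verbose "Re-adding $sid (removed during session)"
            Add-LocalGroupMember -Group $Group -Member $sid
        }
    }
}

# Usage around an administrator session:
$before = Get-AdminSnapshot
# ... the user's elevated session runs here ...
Restore-AdminSnapshot -Snapshot $before -Verbose
```

The reconciliation is done in both directions on purpose: removing members that were added handles the case the page describes (the user adding other accounts), and re-adding members that disappeared handles a user trying to lock out the accounts or groups that were there before.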
User Account Control
User Account Control (UAC) is still enforced (if enabled) to maintain the extra layer of security.
If the user needs to run an application during an Admin Session, the user still has to invoke "Run as administrator"
directly or indirectly and enter their own credentials. This is intentional, to avoid reducing the security level.
Admin By Request does not replace or tap into UAC for the reasons stated in the previous section.
Admin By Request does not replace User Account Control, like some other solutions do. This is a design choice.
Replacing Windows system files or components is dangerous and can lead to future problems because of Windows Updates, which could ultimately
break your OS installations to the extent that computers can no longer boot. This is especially true of Windows 10 feature updates, which often
change basic functioning of the operating system. A significant advantage of the Admin By Request client software is that it does not change
or replace any system files or components and only uses what is already built into Windows. Because of this, it also does not consume any
resources at all unless the user invokes the software.
Learning Mode helps you identify programs that require administrator rights to use, before you take away users' admin rights.
When deploying Admin By Request, users are removed from the local administrators group when Learning Mode is not enabled.
Before revoking these rights, you can enable Learning Mode in the portal settings, which will instead detect which applications users
actually run as administrator and collect them into a candidate list in the portal. When you see the list in the portal, as it is
collected from the clients, you can simply press a button on each candidate program and choose whitelist or hide.
When Learning Mode is on, the user is still administrator and the tray icon is a green plus.
You can generally blacklist applications you don't want users to run, such as Spotify or certain browsers.
You can also block users from elevating any Windows system file, which prevents users from running cmd.exe,
regedit.exe, mmc.exe, etc. as administrator.
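Whether or not such a block is in place, a defender will want to see which Windows system binaries are actually being launched with an elevated token. The added PowerShell example below does that from the Security log's process creation events (event ID 4688). It is not Admin By Request code; it assumes "Audit Process Creation" is enabled on the machine, that the script is run from an elevated prompt (the Security log requires it), and the list of watched binaries is an illustrative choice, not a setting from the page.

```powershell
# Added example (not Admin By Request's own code): list launches of selected Windows
# system binaries with an elevated token, from Security event 4688 (process creation).
# Assumes process creation auditing is on. TokenElevationType values in 4688:
#   %%1936 = full token (UAC off or built-in Administrator)
#   %%1937 = elevated token (user went through "Run as administrator" / UAC)
#   %%1938 = limited (standard user) token
$WatchedBinaries = @('cmd.exe', 'regedit.exe', 'mmc.exe', 'powershell.exe')  # illustrative list
$SystemRoot      = $env:SystemRoot                                            # e.g. C:\Windows

function ConvertFrom-ProcessCreationEvent {
    # Flattens the EventData of a 4688 record into an object with the fields we need.
    param([Parameter(Mandatory, ValueFromPipeline)]$WinEvent)
    process {
        $xml  = [xml]$WinEvent.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $WinEvent.TimeCreated
            User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process       = $data['NewProcessName']
            ElevationType = $data['TokenElevationType']
            ParentProcess = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
        }
    }
}

function Test-ElevatedSystemBinary {
    # Passes through only records where a watched binary under %SystemRoot% ran elevated.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $name     = [System.IO.Path]::GetFileName($Record.Process)
        $elevated = $Record.ElevationType -in '%%1936', '%%1937'
        $isSystem = $Record.Process -like "$SystemRoot\*"
        if ($elevated -and $isSystem -and ($WatchedBinaries -contains $name)) { $Record }
    }
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
    ConvertFrom-ProcessCreationEvent |
    Test-ElevatedSystemBinary |
    Format-Table Time, User, Process, ElevationType, ParentProcess -AutoSize
```

The parent process column is worth keeping: an elevated cmd.exe whose parent is explorer.exe (a user right-clicking "Run as administrator") reads very differently from one spawned by a deployment or management agent, which is the service-account case the page takes care not to break.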
In the portal, you have settings for Workstations and Servers. These are the default settings.
You can then define overriding settings based on computer or user groups and/or Organizational Unit(s).
A common scenario would be to require approval for all users, except users in the IT department, who are
allowed to elevate without having to request approval.
If you have questions not answered on this page, please contact us using the chat or the contact menu at the top.