Notes on Windows Client
User Account Control
User Account Control (UAC) is still enforced (if enabled) to maintain the extra layer of security.
If the user needs to run an application elevated, the user still has to select "Run as administrator" and
enter own credentials. If the user starts Windows Installer or similar, the installer will automatically
ask for elevation and trigger the UAC prompt to continue.
The administrators group and policy registry keys will be snapshotted before the session starts and restored after a session ends.
If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of
the session. If the user tried to uninstall Admin By Request during a session, Windows Installer will show an error message
saying that Admin By Request cannot be uninstalled during an active session.
If the user has a local admin account that no one knows about, this is not a problem. Because when a user logs on,
rights are simply revoked. The reason all accounts are not revoked in general, is because you may have service accounts
that you want to continue to have administrative rights.
Refer to our FAQ page
for more information.
Some legacy Windows applications require local administrator rights, simply because they were written back in the day,
when everything was open and using the same folder for application files and data was the norm. Or settings were
mistakenly written to HKEY_LOCAL_MACHINE. This in effect prevents you from taking away administrator rights.
But you can make a whitelist of applications with Admin By Request in the portal,
which will automatically elevate these applications on-the-fly without users
doing anything. You can also create blacklists
of programs you never want the user to run, such as cmd.exe or regedit.exe.
Maybe your company took over another company, so you have no idea, which legacy applications users have to run as administrator
to work. For this, we have a feature
called Learning Mode that you can configure in the portal. It's kind of a pre-production mode, where you install
the Admin By Request client, but it doesn't do anything but sit there and "listen" to which applications users
start as administrator. Then after a period of time, you can go through the collected list in the portal and click
a whitelist button on relevant applications. Once you are ready to go live, you simply disable Leaning Mode again and
Admin By Request starts revoking admin rights.
The hidden risk of security solutions
Replacing Windows system files or components can lead to future problems because of Windows Updates, which could ultimately
break your OS installs to the extent that computers can no longer boot.
A significant advantage to the Admin By Request client software is that it does not change or replace any system files or components.
It uses only what is already built into Windows. It also does not consume any system resources, unless it is invoked.