How to Configure Access Director

• Configuring Access Director using Group Policy

Group Policy tools use Administrative template files to populate policy settings in the user
interface. This allows administrators to manage registry-based policy settings.

This download includes the Administrative templates released for Windows Server 2012 R2, in the
following languages:
• en-US English - United States

Basic-bytes.com Access Director wwwBasicBytescom Basic_Bytes basic-bytes


Supported Operating System

• Windows 7 32-bit and 64-bit Editions
• Windows 8 32-bit and 64-bit Editions
• Windows 8.1 32-bit and 64-bit Editions
• Windows 10 32-bit and 64-bit Editions
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016

Importing Access Director administrative template files
To import an ADMX file, copy the ADMX and ADML files to the C:\Windows\PolicyDefinitions folder
on the machine performing the Group Policy object editing. If you're using a central store, copy
the ADMX and ADML files to the folder SYSVOL\<domain>\policies\PolicyDefinitions\

Group Policy Settings

Standard Settings
Contains settings to control the behavior of Access Director.
Enable Local Security Group:
If you enable this policy setting, Access Director will validate whether the current user is a
member of the defined group. If you enable this policy setting and the local security group does
not exist or the user is not a member, Access Director will restrict the user from assigning
privileges. The user is required to be a direct member, as the service does not resolve local
group or domain group membership. If you disable or do not configure this setting, Access Director
does not validate against a Local Security Group, allowing the current user to assign privileges.
Scope: Machine
Value: Group name
Default Value: Access Director
Set time-span for assigning privileges:
This policy setting sets the time-span for users to gain administrative privileges. If you enable
this setting, the time-span can be from one to 60 minutes. If you disable or do not configure this
setting, Access Director will use the default value.
Scope: Machine
Value: 1 minute, 2 minutes, 5 minutes, 10 minutes, 15 minutes, 20 minutes, 30 minutes, 1 hour
Default Value: 2 minutes

Set User Name Presentation

This policy setting sets the presentation of the user name for the Access Director tray icon. If
you enable this policy setting, the user name can be set as Username, Full name or Domain\Username.
If you disable or do not configure this policy setting, Access Director will use existing settings.
Scope: Machine
Value: 1: User name, 2: Full name, 3: Domain\User name
Default Value: 2: Full name
Active Directory:
Contains settings to control behaviour of Active Directory settings.
Active Directory Refresh:
To specify the Active Directory refresh interval, click Enabled and then enter a value. The value
that you specify is the number of minutes to use for the Active Directory refresh interval. For
example, 60 minutes is 1 hour. Note: Setting has no effect if “Active Directory Integration” setting
is disabled or not configured.
Scope: Machine
Value: 60 (default)
Default Value: Not configured

Active Directory Cache

If you enable this policy setting, renewing cached information is required within the specified
renewal interval. If cached information fails to validate within the renewal interval, Access
Director will deny assigning privileges. To specify the cache renewal interval, click Enabled and
then enter a value. The value that you specify is the number of days to use for the cache
renewal interval. Note: Setting has no effect if “Active Directory Integration” setting is disabled or
not configured.
Scope: Machine
Value: 1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 1 week, 2 weeks
Default Value: Not configured
Active Directory Integration:
If you enable this policy setting, Access Director will be able to integrate with Active Directory
to validate the assigning of privileges. If you enable this policy setting, the computer must be
domain-joined.
Scope: Machine
Value: None
Default Value: Not configured

Set Active Directory Group
If you enable this policy setting, Access Director will attempt to validate assignment requests
using Active Directory integration. If the group is not available, Access Director will use cached
information.
Note: Setting has no effect if “Active Directory Integration” setting is disabled or not
configured.
Scope: Machine
Value: Privileged Users (default)
Default Value: Not configured
Advanced Settings:
Contains settings to control advanced settings for Access Director.
Assign privileges at login:
If you enable this policy setting, Access Director will assign privileges to the users at login.
The users are then not required to use the tray icon to assign privileges, and they have
privileges assigned during the whole login period. If you disable or do not configure this policy
setting, the users are required to use the tray icon to assign privileges.
Scope: Machine
Value: None
Default Value: Not configured

Enable Resuscitate
If you enable this policy setting, you can specify if Access Director will preserve local
administrator membership during logoff/restart/shutdown (not recommended). If you disable or
do not configure this policy setting, Access Director will remove the user from the local
administrator group during an active time-span.
Scope: Machine
Value: 1: Preserve elevation during logout/login, 2: Preserve elevation during restart/shutdown, 3:
Preserve elevation for all.
Default Value: Not configured
Enable user configuration:
If you enable this policy setting, end users can be given access to configure settings. Settings
available: Allow Basis configuration (Assignment time, Identity), Allow Advanced configuration
(AssignAtLogin (disable timer)), Allow Resuscitate configuration (Hidden from configuration
window). If you disable or do not configure this policy setting, end users do not have access
to configure settings.
Scope: Machine
Value: 1: Allow Basis configuration, 2: Allow Advanced configuration, 3: Allow Resuscitate
configuration
Default Value: Not configured

Enable Verbose Logging

If you enable this policy setting, Access Director will do verbose logging to
%TEMP%\AccessDirector.log. If you disable or do not configure this policy setting, Access
Director will maintain standard logging.
Scope: Machine
Value: None
Default Value: Not configured
Audit Settings:
Contains settings to control behavior of Access Director Audit settings.
Audit Logging:
If you enable this policy setting, the Access Director activity is logged in plain text in the
audit log placed in %TEMP%\. If you disable or do not configure this policy setting, Access
Director does not maintain an audit log.
Scope: Machine
Value: None
Default Value: Not configured

Audit Elevated Files

If you enable this policy setting, the Access Director file activity is logged in plain text in
the audit log placed in %TEMP%\. If you disable or do not configure this policy setting, Access
Director does not maintain an audit log.
Scope: Machine
Value: None
Default Value: Not configured
Enable reason for assigning privileges prompt:
This policy setting allows you to specify whether Access Director will request ‘reason for
Assigning Privileges’ prompt as part of the assignment process. If you disable or do not
configure this setting, ‘reason for Assigning Privileges’ prompt is not active. Note: Setting has no
effect if “Audit Logging” setting is disabled or not configured.
Scope: Machine
Value: None
Default Value: Not configured

Set Audit Refresh Interval

To specify the Audit refresh interval, click Enabled and then enter a value. The value that you
specify is the number of minutes to use for the Connector refresh interval. For example, 60
minutes is 1 hour.
Scope: Machine
Value: None
Default Value: Not configured
Set Audit URL:
If you enable this policy setting, Access Director will upload the audit logs to the defined URL.
A properly crafted web service must be available and you have to specify the Audit URL. If you
disable or do not configure this policy setting, audit logs are not collected. Note: Setting has
no effect if “Audit Logging” setting is disabled or not configured.
Scope: Machine
Value: http://<servername>/upload.php
Default Value: Not configured
Localization Settings:
Contains settings to control balloon language behavior.

Enable Preferred UI Language

If you enable this policy setting, Access Director will use the selected ‘UI language’. If you
disable or do not configure this setting, ‘UI language’ will use Windows Display Language as
reference. Note: If you configure a language and no applicable .LNG file is present, Access
Director ‘UI language’ will default to English.
Scope: Machine
Value: Arabic, Bulgarian, Croatian, Czech, Danish, Dutch, English (default), Estonian, Finnish,
French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian,
Norwegian, Polish, Portuguese (brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin),
Simplified Chinese, Slovak, Slovenian, Spanish, Swedish, Thai, Traditional Chinese (Hong Kong),
Traditional Chinese (Taiwan), Turkish, Ukrainian
Default Value: Not configured

Enable Preferred UI Reference

If you enable this policy setting, you can specify whether the UI language follows the
Windows Display Language or the defined Keyboard layout. If you disable or do not configure
this setting, ‘UI language’ will use Windows Display Language as reference.
Note: If you configure a language and no applicable .LNG file is present, Access Director ‘UI
language’ will default to English.
Scope: Machine
Value: Windows Display Language, Keyboard layout
Default Value: Not configured
Token Elevation:
If you enable this policy setting, users will be able to right click the tray notification icon and
request elevation using a PIN code.
Scope: Machine
Value: 1
Default Value: Not configured

Shared Token

When token elevation is enabled, the encrypted shared key must reside in the SharedToken data
field.
Scope: Machine
Value: 1
Default Value: Not configured
Configure Access Director using the Registry:
If a registry entry must be created or modified to correctly configure the product, you can edit
the entry directly using the registry editor Regedit.exe.
Do not edit the registry unless you have no alternative. The registry editor bypasses standard
safeguards, allowing settings that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the registry reference.

To Create a New Registry Entry by Using the Registry Editor

• In the Run dialog box, type regedit, and then click OK.
• In the registry editor, navigate to the key or subkey under which you wish to add an
entry and select the name of the key or subkey by clicking on it.
• On the Edit Menu, point to New and then click the data type for the entry, such as String
Value, Binary Value, or DWORD Value.
• In the details pane, type the name of the registry entry, and then press ENTER to create
the entry.
• To assign a value to the registry entry, right-click the entry and then click Modify. If the
entry has been defined as Binary Value, click Modify Binary Data instead.
• In the Edit Value Type Value dialog box, type an appropriate value in the Value data text
box. Type or select the value of other options, such as the base (hexadecimal or decimal) for
DWORD values, and then click OK.

Registry Options in Alphabetic Order

Name                      Type

AccessGroup               REG_SZ
AccessPeriod              REG_DWORD
ActiveDirectory           REG_SZ
ActiveDirectoryCache      REG_SZ
ActiveDirectoryGroup      REG_SZ
ActiveDirectoryRefresh    REG_SZ
Audit                     REG_DWORD
AuditElevatedFiles        REG_DWORD
AuditRFE                  REG_DWORD
AuditURL                  REG_SZ
ConnecterRefresh          REG_DWORD
Connector                 REG_DWORD
ConnectorURL              REG_SZ
ElevateAtLogin            REG_DWORD
Identity                  REG_DWORD
Language                  REG_SZ
PreferredUIReference      REG_SZ
Resuscitate               REG_DWORD
SharedToken               REG_SZ
TokenElevation            REG_SZ
UserConfig                REG_DWORD
VerboseLogging            REG_DWORD
WebAduitInterval          REG_DWORD

Default Registry Configuration

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Basic Bytes\Access Director

Name                  Type         Data

AccessPeriod          REG_DWORD    120
Audit                 REG_DWORD    1
AuditElevatedFiles    REG_DWORD    1
AuditPrograms         REG_DWORD    1
AuditRefresh          REG_DWORD    3600
AuditRFE              REG_DWORD    1
AuditURL              REG_SZ       http://accessdirector
Language              REG_SZ       Auto
VerboseLogging        REG_DWORD    1

Configuring PIN Elevation

The use of PIN Codes can be combined with the normal elevation process or with Active
Directory Integration. PIN Code elevation can also work as the sole way of elevation.
Registry requirements:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Basic Bytes\Access Director

Name              Type      Data

TokenElevation    REG_SZ    1
SharedToken       REG_SZ    {ENCRYPTED SHARED TOKEN}

To generate the encrypted shared token:

1. Open the OTP Key Application
2. Click Advanced
3. Insert a random 16 digit string
(a). Can be generated from https://www.random.ord/strings or any other random
string generator.
4. Click Enter
5. Copy the Shared Key and Encrypted Shared Key
6. Click Close
7. Type the Shared Key in the OTP Key Application
8. Click Check
9. Save the Encrypted Shared Key to the client registry location SharedToken
(a). Client restart is not required.

When a user requests privileges by right-clicking the Access Director icon in the tray
notification area, a PIN Verification prompt is shown.
The user code must be entered into the OTP Key Application by the service desk or an automated
framework.
A response key (Generated Code) will be available and should be given to the user.
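
The registry values documented above can be reviewed with a short script. This is an added example, not Basic Bytes code: the mapping of value names to policy settings (for example ElevateAtLogin to "Assign privileges at login" and Audit to "Audit Logging") and the rule that a non-empty, non-zero value means enabled are assumptions, and the sample hashtable is constructed from the Default Registry Configuration table.

```powershell
# Added example. Assumed: name-to-setting mapping; a non-empty, non-"0" value means enabled.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Basic Bytes\Access Director'

function Get-AccessDirectorPolicy {
    # Reads every value under the policy key into a hashtable (empty if the key is absent).
    param([string]$Path = $KeyPath)
    $policy = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $policy[$name] = $key.GetValue($name) }
    }
    return $policy
}

function Test-AccessDirectorPolicy {
    # Returns one finding per setting whose documented behaviour widens or hides elevation.
    param([hashtable]$Policy)
    $on = { param($n) $Policy.ContainsKey($n) -and ("$($Policy[$n])" -notin @('', '0')) }
    $findings = @()
    if (& $on 'Resuscitate') {
        $findings += 'Resuscitate: elevation preserved across logoff/restart (documented as not recommended)'
    }
    if (& $on 'ElevateAtLogin') {
        $findings += 'ElevateAtLogin: privileges held for the whole login period'
    }
    if (& $on 'UserConfig') {
        $findings += 'UserConfig: end users can change Access Director settings'
    }
    if (-not (& $on 'AccessGroup') -and -not (& $on 'ActiveDirectory')) {
        $findings += 'No local group or Active Directory validation configured'
    }
    if (-not (& $on 'Audit')) {
        $findings += 'Audit off: no audit log; reason prompt and AuditURL have no effect'
    } elseif ("$($Policy['AuditURL'])" -match '^http://') {
        $findings += 'AuditURL uses http://: plain-text audit logs leave the machine unencrypted'
    }
    if ((& $on 'TokenElevation') -and -not (& $on 'SharedToken')) {
        $findings += 'TokenElevation set but SharedToken is missing'
    }
    return $findings
}

# Constructed sample: the page's Default Registry Configuration.
$sample = @{ AccessPeriod = 120; Audit = 1; AuditElevatedFiles = 1; AuditPrograms = 1
             AuditRefresh = 3600; AuditRFE = 1; AuditURL = 'http://accessdirector'
             Language = 'Auto'; VerboseLogging = 1 }
Test-AccessDirectorPolicy -Policy $sample
# On a managed client: Test-AccessDirectorPolicy -Policy (Get-AccessDirectorPolicy)
```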

Known issues

• Group Policy: UAC deny – set by Microsoft Policy
• Restricted Groups might remove user from Admin group
• User member of Local/Domain/Nested groups that grants access for interactive users

Contact Details

Company: Basic Bytes
Address: Humlevej 20, 8543 Hornslet
Denmark
Phone: +45 81818481
Email: info@Basic-Bytes.com
Website: https://basic-bytes.com/
Download Access Director: Access Director

Thank You