by Greg Shields
A central hurdle in eliminating administrator rights completely lies with your mobile workforce. Although many of the applications you use within your brick-and-mortar offices may be tunable using the Application Compatibility Toolkit (http://nexus.realtimepublishers.com/tips/Eliminating_Administrator_Privileges/Tactics_in_Using_UAC_for_Eliminating_Administrator_Rights.php), your ability to easily assist your users diminishes rapidly when they leave the office.
As users leave the office, they’re more or less on their own in terms of IT support. Those users can obviously call into your Help desk to request assistance, but that assistance is always challenging without the ability to actually see their desktops. It is for this reason that many organizations today have implemented Internet-accessible solutions for remote support. Tools such as LogMeIn and Citrix GoToAssist, among others, provide a seamless way for your Help desk to see the problems as the user experiences them.
Yet the ability to look over the shoulder of the user still doesn’t get around the occasional need for a remote user to perform an administrative action. Perhaps that user needs to change a network setting for a particular environment they’re connecting to. Or they need to install a local printer or other driver that they, as a standard user, simply don’t have the rights to install.
Even after you’ve gone through the effort of “fixing” your applications, these common tasks sometimes arise for users who are out of the office, and sometimes for users in the office as well. If you don’t want to grant them administrative privileges for everyday use, how do you give them one-time access to solve the problem of the day? The answer lies in a capability of UAC that is sometimes called “over-the-shoulder” (OTS) elevation.
Normally, when a standard user attempts some action that requires administrative privileges, that user is greeted with one of many “Access Denied” messages. The message reinforces to the user that they haven’t been given the privileges to accomplish the action, but it does nothing to solve the user’s immediate need.
An alternative approach for these one-time requests involves setting Group Policy. Under Policies | Windows Settings | Security Settings | Local Policies | Security Options is a setting titled User Account Control: Behavior of the elevation prompt for standard users. Three options are available for this setting, as explained in its Explain tab:
Earlier in this article series we discussed how many environments elected to turn off UAC entirely because of its noisiness. Doing so, however, also turns off UAC’s default behavior for standard users: for users without administrative privileges, UAC by default replaces the usual “Access Denied” error message with a prompt for alternate credentials.
This prompt for alternate credentials is different from the more seamless elevation enjoyed by regular administrators. In this situation the user has not been given administrative privileges, but needs them to accomplish a necessary task. The dialog box provides a mechanism for an administrator to enter their own credentials to complete that task.
Assuming the credentials are correct and the alternate username and password have administrative privileges, the action will be accomplished. Combining this capability with Internet-based screen sharing through tools like those discussed earlier provides a comprehensive solution for assisting non-administrative users while they’re on the road.
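Before relying on OTS elevation for road warriors, it is worth confirming what each laptop will actually do when a standard user hits a privileged action. The Group Policy setting above and the UAC on/off switch both land in the registry, so they can be audited from a script. The following PowerShell is an added example, not code from the original article; it reads the `EnableLUA` and `ConsentPromptBehaviorUser` values under the `Policies\System` key and reports the effective behavior. The function name is my own, and the script is assumed to run on a Windows machine with read access to that key.

```powershell
# Added example (not from the original article): report how UAC will treat a
# standard user's elevation attempt on this machine, by reading the registry
# values written by the Group Policy settings discussed above.
# Assumes Windows; reading HKLM policy values normally works without elevation.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# The three options of "User Account Control: Behavior of the elevation prompt
# for standard users" and the ConsentPromptBehaviorUser value each one writes.
$standardUserBehavior = @{
    0 = 'Automatically deny elevation requests (user sees Access Denied; no OTS elevation)'
    1 = 'Prompt for credentials on the secure desktop (OTS elevation available)'
    3 = 'Prompt for credentials (OTS elevation available; dialog on the normal desktop)'
}

function Get-UacStandardUserElevation {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # EnableLUA = 0 means UAC is switched off entirely. In that state the
    # standard-user credential prompt never appears, whatever the other value says.
    $uacEnabled = ($props.EnableLUA -ne 0)

    # When the policy has never been set, the value is absent and Windows falls
    # back to its built-in default; report that rather than guessing the number.
    $behavior = $props.ConsentPromptBehaviorUser
    $behaviorText = if ($null -eq $behavior) {
        'not configured (operating system default applies)'
    } elseif ($standardUserBehavior.ContainsKey([int]$behavior)) {
        $standardUserBehavior[[int]$behavior]
    } else {
        "unrecognized value $behavior"
    }

    $effective = if ($uacEnabled) { $behaviorText }
                 else { 'UAC disabled: standard users get Access Denied; no OTS elevation possible' }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        UacEnabled                = $uacEnabled
        ConsentPromptBehaviorUser = $behavior
        EffectiveBehavior         = $effective
    }
}

# Usage: run on the laptop, or remotely via Invoke-Command, and review the output.
Get-UacStandardUserElevation | Format-List
```

Run this against a sample of laptops before you tell the Help desk that OTS elevation is available; a machine where UAC was switched off to quiet the prompts will report that no credential prompt is possible, and the Help desk will need a different plan for it.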
What If There’s No Network?
Obviously the situation can arise where there is no network available for remotely sharing the user’s screen. If the user experiences their problem in an area where no network is available, or if the problem lies within the network connection itself, screen sharing simply won’t assist that user.
OTS elevations can assist during times like these as well. Recall that an OTS elevation requires a separate username and password, one with administrative privileges. That account need not be a domain account; it needs only local administrative privileges on the individual system where the problem occurs.
For extreme situations like this, pre-positioning a special local account with administrative privileges on every laptop can help. That local account has its own username and password, and works only on that individual laptop. With such an account in place, the Help desk can give the out-of-the-office user the username and password so that the user can resolve the problem on their own.
Once that username and password combination has been released to a user, the password must be changed at the next possible opportunity to restore its secrecy. Tools exist today that help manage local accounts and passwords, providing mechanisms to reset those accounts when they have been compromised or at regular intervals. Look for solutions such as Lieberman Software’s Enterprise Random Password Manager as well as other freeware and commercial solutions for centrally managing your local account passwords.
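The rotation step is the part that tends to be forgotten once the user’s problem is solved, so it pays to script it. The following PowerShell is an added example, not code from the original article or from any product named in it; it verifies that the pre-positioned account really is a local administrator, generates a random password without modulo bias, and sets it. It assumes Windows 10 or Server 2016 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated session; the account name `LaptopAssist` and both function names are placeholders chosen here.

```powershell
# Added example (not from the original article): rotate the password of a
# pre-positioned local administrator account after it has been disclosed.
# Assumes Windows 10 / Server 2016 or later for Get-LocalUser, Set-LocalUser and
# Get-LocalGroupMember, and an elevated PowerShell session.

$accountName = 'LaptopAssist'   # placeholder: the name of your own pre-positioned account

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet: 256 is a multiple of 64, so reducing each random
    # byte modulo 64 selects characters uniformly (no modulo bias).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-PrepositionedAdminPassword {
    param([Parameter(Mandatory)][string]$Name)

    $user = Get-LocalUser -Name $Name -ErrorAction Stop

    # Confirm membership in the local Administrators group by its well-known SID
    # (S-1-5-32-544) rather than by name, which is localized on some systems.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    if (-not ($admins | Where-Object { $_.SID -eq $user.SID })) {
        throw "'$Name' is not a member of the local Administrators group; refusing to rotate"
    }

    $plain  = New-RandomPassword -Length 20
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-LocalUser -Name $Name -Password $secure
    $plain = $null   # drop the clear-text reference as soon as the account is updated

    # The new password belongs in the Help desk's password store, never in a
    # log file or console transcript, so it is returned only as a SecureString.
    [pscustomobject]@{
        Account     = $Name
        RotatedAt   = Get-Date
        NewPassword = $secure
    }
}

# Usage: run after the Help desk has released the current password to a user.
$result = Reset-PrepositionedAdminPassword -Name $accountName
"Rotated {0} at {1}" -f $result.Account, $result.RotatedAt
```

Feeding the returned SecureString into your password vault, and scheduling the same function to run at a regular interval, gives you a minimal version of what the commercial tools above automate: a per-laptop account whose password is unique, unguessable, and short-lived once it has been spoken aloud over the phone.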
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of Microsoft “Most Valuable Professional” award.