AutoElevate allows for rapid conversion of users to Standard user privileges and can ensure enforcement of your security policies. This can be done on a computer-by-computer basis, by location, by company, or globally from the ‘Computers’ menu in the Admin Portal. By default, AutoElevate does not remove Admin privileges but can be set to do so once agents are in Live or Policy mode.
How does it work?
When the “Remove Admin Privileges” setting is enabled (set to “On”), it automatically removes the currently logged-in user from the local Administrators group. The user then needs to log out and log back in for their Admin privileges to be completely removed.
- For example, if Todd@MyDomain.local is explicitly part of the local Administrators group on the computer and “Remove Admin Privileges” is set to “On”, then when the user logs in, the account (Todd@MyDomain.local) will be removed from the local Administrators group.
- This functionality does NOT affect domain group membership OR modify domain groups on the local machine.
- For example, if the user is part of the “Domain Admins” group they will not be changed. Or, if the “Domain Users” group is part of the local Administrators group, then the domain user will still have Admin privileges. Domain groups and permissions will need to be managed separately.
Before You Begin
Be sure to set which accounts should NEVER be changed
The list of exceptions can be set globally on the Settings screen: click Edit (‘pencil’ icon) and list the local accounts that you do not wish to be converted to standard users as a comma-separated list of names in the Excluded Admin Users field (for example: Administrator, MSPAdmin, local-admin).
The global setting can be overridden for an individual Company by clicking Edit (‘pencil’ icon) next to the Company in the Companies grid, and then entering a comma-separated list of names in the Excluded Admin Users field.
Once you have set the list of accounts that should be excluded from having the Remove Admin Privileges setting applied, you may proceed to set the Remove Admin Privileges setting to “On” for the computer(s).
To “Remove Admin Privileges” do the following:
- Log in to the Web Admin Portal at https://msp.autoelevate.com using your email address and AutoElevate password.
- In the left-hand column, click “Computers”.
- On the computers grid, select the computer(s) you want to set to use Standard privileges by clicking the square next to each one.
- Click on the “Actions” menu at the top of the screen, and then click “Set to On” under the “Remove Admin Privileges” section.
Once set to “On”, at the next Agent check-in the logged-in user will be converted to a Standard user if:
- The logged-in user is configured as a local administrator on the machine
- The agent for the computer is in either Policy or Live mode
- The User is not listed as one of the “Excluded Admin Users” in either the global or company settings
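The following PowerShell audit is an added example (not AutoElevate's code or output) that classifies members of the local Administrators group by the rules described above: explicit user accounts are candidates for removal, excluded names are kept, and group members such as “Domain Users” are left in place. The function name, the sample members, and matching exclusions by account name without the domain or computer prefix are assumptions.

```powershell
# Added example, not AutoElevate code. Classifies local Administrators
# members the way the article describes the "Remove Admin Privileges" setting.

# Assumption: mirrors the "Excluded Admin Users" list entered in the portal;
# names are compared without the domain or computer prefix.
$ExcludedAdminUsers = 'Administrator', 'MSPAdmin', 'local-admin'

function Get-AdminRemovalAudit {
    param(
        [string[]]$Excluded = $ExcludedAdminUsers,
        # Defaults to the live group. S-1-5-32-544 is the well-known SID of
        # BUILTIN\Administrators, so this also works on localized Windows.
        [object[]]$Members = (Get-LocalGroupMember -SID 'S-1-5-32-544')
    )
    foreach ($m in $Members) {
        # Name is DOMAIN\account or COMPUTER\account; keep the account part.
        $account = ($m.Name -split '\\')[-1]
        $finding = if ($m.ObjectClass -eq 'Group') {
            'Group member: not changed by the setting, manage separately'
        } elseif ($Excluded -contains $account) {
            'Excluded: stays a local administrator'
        } else {
            'Explicit user: candidate for removal when logged in'
        }
        [pscustomobject]@{
            Member  = $m.Name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource
            Finding = $finding
        }
    }
}

# Constructed sample members (not real data) so the output can be read
# without a test machine; shaped like Get-LocalGroupMember results.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'MYDOMAIN\Todd';         ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'MYDOMAIN\Domain Users'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
)
Get-AdminRemovalAudit -Members $sample | Format-Table -AutoSize
```

Omit `-Members` to audit the machine the script runs on. Any row reported as a group member is an admin path that remains after the setting is turned on.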