Defining desktop access rights
When users log on with their normal Active Directory credentials, Windows brings up the default desktop for the user logging on. You can define desktop rights to enable users to create additional working environments—new desktops—that run using their own credentials but with the privileges of an Active Directory or built-in group.
Users who are assigned to a role with desktop rights can switch from their default desktop to a desktop with elevated privileges to perform administrative tasks. For example, if assigned to a role that has a desktop right, a user can create a new desktop and switch to it when he needs perform administrative tasks such as install new software or stop running services on the local computer account. The user can perform these tasks without having to enter the service account or Administrator password.
Users who are assigned a role with desktop rights can also select any application on the computer, right-click, and run the application using a selected role. The difference between the desktop right and an application right is that the desktop right allows the user to run any applications using the privileged account defined in the desktop right. An application right restricts access to a specific application using the privileged account explicitly defined for that application.
Desktop rights are useful for users who frequently perform tasks that require the privileges associated with the Administrator account.
- Open the Access Manager console.
- Expand Zones and the parent zone or child zones until you see the zone where you want to define a desktop right.
- Expand Authorization > Windows Right Definitions.
- Select Desktops, right-click, then click New Windows Desktop.
- On the General tab, type a name and a description for the desktop right.
For this Do this
Type the name you want to use for this desktop right.
For example, if the desktop allows a user to create a desktop using the privileges associated with a service account, you might include the security group in the name.
Type a description for this desktop right.
The description is optional. You can use it to provide a more detailed explanation of the privileges associated with the desktop.
Set the priority for this desktop right.
- Click the Run As tab.
You can browse for and select a specific group that will allow you to log on with your own credentials but with the elevated privileges of the specified group.
Click Add AD Groups or Add Built-in Groups to search for and select a previously‑defined or built-in group with the privileges you want to add to the logged in user’s account.
Select No re-authentication required to allow users to use the desktop right without any additional authentication.
Select Re-authenticate current user if you want to prevent the desktop right and its privileges from being used by anyone not authorized to do so. Selecting this option also allows you to enable multi-factor authentication for the right. For more information, see Enabling multi-factor authentication for Windows rights.
If you select the Re-authenticate current user option, users are prompted to re-enter their password to verify their identity before they are allowed to create a new desktop or switch between desktops. Forcing users to re-authenticate ensures the privileges associated with the desktop are only granted to users who have been assigned those privileges.
If you select this Re-authenticate current user option for users who are authenticated using a smart card, users must enter a personal identification number (PIN) or a password to resume working with the desktop.
- Click OK to save the desktop right.