Requiring users to justify privilege elevation
You can assign group policies that require your users to provide a reason when they choose to run an application with privilege. There are two group policies that you can use:
- Require justification on privilege elevation: Use this group policy to require any user to provide a reason when they operate with elevated privileges, such as run with privilege, run as role, and new desktop.
- Specify a privilege elevation validator: Use this computer configuration group policy to validate the ticket information that a user enters when they provide a ticket number along with a privilege elevation reason. You can validate ticket information with a customized PowerShell script against a ticketing system, such as ServiceNow.
You can use either of these policies on its own or both together. With either policy in place, when a user goes to run an application with privilege, they're prompted with an additional dialog box where they can enter a ticket number, a reason category, and any comments.
The dialog box prompts users to enter the following information:
- Ticket number: If you have enabled the privilege elevation validator policy and its script, you can validate the ticket number that a user enters against a ticketing system such as ServiceNow. If you haven't enabled the privilege elevation validator policy, users can enter any text string here.
- Reason: The user selects the reason category that best fits their situation. Their choices are:
  - Software Installation
  - Remote System Administration
  - Local System Administration
  - Windows Feature Management
  - System Networking Change
  - Maintenance (Shutdown, Reboot, Power Off)
  - PowerShell or Other CLI
  - Centrify Operation (Services, Zone Operations, etc.)
- Comment: The user enters any comments about their need to run with privilege. You can view these comments in the audit trail event.
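The following validator script is an added example, not Centrify's own code: it checks a ticket number against a ServiceNow instance over the Table API and fails closed on malformed input, lookup errors, or closed tickets. The invocation contract (ticket number passed as the first argument, exit code 0 meaning "valid"), the instance URL, and the credential file path are assumptions; consult the Group Policy Guide for the contract the validator policy actually uses.

```powershell
# Hypothetical privilege elevation validator (example code, not Centrify's).
# Assumed contract: invoked with the ticket number as its only argument;
# exit code 0 = accept the elevation, any non-zero code = reject it.
param(
    [Parameter(Mandatory = $true)][string]$TicketNumber
)

$ErrorActionPreference = 'Stop'

# Assumed environment values: a ServiceNow instance and a read-only service
# account exported earlier with Export-Clixml (DPAPI-protected on this host).
$Instance   = 'https://example.service-now.com'
$Credential = Import-Clixml -Path 'C:\ProgramData\Validator\snow-readonly.xml'

# Fail closed before touching the network: only well-formed incident numbers
# (ServiceNow's default INC + 7 digits) are ever sent in a query.
if ($TicketNumber -notmatch '^INC\d{7}$') {
    Write-Output "Rejected: '$TicketNumber' is not a well-formed incident number"
    exit 1
}

# Basic auth header built explicitly so it works on Windows PowerShell 5.1
# as well as PowerShell 7 (which would otherwise need -Authentication Basic).
$pair    = "$($Credential.UserName):$($Credential.GetNetworkCredential().Password)"
$headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    Accept        = 'application/json'
}

try {
    $uri = "$Instance/api/now/table/incident" +
           "?sysparm_query=number=$TicketNumber&sysparm_fields=number,state,active&sysparm_limit=1"
    $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
}
catch {
    # Network, TLS or authentication failure: reject rather than approve blindly.
    Write-Output "Rejected: could not query ticketing system ($($_.Exception.Message))"
    exit 2
}

# The Table API returns field values as strings, so 'active' is "true"/"false".
$ticket = $response.result | Select-Object -First 1
if (-not $ticket)                 { Write-Output "Rejected: $TicketNumber not found"; exit 3 }
if ($ticket.active -ne 'true')    { Write-Output "Rejected: $TicketNumber is closed"; exit 4 }

Write-Output "Accepted: $TicketNumber (state $($ticket.state))"
exit 0
```

Each rejection path writes a distinct message and exit code so the outcome can be correlated with the audit trail event for the elevation attempt.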
For more details about these policies, see the Group Policy Guide and each group policy's explain text.