Creating a desktop right

In the preceding section, you saw how to elevate privileges by creating an application right for a specific application. To grant administrative access to more than a single application at a time, you can allow users to open a desktop that has administrative privileges.

If you have completed the exercises in the previous sections, you are ready to create your first desktop right. If you have not completed all of the exercises to this point, you might not be able to perform the following exercise successfully.

In the next exercise, you will create a desktop access right, create a new role, assign the desktop right to the new role, and assign the role to Eval Group. At the end of this exercise, you will use the desktop right to modify a restricted folder. The steps in this exercise are similar to the steps that you performed in the preceding exercise to create an application right.

  1. Log on with your administrator account and open Access Manager.
  2. Create the new desktop right.

    • Select Windows Right Definitions > Desktops, right-click, then select New Windows Desktop.

    • Type DesktopRight as the name of the new desktop right on the General tab.

    • Click the Run As tab, then click Add Built-in Groups.

    • Select the Administrators group, then click OK.

    • Select Re-authenticate current user to require users to authenticate their identity when they use a role with this right, then click OK.

    • Select Require multi-factor authentication If you would like to enable multi-factor authentication for the right.

    Before you enable multi-factor authentication, you should be aware that multi-factor authentication for Centrify-managed Windows computers relies on the infrastructure provided by Privileged Access Service. For more information on preparing to use multi-factor authentication, see the Multi-factor Authentication Quick Start Guide.

  3. Create a new role definition.

    • Select Role Definitions, right-click, then select Add Role.

    • Type DesktopAdmin as the name of the new role on the General tab.

    • Click OK.

  4. Add the desktop right to the new role.

    • Select Role Definitions, right-click the DesktopAdmin role, and select Add Right.

    • Select DesktopRight and click OK.

  5. Assign the role to a group.

    • Select Role Assignments, right-click, then select Assign Role.

    • Select DesktopAdmin from the list and click OK to display Assign Role.

    • Click Add AD Account.

    • Change the Find filter from User to Group.

    • Search for and select the group you created for the evaluation (for example, Eval Group), then click OK.

    • Verify that the account is included in the Accounts list in the Assign Roles dialog box, then click OK.

    • Open the Privilege Elevation Service Settings (from the Agent Configuration shortcut > Centrify Privilege Elevation Service > Settings), click the Troubleshooting tab, then click Refresh to get the latest authorization information.

  1. Log off as the administrator and log on as amy.adams.
  2. Open Windows Explorer and go to the C:\Windows folder.
  3. Try to create a new folder in this location.

    From the default desktop for this account, the user does not have the necessary privileges to create a new folder. The only way she can create a new folder is by using administrator credentials.

  4. Click the carat in the system tray notification area to display hidden icons, then click the Centrify icon to display the applet options.

  5. Select New Desktop.

  6. Select the DesktopAdmin role, then click OK.

  7. Type the password for the logon account, then click OK.

    Notice that your new role is displayed when you left click on the Centrify icon in your task bar.

  8. Try to create a new folder in the C:\Windows directory.

    Now you can create a new folder because the desktop that you are using has all of the rights associated with the Administrators group.

Note:   On Windows 10 and Windows Server 2016 systems, task bar menus are not available in an Elevated Desktop.

In this exercise, you created a role with the right to create a desktop with administrator privileges. You found that opening a new desktop with that role allowed you to perform administrative functions using your own credentials.