User Privilege Rules
For any rule in the User Privileges node, you can select the User Privilege Policies to be applied to files, folders, signatures, groups, and Windows Components when the rule is matched. You can configure self-elevation to allow a user to run an item with elevated user privileges. You can also use system controls to restrict the ability of users to uninstall or modify selected applications, to manage specified services, or to clear event logs.
Select the User Privileges node for the rule you wish to configure. Four tabs are displayed in the work area: Applications, Components, Self-Elevation and System Controls.
Applications
To add a file, folder, signature, or group to the Applications tab, click Add Item in the Privilege Management ribbon. The item is listed in the tab under the columns Item, Policy, and Description. To change the policy applied to the file, folder, or signature, double-click the item to access the edit dialog box. Select the policy to apply from the Policy drop-down list.
For more information on adding items, see Rule Items.
Components
Because Management Console snap-ins and Control Panel Applets are not executables, they cannot be elevated using a single executable. Instead, they must be elevated using command line matching. However, the Components section provides shortcuts to configuring these items. Each shortcut is equivalent to an Add File UPM policy with specified arguments.
Command line arguments and spawning mechanisms will vary depending on the operating system your individual users are using.
Control Panel components and Network Adapter features and functions are typically controlled by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not recommended, because every process started from the shell would then inherit those rights. Windows components can be elevated or restricted without changing any rights associated with explorer.exe.
Use the filter in the Select Components dialog to filter the supported components by operating system.
- Expand the applicable Group rule in the navigation pane and select the User Privileges node.
- Select the Components tab in the work area.
- In the Privilege Management ribbon, select Add Item > Add Component. The Select Components dialog displays.
- Select the components you want the user to run as an administrator, for example, Add and Remove Programs\Programs and Features.
- Click OK. The component is now listed in the Components tab.
- Do one of the following:
  - To elevate the privileges for the selected component, select Builtin Elevate from the drop-down in the User Rights Policy column.
  - To restrict the privileges for the selected component, select Builtin Restrict from the drop-down in the User Rights Policy column.
- Save the configuration.
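Because a component is matched on the command line of its host process rather than on a single executable, it helps to see the exact arguments a component is started with on the operating systems your users run. The following added example (not Ivanti's code, and not part of this page) lists those command lines; it assumes the hosts are mmc.exe, control.exe and rundll32.exe, which you can adjust.

```powershell
# Added example, not part of Application Control: show the host processes that
# typically carry Management Console snap-ins and Control Panel applets, with the
# exact command line each was started with, so a rule can match on those arguments.
# Assumption: the hosts are mmc.exe, control.exe and rundll32.exe; change
# $HostExecutables to suit your environment.
function Get-ComponentHostCommandLine {
    [CmdletBinding()]
    param(
        [string[]]$HostExecutables = @('mmc.exe', 'control.exe', 'rundll32.exe')
    )

    # Snapshot every process once so parents can be resolved without a second query.
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    $all |
        Where-Object { $HostExecutables -contains $_.Name } |   # -contains is case-insensitive
        ForEach-Object {
            $parent = $byId[[int]$_.ParentProcessId]
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Host        = $_.Name
                Parent      = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $_.CommandLine      # the arguments a component rule must match
            }
        }
}

# Run this while a user opens the component you intend to elevate or restrict,
# then copy the observed arguments into the rule for that operating system.
Get-ComponentHostCommandLine | Format-Table -AutoSize -Wrap
```

Because the arguments differ between Windows versions, repeat the capture on each operating system in scope before finalising the rule.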
UAC Replacement
UAC Replacement was introduced in Application Control release 2020.2 and complements the existing Self-Elevation functionality within Application Control. It detects whether a selected application will display the UAC prompt and, if it does, allows administrators to determine the permitted access.
For more information, see UAC Replacement.
Self-Elevation
Self-Elevation can be applied to signature, file, and folder items that would usually require administrative privileges to run and function. Self-Elevation provides an option in the Windows Explorer context menu to run an item with elevated rights. When a user attempts to elevate a specified item, a prompt can be configured to request that the user enter a reason for the elevation before it is applied.
For more information, see Self-Elevation.
System Controls
System Controls are used to allow or prevent named services from being stopped, event logs from being cleared, and specific applications from being uninstalled or modified.
For more information, see System Controls.