Just a few comments here. Privilege Manager solves the problem of running with least privilege at a deeper level than just file and registry permissions. You can do things like grant user rights, allow ActiveX installations, run core OS tasks (e.g. install a printer) that would normally require elevated rights. So, I would look at it as a more holistic approach for getting to least privilege use. Frankly, if anyone is allowing their users to run as administrator on their boxes, they are asking for a lot of pain.

That being said, everyone's business requirements are different and environmental complexity varies, but if your business requires you to get to least privilege, then products like Privilege Manager can make that easier and frankly, more reliable than trying to poke around the file system and registry and hoping you find everything. Also, keep in mind that doing those file system or registry changes means that you are persisting access to those locations to any process running on the system. As an alternative, products that elevate on a per-process basis prevent this opening completely.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 2:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

Thanks for the feedback Michael. I know I can create security templates for the problem applications and apply them with GP but I really hate changing default file/registry permissions. That is really just side-stepping the problem instead of solving it. Ultimately folks need to understand how to properly design an application to run as a normal user, but that is easier said than done when dealing with tons of different vendors.

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pietrzak
Sent: Wednesday, April 16, 2008 12:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

I looked at it a while back and for the price they were asking for, it didn't seem well worth it. I guess it comes down to need. If you have funky off the wall applications that need to be run as administrator to run, update etc, then it's the perfect tool for elevating privileges. But it's a real niche product and sometimes you can accomplish the same thing by messing with the ACL's for the program's file group and add the domain users group to full control on the entire folder group. That's how we worked around having to give admin access to all our users. But the company seems good and tech support was very helpful when I was testing it out.

Michael

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 10:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] BeyondTrust Privilege Manager

Is anyone out there currently using BeyondTrust® Privilege Manager in their Group Policy environment? If so, what are your thoughts about it? What I've seen and heard looks pretty cool, but I am interested in some real-world feedback on how effective it really is. Any help is greatly appreciated.

Regards,

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com

_____

This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above.
If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply).
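
The file-system workaround discussed in this thread leaves a standing grant that every process running as the user can use. As an added example (not code from any poster or from BeyondTrust), this PowerShell audit lists directories where a broad group holds an explicit, write-capable allow entry; `$Root`, the principal list and the `CONTOSO` domain name are assumptions.

```powershell
# Added example: find directories where a broad group was granted write access.
# $Root and $BroadPrincipals are assumptions; adjust them to your environment.
param(
    [string]$Root = $env:ProgramFiles,
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'CONTOSO\Domain Users'   # placeholder domain name
    )
)

# Bits that let a standard user's process change program files or their ACLs.
# FullControl and Modify are not used as the mask because they also contain
# read bits, which would match every entry.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericBits = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, seen on inherit-only entries
$Mask = $WriteBits -bor $GenericBits

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            return   # unreadable directory: skip it and continue with the next one
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Report only the folder where the grant was set, not every child.
            if ($ace.IsInherited) { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
```

Each row it prints is a location that any code running as a member of that group can modify, which is the persistent opening the thread contrasts with per-process elevation.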