To view or edit the General Rules of a Workstyle, select Windows > Workstyles > 'Workstyle Name' > General Rules from the policy tree.
Collect User Information
This rule, when enabled, raises an audit event each time a user logs onto the client machine. The audit event collects the following information, which is reported through the Reporting pack:
- Logon Time: The date and time the user logged on.
- Is Administrator: The client checks whether the user account has been granted local administrator rights either directly or through group membership.
- Session Type: The type of logon session, for example, console, RDP, or ICA.
- Session Locale: The regional settings of the user session/profile.
- Logon Client Session Hostname: The hostname of the client the user is logging on from. This is either the local computer (for Console sessions) or the remote device name (for remote sessions).
- Logon Client Session IP Address: The IP address of the client the user is logging on from. This is either the local computer (for console sessions) or the remote device name (for remote sessions).
For more information on user information reporting, please see the BeyondTrust Privilege Management Reporting guides.
Collect Host Information
This rule, when enabled, raises an audit event on computer start-up or when the Privilege Management for Windows service is started. The audit event collects the following information, which is reported through the Reporting pack:
- Instance ID: A unique reference identifying a specific service start event.
- OS Version: The name and version of the operating system, including service pack.
- Chassis Type: The type of chassis of the client, for example, workstation, mobile, server, or VM.
- Language: The default system language.
- Location: The current region and time zone of the device.
- Client Version: The version of the Privilege Management for Windows.
- Client Settings: The type of installation and current settings of the Privilege Management for Windows.
- System Uptime: Time since the computer booted.
- Unexpected Service Start: Only added if the service has unexpectedly started (that is, a previous start was not proceeded by a service stop).
An additional event is raised if the computer shuts down, or if the Privilege Management for Windows service is stopped:
- Instance ID: A unique reference identifying the last service start event.
- Computer Shutdown: Value identifying whether the service stopped as part of a computer shutdown event.
This option is only available in policies set under the Computer Configuration Group policy.
For more information on computer information reporting, please see the BeyondTrust Privilege Management Reporting guides.
Prohibit Privileged Account Management
This rule, when enabled, blocks users from modifying local privileged group memberships. This prevents real administrators, or applications which have been granted administrative rights through Privilege Management for Windows, from adding and/or removing and/or modifying a privileged account.
The list of local privileged groups that are prohibited from modification when this rule is enabled is:
- Built-in administrators
- Power users
- Account operators
- Server operators
- Printer operators
- Backup operators
- RAS servers group
- Network configuration operators
This rule provides three options:
- Not Configured: This Workstyle is ignored.
- Enabled: The user cannot add, remove, or modify user accounts in local privileged groups.
- Disabled: Default behavior based on the users rights or those of the application.
Enable Windows Remote Management Connections
This rule, when enabled, authorizes standard users who match the Workstyle to connect to a computer remotely using WinRM, which would normally require local administrator rights. This general rule supports remote PowerShell command management, and must be enabled in order to allow a standard user to execute PowerShell scripts and/or commands.
To allow remote network connections, you may be required to enable the Windows Group Policy setting access this computer from the network.