Troubleshooting Process Elevation in Privilege Manager

Oct. 12th 2016

Here are some tips when trying to discover why the process elevation feature is not working as expected.

  • Ensure that the rule has been created, has been saved and applied to a Group Policy Object (GPO). Ensure this GPO has been linked to either an OU or the domain.
  • Ensure that the Privilege Authority Client is installed on the client machine by looking in the Add/Remove Programs applet. If WMI is available, you can query the machine by dropping into a command prompt and typing "wmic /node:<fqdn of machine> product get name,version". If you need PowerShell, there is a great script located here.
  • From the command prompt, run ‘GPUpdate /force’ to make sure that the Group Policy has been refreshed.
  • Run ‘GPResult’ (or ‘GPResult /R’ on Windows 7 or 2008), and check that the GPO the rule belongs to has been applied to that machine. You can also use the Resultant Set of Policy (RSoP) feature or Group Policy Modeling in the Group Policy Console. For more info, see here.
  • Check in the registry for the rule. Rules are copied to the key HKEY_LOCAL_MACHINE\Software\ScriptLogic Corporation\Privilege Authority\CSE\CSEHost\Host. Under this key you will see a key which is the SID for each user (e.g. S-1-5-21-15….) and then a unique GUID for each rule underneath it. To match the SID to a user account, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and look at the data in the ProfileImagePath value, or use the script provided below.

You can also create a VB Script using the following script:

    ' Resolve the logged-on user's account name to its SID via WMI (Win32_UserAccount)
    Set oShell = CreateObject("WScript.Shell")
    User = oShell.ExpandEnvironmentStrings("%UserName%")
    UserDomain = oShell.ExpandEnvironmentStrings("%UserDomain%")
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objAccount = objWMIService.Get("Win32_UserAccount.Name='" & User & "',Domain='" & UserDomain & "'")
    ' Print DOMAIN\User = SID, then the SID alone
    DisplayString = UserDomain & "\" & User & " = " & objAccount.SID
    WScript.Echo DisplayString
    WScript.Echo objAccount.SID

  • If the rule is present in the registry, enable logging to troubleshoot further.

To Enable Logging


Under the registry key HKLM\Software\ScriptLogic Corporation\Privilege Authority\ change ‘LogLevel’ from the default value of 0 to 3 and restart the ScriptLogic Privilege Authority Host Service.  The log files can be found in the folder specified in the ‘InstallPath’ value under this same key. The default log location is C:\ProgramData\Privilege Authority\Logs.

  • Run the application or target process that you have created your rule for. Then go to the log file folder (by default – C:\ProgramData\Privilege Authority\Logs) and open the CSEHostEngine.log file. Every process that is being run by the user will be displayed.  To the right of each process, you will see a “MATCH” or “NO MATCH” status indicating whether or not the process matched a given Privilege Authority rule. Then, do a search for the process that you are trying to elevate and see if there is a match or not.
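The checklist above as one PowerShell script run on the client machine. This is an added example, not code from the original post or from the product vendor; it assumes the registry paths and default log folder the post names, that the client's Add/Remove Programs entry has a DisplayName containing "Privilege Authority", and that each CSEHostEngine.log line names the process and carries MATCH or NO MATCH.

```powershell
# Added example (not from the post or the vendor). Paths below are the ones the post gives.
$paKey   = 'HKLM:\SOFTWARE\ScriptLogic Corporation\Privilege Authority'
$ruleKey = "$paKey\CSE\CSEHost\Host"
$logDir  = 'C:\ProgramData\Privilege Authority\Logs'   # default log location per the post

function Test-ClientInstalled {
    # Same question as the wmic product query, answered from the Uninstall key
    # (assumption: DisplayName contains 'Privilege Authority'; on 64-bit hosts also check WOW6432Node).
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object DisplayName -like '*Privilege Authority*' | Select-Object DisplayName, DisplayVersion
}

function Get-PrivilegeAuthorityRules {
    # Registry check: one subkey per user SID, one GUID subkey per rule beneath it.
    if (-not (Test-Path $ruleKey)) { Write-Warning "No rules under $ruleKey"; return }
    foreach ($sidKey in Get-ChildItem $ruleKey) {
        $sid = $sidKey.PSChildName
        try {   # resolve the SID to DOMAIN\User; fall back to ProfileImagePath as the post suggests
            $account = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
        } catch {
            $prof = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -ErrorAction SilentlyContinue
            $account = if ($prof) { $prof.ProfileImagePath } else { '<unresolved>' }
        }
        foreach ($rule in Get-ChildItem $sidKey.PSPath) {
            [pscustomobject]@{ SID = $sid; Account = $account; RuleGuid = $rule.PSChildName }
        }
    }
}

function Get-PrivilegeAuthorityLogging {
    # LogLevel 0 is the default; the post raises it to 3 and restarts the host service.
    $p = Get-ItemProperty $paKey -ErrorAction SilentlyContinue
    [pscustomobject]@{ LogLevel = $p.LogLevel; InstallPath = $p.InstallPath }
}

function Find-ProcessMatch {
    param([Parameter(Mandatory)][string]$ProcessName, [string]$LogFile = "$logDir\CSEHostEngine.log")
    # Log check (assumption: each line names the process and ends in MATCH or NO MATCH).
    # 'NO MATCH' is tested first because 'MATCH' is a substring of it.
    Select-String -Path $LogFile -Pattern $ProcessName -SimpleMatch | ForEach-Object {
        $status = if ($_.Line -match 'NO MATCH') { 'NO MATCH' } elseif ($_.Line -match 'MATCH') { 'MATCH' } else { 'unknown' }
        [pscustomobject]@{ Line = $_.LineNumber; Status = $status; Text = $_.Line.Trim() }
    }
}

Test-ClientInstalled
Get-PrivilegeAuthorityRules | Format-Table -AutoSize
Get-PrivilegeAuthorityLogging
Find-ProcessMatch -ProcessName 'notepad.exe' | Format-Table -AutoSize   # substitute your target process
```

If a rule shows under the user's SID but the log reports NO MATCH, the rule's matching criteria (not policy delivery) are the place to look next.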
Posted by LeadThem Consulting | in Uncategorized

Troubleshooting Desktop Authority

Oct. 10th 2016

As with any computer program, especially a management application such as Desktop Authority (DA), there will be times when you’ll be required to troubleshoot issues that may be encountered while using the product.  This is a brief overview of the log files produced by DA to assist with troubleshooting.

There are three categories of log files we can view when troubleshooting issues with Desktop Authority.

  • Manager (console) log files
  • User Based Management client log files
  • Computer Based Management log files

Let’s look at all three categories in more detail.

Manager Log files

These log files can be found on the Manager Console machine and depending on the OS, are found in different locations.

— W2k3 = %ALLUSERSPROFILE%\Application Data\ScriptLogic\DAConsole\

— W2k8 & W2k12 = %PROGRAMDATA%\ScriptLogic\DAConsole\

  • The DAConsole.log records general activity encountered during the launching of the manager console.
  • The DAConsole_errors.log records any errors or exceptions encountered when launching or running the manager console.
  • The SMWinService.log records all activity related to the Desktop Authority Manager Service.
  • The SMWinService_errors.log records any errors or exceptions encountered when launching or running the Desktop Authority Manager Service.

User Based Management Client Log files

These log files can be found on the client machine under %TEMP%\Desktop Authority.

  • The SLTrace.htm file is used primarily to troubleshoot User Based Management settings executed during the logon event.
  • The SLTraceEnforce.htm file is used to troubleshoot User Based Management settings executed during the refresh event.
  • The SLTraceLogoff.htm file is used to troubleshoot User Based Management settings executed during the logoff event.
  • The SLBoost.log file is used to record activity encountered when attempting to provision the target machine.
  • The SLInstall.log file is used to record activity encountered when attempting to provision the target machine with the DAClientInstall.msi.
  • The SLAgent.log file is used to record details of activity recorded in the trace files, but mainly pertaining to the Run As Admin feature.

Computer Based Management Client Log files

These files are located on the client machine in %WINDIR%\Temp\Desktop Authority.

The ComputerManagementTrace.htm file is used to record the activity for all computer based management settings on a daily basis.

The SLTraceUSLoc.htm file is used to record the locator activity.


Hopefully these files, in addition to the regular Windows event logs and other systems, can help you to quickly pinpoint and resolve any issue you encounter when using the product. Good luck and happy computing!

Posted by LeadThem Consulting | in Authentication Services