On - Allows users to elevate privileges for a selected file. Enables Require approval and Require reason. Disables Block Run As Admin.

Off - Denies users the ability to elevate privileges for a selected file. Enables Block Run As Admin, which is how users with admin credentials can still elevate privileges.

On - Denies users the ability to execute Run As Admin even if administrator credentials are available (i.e. no UAC window is presented).

Off - Allows users with administrator credentials to execute Run As Admin (i.e. UAC window pops-up asking for admin credentials).

On - Sends a request to the IT team, which must be approved before elevation is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to elevate file privileges (and thus perform the action) as soon as the action is selected. For example, selecting "Run as administrator" to execute a program occurs immediately, without requiring approval. Makes Require reason optional (i.e. can be either On or Off).

On - Extends the UAC window and asks the user to enter email address, phone number and reason. Reason must comprise at least two words. This information is stored in the Auditlog.

Off - No reason is required by the user, but details of the actions performed are stored in the Auditlog.

On - Allows users to effectively become a local administrator for the number of minutes specified in Access time (minutes). Enables Require approval, Require reason and Access time (minutes).

Off - Denies users the ability to become a local administrator. Hides all other options under Admin Session.

On - Sends a request to the IT team, which must be approved before the request is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to become a local administrator as soon as the request is made. Makes Require reason optional (i.e. can be either On or Off).

On - Extends the UAC window and asks the user to enter email address, phone number and reason. This information is stored in the Auditlog.

Off - No further information is required by the user, but user and computer details are stored in the Auditlog.

The maximum duration in minutes an Admin Session may last. This time must be sufficient for the user to install software or perform any other tasks that require elevation.

On - Additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Standard email address format. Use a new line for each address.

A list of groups into which users are placed, with multiple groups on separate lines.

A list of groups into which computers are placed, with multiple groups on separate lines.

A list of organizational units into which users are placed, with multiple OUs on separate lines.

A list of organizational units into which computers are placed, with multiple OUs on separate lines.

Description

On - Use the logo file selected under Logo file.

Add the file before turning this setting on.

Off - Do not use a logo file.

The name of the organization as it will appear in the portal and in Admin By Request dialog boxes on endpoints.

Use the Browse button to open an operating system File open dialog box. Locate and select a logo file.

Add a file here before turning on the Use logo file setting.

Auto-detect - The language used is the same as that used by the operating system.

Force <Language> - The language used is the one chosen from this selection list.

Auto-detect - The skin (light or dark) depends on what is currently being used by the operating system.

Light - Uses a light skin for Admin By Request dialog boxes.

Dark - Uses a dark skin for Admin By Request dialog boxes.

Follow Operating System - The skin (light or dark) depends on what is currently being used by the operating system.

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

Description

On - Admin privileges are removed for all users except those appearing in the Excluded accounts list..

Off - Admin privileges are not removed for users configured locally as administrators.

The account name(s) to retain local admin privileges. Multiple accounts must be specified on separate lines. Domain accounts must be prefixed with domain and backslash.

On - Prevent the user from starting any file from the System32 directory with administrative privileges, such as cmd.exe or regedit.exe. Define exceptions under App Control > PRE-APPROVE.

Off - Allow user to run system files with admin privileges.

On - Prevent spawning any sub-processes of system files. Requires endpoint software version 8.3+.

Off - Do not prevent spawning of sub-processes.

On - Remove the option to use a PIN Code to unlock an admin session or unlock a blocked application. If this option is Off and admin sessions are disabled, the system tray menu item to start an admin session will be removed.

Off - Allow access to the PIN Code unlock option (unless Allow Admin Sessions is Off under Authorization > AUTHORIZATION).

On - Forcibly close any application that runs UAC-elevated at the end of the admin session. This prevents users from keeping a permanently elevated process running as administrator.

Note that long-running installations that run past the allowed admin time will also be forcibly closed. To avoid this, make sure the access time is sufficient to install software.

Off - Do not force closure of applications that run UAC-elevated.

On - Additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Standard email address format. Use a new line for each address.

On - .Relevant details about the application are logged.

Off - No logging is performed for this application.

On - .The user must confirm elevation on the endpoint before the application can be run. This is the typical UAC window.

Off - The user does not need to confirm elevation on the endpoint before execution. Hides the Log to auditlog field.

Run As Admin application pre-approval - Pre-approve this application for Run As Admin.

Run As Admin vendor pre-approval (digital certificate) - Pre-approve all applications based on the specifiedVendor digital certificate.

Selecting this option enables the Vendor field and hides all other fields.

Run As Admin location pre-approval (all files in folder tree) - Pre-approve all applications in the specified folder, including any sub-folders.

Selecting this option enables the Directory field and hides all other fields.

Force running application elevated (legacy application) - .Pre-approve this application to run elevated regardless of any other conditions.

Use the Browse button to select a valid Vendor certificate file.

Prevent users from bypassing pre-approval by file renaming.

File must be located in read-only directory - The recommended method. File must be in a read-only location. You only need to know the name and location and you are not bound to a specific file version.

File must match digital certificate - Vendor digital certificate of a file. Recommended if you have a copy of the file.

File must match checksum - A checksum of a specific file version. If the file is updated, the checksum no longer matches and a new one must be collected.

No protection (not recommended) - Not recommended for anything except testing. The file can be located anywhere and is a file renaming vulnerability, in case a user is aware of (or can guess) the file name.

Program Files or subfolder - The Program Files folder, typically either C:\Program Files or C:\Program Files (x86).

Windows directory or subfolder - The Windows system folder, typically C:\Windows\System32.

Custom read-only location - Shows an additional field labeled Directory if selected.

A read-only location where the application to be added is stored. Can include the following environment variables:

• %PROGRAMFILES%

• %WINDIR%

• %USERPROFILE%

• %APPDATA%

If the directory entered is not on the local machine, a UNC path can be used. The endpoint software will automatically translate drive letters to UNC path.

The name of the application. Mandatory, although used for convenience only to help identify applications in the list.

Use the Browse button to open an operating system File open dialog box. Locate and select a file with one of the following extensions:

• exe

• msi

• msc

• cpl

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

The caption used for the system tray menu item. Enter the text to be used for the name or caption. Does not have to match the executable File name.

Note that any webhooks you have created appear in a selection list when you click this field. The list is for convenience only and simply "pastes" the webhook caption into the field - no other fields are populated.

The name of the executable file, including it's full path.

You can also specify a web address (i.e. URL) in this field, in which case the Run As Admin toggle should be Off for security reasons.

Text values entered here are appended to the File as parameters during execution.

On - Allows the executable file named in File to be Run As Admin (i.e. run as an administrator).

Off - Does not allow the executable file named in File to be Run As Admin. This should be the option selected if the entry in File is a web address.

On - Inserts a line above this menu item. Allows tray tool menu items to be grouped.

Off - No line is inserted.

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

On - Create an alias for each user.

Off - Do not create aliases for users.

On - Record the name of each user associated with an ABR event.

Off - Do not record user names.

On - Record email addresses associated with a user.

Off - Do not record email addresses.

On - Record phone numbers associated with a user.

Off - Do not record phone numbers.

On - Record hardware and software inventory data.

Off - Do not record inventory data.

On - Record the location of the public IP address associated with the user’s endpoint.

Off - Do not record IP addresses.

Approved email - Loads a template that advises the user (i.e. requester) that the request for access has been approved.

Denied email - Loads a template that advises the request for access has been denied without giving a reason.

Denied with reason - Loads a template that advises the request for access has been denied and provides the reason.

Administrator notify - Loads a template that advises the administrator (i.e. person who approves or denies) that a request for access is waiting for attention.

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Refer to for more information on configuring an email address to be used as the sender for all user notifications.

Text that will appear in the subject line of emails.

Loads the default Email template for the option selected.

NOTE:

• Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

• Using this button will overwrite any customization you might have done in the Template body.

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE: This is optional. But you cannot add an email sender field of e.g. "tom@mydomain.com" unless you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).

The body of the email to be sent.

Includes three views:

• Design: WYSIWYG view of content. Enter and format body text here.

• HTML: The same content in HTML format. Can also be edited if necessary and changes will be reflected in Design and Preview.

• Preview: What the recipient sees. Read only - switch to Design view to make changes.

Dynamic content tags

Tags can be used in the body, which are place holders in curly braces. These are replaced with actual request values when emails are sent.

The following tags are available:

• {UserFullName} Name of requesting user

• {UserEmail} Email address of requesting user

• {UserPhone} Phone number of requesting user

• {UserReason} Reason the requesting user gave

• {DenyReason} Admin's reason for denial (only used for denial with reason)

• {ComputerName} Name of requesting computer

• {AdminUserName} Name of administrator receiving notification (only for admin notify)

• {AppName} Name of Run As Admin application

The email address to which emails intended for your ticket system will be sent.

For example: itsupport@mycompany.com

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Text that will appear in the subject line of emails.

Loads the default Email template for the option selected.

NOTE:

• Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

• Using this button will overwrite any customization you might have done in the Template body.

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE: This is optional. But you cannot add an email sender field of e.g. "tom@mydomain.com" unless you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).

The body of the email to be sent to the ticketing system.

Includes three views:

• Design: WYSIWYG view of content. Enter and format body text here.

• HTML: The same content in HTML format. Can also be edited if necessary and changes will be reflected in Design and Preview.

• Preview: What the recipient sees. Read only - switch to Design view to make changes.

Dynamic content tags

Tags can be used in the body, which are place holders in curly braces. These are replaced with actual request values when emails are sent.

The following tags are available:

• {ID} Unique auditlog trace no

• {APIID} ID for looking up this entry through the public Auditlog API

• {Status} Requested, Approved, Denied, Started, Finished

• {Type} Session, Run As Admin

• {AppName} Name of Run As Admin application

• {UserFullName} Name of the requesting user

• {UserEmail} Email address of requesting user

• {UserPhone} Phone number of requesting user

• {UserReason} Reason the requesting user gave

• {DenyReason} Admin's reason for denial

• {ComputerName} Name of requesting computer

• {AdminUserName} Admin approving or denying request

• {ElevationList} Applications run as administrator

• {InstallList} Installed programs

• {UninstallList} Uninstalled programs

• {AuditlogURL} URL to this entry in the auditlog

• {RequestURL} URL to this entry in requests

Ticket ID

You can find a ticket by its ticket ID using the Search button in the Auditlog.

Voided text

If a line has one or more tags and all tags in the line are empty, the entire line is automatically removed.

On - Sends a notification for User requests Run As Admin approval.

Off - Does not send a notification.

On - Sends a notification for Admin approves Run As Admin request.

Off - Does not send a notification.

On - Sends a notification for Admin denies Run As Admin request.

Off - Does not send a notification.

On - Sends a notification for User starts Run As Admin.

Off - Does not send a notification.

On - Sends a notification for User finishes Run As Admin

Off - Does not send a notification.

On - Sends a notification for User requests Admin Session approval.

Off - Does not send a notification.

On - Sends a notification for Admin approves Admin Session request.

Off - Does not send a notification.

On - Sends a notification for Admin denies Admin Session request.

Off - Does not send a notification.

On - Sends a notification for User starts Admin Session.

Off - Does not send a notification.

On - Sends a notification for User finishes Admin Session

Off - Does not send a notification.