Give us a call at 262.299.4606 to discuss how FastTrack can help your organization or email us here

We would be happy to show you a demo. Give us a call at 262-299-4606 or drop us an email at sales@fasttracksoftware.com
FastTrack admin

Admin By Request

Admin By Request is second product developed by FastTrack Software. The idea is to remove all local admin rights from workstations and have users request administrator access under full audit.

This page gives you an idea of the product. For more information and trial download, please go to the product web site at www.adminbyrequest.com.
Download FastTrack Automation Studio

Removing local admin rights

Department of Commerce Red Cross Kpmg Booking Aspen Dental Hamilton Beach Toyota Disney Kawasaki Goodyear NOAA

Admin By Request Concept

The problem most companies are still facing is that users need to be local administrators, typically to install software or to run legacy applications. And to some extent, the local administrator rights are abused for personal reasons. To totally avoid this, you (the IT department) would have to script every piece of software any user may need - or alternatively, you would have to manually install software for all users. Both are extremely time consuming and therefore the pragmatic solution is often to let users be local administrators and hope for the best with User Account Control (UAC). Although UAC along with protective software do prevent most viruses, malware and ransomware from being installed, attacks happen anyway. Here is why. What would your users do, if they see this?

Java update

Java? Yes, I probably need that. All it takes is one user clicking "Yes". Think about that for a minute.

The user is not aware that there has to be a valid certificate from "Oracle America, Inc" for it to be the file they expected, nor can they be expected to know so. The file on the image might very well be Russian malware. This is why you need Admin By Request (ABR). When you install ABR on clients, users are no longer local administrators by default, unless you give them a "window". When a user wants to be administrator, the user has to request such a window from you first. If the user has a legitimate reason, you can approve the access, such as the need to install AutoCAD for a new employee. You do not need to remote the computer to do the actual work and you can always audit that the user actually did just that and only that.

Requesting access

The user will see an icon in the system tray, which is green, when the user is not administrator. If the user needs to be administrator, the user would have to right-click to request permission. User interfaces and email communications are automatically localized from English to German, Danish, Spanish and French. More languages will added in the future.

Request Admin rights


When the user does this, two things can happen. Under "My Account" on this web site, you decide, if you always allow administrator access without pre-approval. This is also called Audit Only and can still make sense, because the user is still under full audit. In this mode, the user now becomes administrator under audit (see further down). You can also decide that you must approve each request for administrative access. This is called Admin By Request mode, hence the product name. In this mode, the user will see this window and will have to send a request to you with a reason for this need.

Request Admin right window

Approving Access in Admin By Request Mode

If you are using Admin By Request mode, you will receive a notification email that a user has requested administrative access. When you click the link in the email on your phone or computer (or select "Pending Approvals" under "My Account"), you will see a list of pending requests, including contact information and computer data. You must then simply click the Approve or Deny button for each request. When you press either button, the user will receive an email with instructions. You can also preapprove a session by locating a computer in the inventory and set a pre-approval token.

Approving access

Administrative Session

Once the request has been accepted by you, the user can start the session - or Audit Only mode is used, in which case the session starts right away. Under "My Account", you can configure how much time the user is administrator. The user will clearly see that he or she is temporary administrator and must be careful.

Request Admin rights approved

When the timer starts, the user has the option to run applications elevated, just as a “real” administrator has. If the user needs to run an application elevated, he or she still has to select "Run as administrator" and enter own credentials.

Run TeamViewer setup as administrator

Once the user either stops the timer or the time runs out, the information will be uploaded to this website, so you can see when the window was started and stopped. You can also see which software was installed during the window and a complete list of administrator usage on any given computerm, which you can export the data to Excel, PDF file or a CSV file, in case someone outside IT needs to audit.

Legacy applications

Some legacy applications require local administrator rights, simply because they were written back in the day, when everything was open and using the same folder for application files and data was the norm. You can make a white-list of applications that will elevate automatically. Refer to the policies page for more information.

Tampering protection

The administrators group will be snapshotted before the session start and restored after session end. If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session. If the user tried to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session.

Offline Computers

A user might need to be administrator offline (meaning without internet connection). In this case, the Admin By Request mode window will always appear - even in Audit Only mode - simply because it's impossible to know, what the current configuration is in your portal account. Once the user is online, the request will be send. If at this time, it is detected that Audit Only mode is used, the user will be auto-approved the same way as if you manually clicked "Approve". You can however force Audit Only mode using OfflineMode and AutoApprove policies.

PIN code

If the need to be administrator is urgent and the user cannot get online for what-ever reason, the user can click the PIN code link on the Admin By Request form. The user has to call you to get this PIN code, which you find in the computer details in the inventory. It's a daily PIN code that is unique for this computer on the day. Once the correct PIN code is entered, the window starts. The PIN code is hashed from the computer name, your license ID and the date. Therefore, the same PIN code can be generated by the client and the portal without connection.

Request Admin rights PIN code




Questions?

Please review the video below and check our FAQ page. If this does not answer your question, please feel free to contact us using the top menu. If you need to purchase a license, please contact us and use the Quote options.

Outlook Signature Generation

Outlook Signatures

Build mass-deployable Outlook signatures using a Word-like designer. More
Graphical Logon Scripts

Codeless Logon Scripts

Build graphical logon scripts with your own logo by pure point and click. More
IP Printing

Kill your print servers

Print to IP printers directly. More
Software Deploy

Software Deploy and Inventory

Push software without a management server and inventory to the cloud. More
Zero Touch Thin PC

Tired of Desktop Authority?

Same features - less complexity. More
FastTrack Automation Studio Video
Download FastTrack Automation Studio
Laptop Backups

Lockdown Local Admins

Revoke local admins rights and have users request ad-hoc access under full audit. More


Rating: 5 out of 5

"Use this as a replacement for VBScript and PowerShell"

"It's easy to include attractive GUI elements in FastTrack scripts, beyond the basic dialog boxes and text input that VBScript offers ... Another powerful feature is the ability to distribute scripts as Windows Installer (.msi) or standard .exe files. Although interesting in its own right, this ability results in a much more intriguing capability: to repackage -- or wrap -- software installers as .msi files without using snapshots. If you've ever created an .msi installer file from before-and-after system snapshots, for use with a software distribution system such as Group Policy or System Center Configuration Manager (SCCM), then you know how hit-and-miss the results can be."

Read full review


Rating: 8 out of 10

"Faster than the rest"

"We found the FastTrack syntax to be more transparent and easier to learn than Microsoft's PowerShell – the editor in particular provided good support in this regard. the Script Editor offers a large number of options from the command set through to simple output of graphical elements, which cannot be achieved at all with PowerShell or other solutions or only with a significantly greater level of effort."

"Anyone wanting to tackle the many hurdles in everyday admin and especially anyone for whom logon scripts and client automation is a priority will benefit from the variety of functions offered by FastTrack."

Review in English      Review in German
Department of Commerce Red Cross Kpmg Booking Aspen Dental Hamilton Beach Toyota Disney Kawasaki Goodyear NOAA

Kill your local admin accounts! Let users request access by request under full audit. Check this page for more info.