The Restrict Local Administrator Tools (RLAT) policy is a powerful policy for preventing end-users and malicious scripts from making changes to your remote desktops, but sometimes you need to allow these tools for a specific user or for a period of time.  This document will help you understand how the monitor works and how to properly manage the policy.



Interface


The main slider switch turns the policy on or off for all workstation computers at the Location.  When enabled, all eight subcategories are checked and therefore all eight restrictions will be applied to the remotes.  Tailor your restrictions so they're appropriate to the environment.  If after applying your selection you find a particular subcategory is unwanted, say your users need access to the Control Panel which you've locked down, simply uncheck the box for 'Control Panel', press the green 'Save' button on the bottom right, and that policy will be removed from the Location remotes and access to the Control Panel restored to your users.


The checkbox to Exempt the Local Administrator and the Domain Administrator from this policy is described below in Exemptions.



Policy Behavior


As soon as this policy is deployed to a Location, expect six of the restriction subcategories to be active immediately:


  • Restrict Registry Editor
  • Restrict Win+R Run
  • Restrict Command Prompt
  • Restrict Management Console (MMC)
  • Restrict Task Manager
  • Restrict Control Panel


The other two policies will not be active until the current user signs off.  This is a Microsoft requirement, but Third Wall has found it can be circumvented by restarting the Windows Explorer process.  Doing either of these two actions, or simply rebooting the computer, will activate these two policies.


  • Restrict PowerShell Prompt
  • Restrict Run As Admin


When the remote gets the command to apply an exemption or to run an UNDO, the same pattern will be seen.  Six subcategories will be instantly inactive and access to those tools restored.  The other two will continue to be active and unavailable to the current user until the computer restarts its Windows Explorer process, the current user signs off or the machine is restarted.



Exemptions


The topmost option allows you to automatically provide an exemption for two and only two user accounts: the built-in local Administrator account and the built-in domain Administrator account.  Third Wall uses well-known SIDs, as described by Microsoft, to determine these accounts.  Membership in an Administrators group will not be considered; the SID is all that matters.  These exemptions abide by the Policy Behavior described above.


The very first time the Local or Domain Administrator signs on to an RLAT-policed computer, they will find all subcategories blocked.  They will need to wait for the very next RLAT monitor to run (it runs every 300 seconds).  When it executes, six of the eight subcategories will be immediately available, but PowerShell and Run As Admin will need an additional step before they can be used: reboot the computer, sign out and back in, or restart the Windows Explorer process.  Once done, all eight subcategories will be exempted and full access granted.


The reason for this is that Third Wall applies the block policy to the Computer object and the exemptions to the User object.  Because the user object exemptions reside in the user registry, Third Wall cannot apply them until the account signs on and the user registry is loaded.  This setup procedure for exempting the Local and Domain Administrators needs to be done only once on a computer.  All subsequent sign-ins with these accounts will immediately enjoy full access to the Administrator Tools.


The quickest way to sign in with the Local or Domain Administrator account and have all eight subcategories exempted is:

  • Sign on to the computer as the Local or Domain Administrator account.
  • Use the Control Center to manually execute the TW - Disable Local Admin Tools policy on the remote computer.
  • Use the Tray Icon on the remote computer to 'Send Status'.
  • Make sure the monitor has applied the exception to your user registry by running 'Regedit'.
  • Restart the Windows Explorer process.
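To verify the two facts this section relies on (that the account is identified by its well-known SID rather than group membership, and that the computer-level block and user-level exemption live in separate registry hives), here is an added diagnostic you can run in the signed-in session on a policed remote.  It is example code, not Third Wall's, and it assumes the stock Windows policy value names for the six immediately-active subcategories; whether Third Wall sets exactly these values is not stated on this page.

```powershell
# Added example, not Third Wall code. Reports whether the current account is a
# built-in Administrator (RID 500) and which stock Windows "restrict tool" policy
# values exist at machine (HKLM) and user (HKCU) scope.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid = $me.User.Value

# Built-in Administrator accounts end in RID 500: S-1-5-21-<domain or machine>-500.
# A renamed account keeps this SID; a user merely added to Administrators does not.
$isBuiltInAdmin = $sid -match '^S-1-5-21-\d+-\d+-\d+-500$'
[PSCustomObject]@{ Account = $me.Name; SID = $sid; BuiltInAdminRID500 = $isBuiltInAdmin }

# ASSUMPTION: stock Windows policy locations; Third Wall's exact values are not on the page.
$checks = @(
  @{ Tool='Registry Editor'; Key='Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value='DisableRegistryTools' },
  @{ Tool='Win+R Run';       Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value='NoRun' },
  @{ Tool='Command Prompt';  Key='Software\Policies\Microsoft\Windows\System';                  Value='DisableCMD' },
  @{ Tool='MMC';             Key='Software\Policies\Microsoft\MMC';                             Value='RestrictToPermittedSnapins' },
  @{ Tool='Task Manager';    Key='Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value='DisableTaskMgr' },
  @{ Tool='Control Panel';   Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value='NoControlPanel' }
)

# One row per tool: HKLM shows the Computer-object block, HKCU the User-object exemption.
foreach ($c in $checks) {
  $row = [ordered]@{ Tool = $c.Tool }
  foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\$($c.Key)"
    $v = (Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $row[$hive] = if ($null -eq $v) { '(not set)' } else { $v }
  }
  [PSCustomObject]$row
}
```

A row whose HKLM value is set while HKCU is still '(not set)' means the monitor has not yet written the exemption into the loaded user registry, which is what the 'Regedit' step above is checking for.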



UNDO


Just as with exemptions, running a full undo of the RLAT policy will result in the immediate restoration of six subcategories with the other two requiring the additional step.


You'll also notice the TW - Disable Local Admin Tools monitor continues to run on the Location for the next 20 days.  This is to ensure all modifications made by Third Wall are removed and user registry keys are handled.