End User Communication
It’s good practice to communicate with end users about the rollout and implementation of PEM. You'll want to address:
- The change in behaviour required to elevate a process
- How users request elevations not covered by a PEM policy
- The planned date of change
THE CHANGE IN BEHAVIOUR REQUIRED TO ELEVATE PROCESSES
Users will need to follow a new pattern to run processes as administrator. It’s important to communicate this new interaction to end users before an environment has been hardened with PEM. An email or meeting to demonstrate the appropriate usage of PEM can help users welcome the change.
To run a program as administrator, users will need to right-click the application and select “Run as Administrator with PEM”.
Depending on the policy set, or on whether the end user is part of a group in Learning Mode, they will be prompted either to enter their credentials or to contact the sysadmin for assistance.
If a user is allowed to proceed, they will see a UAC prompt asking for administrator credentials. Instead of fetching a set of administrator credentials, the user enters their own credentials, and the process then runs as administrator.
If a user is not allowed to elevate the process, the user will be advised to contact their system administrator for assistance.
HOW USERS REQUEST ELEVATIONS NOT COVERED BY A PEM POLICY
If a user is not allowed to elevate a process, they will see a dialog box advising them to contact their system administrator. This dialog box contains a configurable contact field. You may use this field to list an email address, a phone number or extension, or a statement such as "Open a service ticket".
Be sure to communicate the appropriate method in your rollout communication.
THE PLANNED DATE OF CHANGE
Don't forget to tell end users when they are to change their behaviour for elevating processes and how to request new elevations after rollout.