Registry Settings - pseymour/MakeMeAdmin GitHub Wiki
The following settings can be configured in the registry to control the behavior of Make Me Admin. Settings should be stored in the following key:

`HKEY_LOCAL_MACHINE\SOFTWARE\Sinclair Community College\Make Me Admin`

To enforce settings, you should use the Group Policy templates, which are located in the installation directory. However, policy settings can be manually set in the following key:

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Sinclair Community College\Make Me Admin`

| Setting Name | Default Value | Format | Explanation |
|---|---|---|---|
| Allowed Entities | empty | REG_MULTI_SZ | List of SIDs or names<sup>2</sup> for users or groups that are allowed to obtain administrator rights on the local machine. |
| Denied Entities | empty | REG_MULTI_SZ | List of SIDs or names<sup>2</sup> for users or groups that are not allowed to obtain administrator rights on the local machine. Denials take precedence over allowed entities. |
| Automatic Add Allowed | empty | REG_MULTI_SZ | List of SIDs or names<sup>2</sup> for users or groups that are automatically added to the Administrators group upon logon. Automatically added users are not subject to a timeout. |
| Automatic Add Denied | empty | REG_MULTI_SZ | List of SIDs or names<sup>2</sup> for users or groups that are never allowed to be added automatically to the Administrators group upon logon. Denials take precedence over allowed entities. |
| Remote Allowed Entities | empty | REG_MULTI_SZ | List of SIDs or names<sup>2</sup> for users or groups that are allowed to obtain administrator rights from a remote computer. |
| Remote Denied Entities | empty | REG_MULTI_SZ | List of SIDs or names<sup>2</sup> for users or groups that are not allowed to obtain administrator rights from a remote computer. Denials take precedence over allowed entities. |
| syslog servers | empty | REG_MULTI_SZ | See the Syslog Configuration page for a detailed explanation. |
| Admin Rights Timeout | 10 | REG_DWORD | The default number of minutes that the user will be added to the Administrators group. |
| Timeout Overrides | empty | REG_SZ<sup>1</sup> | Specifies different timeout values for users or groups. For example, you can allow your help desk 60 minutes while allowing everyone else 15 minutes. The highest timeout value that applies to a given user wins. |
| Renewals Allowed | 0 | REG_DWORD | Specifies the number of times the user is allowed to renew their administrator rights. |
| Remove Admin Rights On Logout | false (0) | REG_DWORD | Specifies whether to remove administrator rights if a user logs off of their Windows session. |
| Log Off After Expiration | 0 | REG_DWORD | Specifies the duration, in seconds, after rights expiration before the user is logged off. A value of zero (0) will disable this functionality. |
| Log Off Message | "Your administrator privileges have expired. You will be logged off." | REG_MULTI_SZ | The message displayed to the user before they are logged off. |
| Override Removal By Outside Process | false (0) | REG_DWORD | Specifies whether to re-add a user to the Administrators group, if they are removed by another process, e.g., a Group Policy refresh. |
| Require Authentication For Privileges | false (0) | REG_DWORD | Specifies whether the user must enter credentials before administrator rights are granted. |
| Allow Remote Requests | false (0) | REG_DWORD | Specifies whether to allow requests for administrator rights from remote computers. |
| End Remote Sessions Upon Expiration | true (1) | REG_DWORD | Specifies whether remote sessions are terminated when the user’s administrator rights expire. |
| Close Application Upon Expiration | true (1) | REG_DWORD | Specifies whether the user application exits when the user's rights expire. |
| Prompt For Reason | None (0)<sup>3</sup> | REG_DWORD | Specifies whether to prompt a user for the reason they are requesting administrator rights. |
| Allow Free-Form Reason | true (1) | REG_DWORD | Specifies whether to allow the user to enter a free-form reason for administrator rights. |
| Canned Reasons | empty | REG_MULTI_SZ | One or more prepared reasons for administrator rights, provided to the user in a drop-down menu. |
| Maximum Reason Length | 333 | REG_DWORD | The maximum length of a user-provided free-form reason for administrator rights. |
| Log Elevated Processes | Never (0)<sup>4</sup> | REG_DWORD | When to log processes that run with elevated privileges. |
| TCP Service Port | | REG_DWORD | |

<sup>1</sup> Create a separate REG_SZ value for each user or group. The name of the registry value will be the SID or name of the user or group, and the value will be the desired timeout, in minutes.

<sup>2</sup> Names of users or groups should be in the format `DOMAIN\Name`. User principal names (e.g., user@domain.com) will not work.

NOTE: If you are using local groups, DOMAIN should be either a single dot (.), the name of the computer (not recommended), or %COMPUTERNAME%.

NOTE: If you are going to use a name, the group needs to be either local (so its name can always be resolved) or the device needs an Active Directory connection. If the device will sometimes be disconnected, use the group's SID, which will always be available, even if the device is disconnected from the network.

<sup>3</sup> Possible values are None (0), Optional (1), and Required (2).

<sup>4</sup> Possible values are Never (0), OnlyWhenAdmin (1), and Always (2).
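
The following PowerShell sketch is an added example, not part of the Make Me Admin project. It writes a restrictive set of values to the policy key using the formats in the table, and rejects entity entries that are neither a SID nor `DOMAIN\Name` (footnote 2). The SIDs are constructed placeholders, the chosen values are illustrative, and storing the per-entity timeouts in a subkey named `Timeout Overrides` is an assumption based on footnote 1.

```powershell
# Added example. Run from an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Sinclair Community College\Make Me Admin'

# Constructed placeholder SIDs; replace with your own groups.
$helpDesk    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$powerUsers  = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
$contractors = 'S-1-5-21-1111111111-2222222222-3333333333-1107'

function Test-EntityFormat([string]$Entity) {
    # Footnote 2: a SID or DOMAIN\Name is accepted; a UPN (user@domain) is not.
    return ($Entity -match '^S-1-\d+(-\d+)+$') -or ($Entity -match '^[^\\@]+\\[^\\@]+$')
}

$multi = @{
    'Allowed Entities' = @($helpDesk, $powerUsers)
    'Denied Entities'  = @($contractors)   # denials take precedence
}
$dword = @{
    'Admin Rights Timeout'                  = 15  # minutes, everyone else
    'Renewals Allowed'                      = 0
    'Remove Admin Rights On Logout'         = 1
    'Require Authentication For Privileges' = 1
    'Allow Remote Requests'                 = 0
    'Prompt For Reason'                     = 2   # Required
    'Log Elevated Processes'                = 1   # OnlyWhenAdmin
}
$overrides = @{ $helpDesk = '60' }          # highest applicable timeout wins

# Validate every entity before touching the registry.
$entities = @($multi.Values | ForEach-Object { $_ }) + @($overrides.Keys)
foreach ($e in $entities) {
    if (-not (Test-EntityFormat $e)) { throw "Not a SID or DOMAIN\Name: $e" }
}

# Create keys only if missing; New-Item -Force on an existing key clears it.
$overrideKey = Join-Path $policyKey 'Timeout Overrides'   # assumed subkey name
foreach ($k in @($policyKey, $overrideKey)) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}
foreach ($n in $multi.Keys) {
    New-ItemProperty -Path $policyKey -Name $n -PropertyType MultiString -Value $multi[$n] -Force | Out-Null
}
foreach ($n in $dword.Keys) {
    New-ItemProperty -Path $policyKey -Name $n -PropertyType DWord -Value $dword[$n] -Force | Out-Null
}
foreach ($n in $overrides.Keys) {
    New-ItemProperty -Path $overrideKey -Name $n -PropertyType String -Value $overrides[$n] -Force | Out-Null
}
```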