Require Justification on Privilege Elevation

You can use this group policy to require any user to provide a reason when they operate with elevated privileges, such as run with privilege, run as role, and new desktop.

This group policy works in conjunction with the Specify a privilege elevation validator policy. If you set only one of these two policies, any affected user is prompted to provide a reason for privilege elevation.

There are two settings for this group policy:

  • By default, when this policy is Disabled or Not Configured, users can run with elevated privileges as normal.

  • When this policy is Enabled, the agent prompts the user with a justification dialog box, where the user can provide a reason category and a text string for the reason.

    Also, if you've configured your system to work with a ticketing system such as ServiceNow, you can use the Specify a privilege elevation validator group policy to validate the ticket number that the user enters.

    You can view the reason category and text that users enter in the corresponding audit trail event.

You can use this group policy with loopback mode, so that you can apply the policy based on the computer that a user logs into. For more details about loopback mode, see the Microsoft documentation, such as the following page:

https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy