Specify a Privilege Elevation Validator
You can use this computer configuration group policy to validate the ticket number that a user enters along with a privilege elevation reason. The validation is done by a customized PowerShell script that checks the ticket against a ticketing system, such as ServiceNow.
If you enable this policy, here are some important things to know:
- Delinea provides a sample script that you can use as a starting point for your own script. At a minimum, you need to enter your ServiceNow URL for the $url parameter.
- You can get the sample script from GitHub: in the centrify-agent-windows repo, go to Samples > ITSM validation > servicenow.
- If the ticket ID is not validated successfully, the user's request for elevated privilege is rejected.
- The custom PowerShell script must be available and accessible on each Windows computer where the validation occurs. Because the script's verdict decides whether elevation is granted, store it in a location that only administrators can modify; a user who can edit the script can make it approve any ticket. If you're not running the PowerShell script on a local computer, be sure to allow remote PowerShell access for the script.
- This group policy works in conjunction with the Require justification on privilege elevation policy. If you set only one of these policies, any affected user is prompted to provide a reason for privilege elevation.
- If the script cannot validate the ticket entry within the specified timeout duration, then the validation fails. By default, the timeout value is 2 minutes.
Please consult the group policy explain text for more details.
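As an added example (not Delinea's sample script from the centrify-agent-windows repo), the following PowerShell validator checks a ticket number against the ServiceNow Table API. The page does not state how the agent passes the ticket number and reason to the script or how the script reports its verdict, so the parameter names and the exit-code convention (0 = valid, non-zero = rejected) are assumptions; the instance URL, the credential file path and the accepted ticket prefixes are placeholders you would replace.

```powershell
<#
  Added example of a Privilege Elevation Validator script (not Delinea's
  sample). Assumed interface: the agent calls the script with the ticket
  number and the user's reason, and treats exit code 0 as "valid" and any
  other exit code as "rejected".
#>
param(
    [Parameter(Mandatory = $true)][string]$TicketNumber,
    [string]$Reason = ""
)

# Placeholder instance URL (the page's $url parameter).
$url = "https://your-instance.service-now.com"

# Service account credential exported with Export-Clixml. The file is
# DPAPI-protected for the account that exported it, so export it as the
# account the agent uses to run the validator. Path is a placeholder.
$cred = Import-Clixml -Path "C:\ProgramData\ticket-validator\sn-cred.xml"
$pair = "$($cred.UserName):$($cred.GetNetworkCredential().Password)"
$auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))

# Reject malformed input before touching the network (assumed prefixes).
if ($TicketNumber -notmatch '^(INC|CHG|RITM)\d{7}$') {
    Write-Output "Rejected: '$TicketNumber' is not a well-formed ticket number"
    exit 1
}

# Pick the ServiceNow table from the ticket prefix.
$table = switch -Regex ($TicketNumber) {
    '^INC'  { 'incident' }
    '^CHG'  { 'change_request' }
    '^RITM' { 'sc_req_item' }
}

# Exact-match query, URL-encoded so the ticket string cannot alter the query.
$query = [uri]::EscapeDataString("number=$TicketNumber")
$uri = "$url/api/now/table/${table}?sysparm_query=$query" +
       "&sysparm_fields=number,state,active&sysparm_limit=1"

try {
    # Keep the lookup well inside the policy's 2-minute validation timeout.
    $resp = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 30 `
        -Headers @{ Authorization = "Basic $auth"; Accept = 'application/json' }
} catch {
    # Fail closed: no answer from the ticketing system means no elevation.
    Write-Output "Rejected: ServiceNow lookup failed ($($_.Exception.Message))"
    exit 1
}

$ticket = $resp.result | Select-Object -First 1
if (-not $ticket) {
    Write-Output "Rejected: ticket $TicketNumber not found"
    exit 1
}

# The Table API returns booleans as the strings "true"/"false".
if ($ticket.active -ne 'true') {
    Write-Output "Rejected: ticket $TicketNumber is closed (state $($ticket.state))"
    exit 1
}

Write-Output "Validated: $TicketNumber is active; reason: $Reason"
exit 0
```

You can exercise the script by hand before pointing the policy at it, for example `.\Validate-Ticket.ps1 -TicketNumber INC0010001 -Reason "emergency patch"`. Every path other than "ticket found and active" exits non-zero, so a typo, a closed ticket, a network error or a slow response all reject the elevation, which is the behaviour the policy expects.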
There are two settings for this group policy:
- By default, when this policy is Disabled or Not Configured, users can run with elevated privileges as normal.
- When this policy is Enabled, you specify the PowerShell script filename, and users' entries are validated against the third-party ticketing system before privileged access is granted.
You can view the reason information that users enter in the audit trail event.