Professional Documents
Culture Documents
• Configuring Access Director using Group Policy Group Policy tools use Administrative template files
to populate policy settings in the user interface. This allows administrators to manage registry-
based policy settings.
This download includes the Administrative templates released for Windows Server 2012 R2, in the
following languages:
• en-US English - United States
This policy setting set the presentation of the user name for the Access Director Tray icon. If you
enable this policy setting, user name can be set as Username, Full name or Domain\Username.
If you disable or do not configure this policy setting, Access Director will use existing settings.
Scope: Machine
Value: 1: User name, 2: Full name, 3: Domain\User name
Default Value: 2: Full name
Active Directory:
Contains settings to control behaviour of Active Directory settings.
Active Directory Refresh:
To specify the Active Directory refresh interval, click Enabled and then enter a value. The value
that you specify is the number of minutes to use for the Active Directory refresh interval. For
example, 60 minutes is 1 hour. Note: Setting has no effect if “Active Directory Integration” setting
is disabled or not configured.
Scope: Machine
Value: 60 (default)
Default Value: Not configured
If you enable this policy setting, renewing cached information is required within the specified
renewal interval. If cached information fails to validate within the renewal interval, Access
Director will deny assigning privileges. To specify the cache renewal interval, click Enabled and
then enter a value. The value that you specify is the number of days to use for the cache
renewal interval. Note: Setting has no effect if “Active Directory Integration” setting is disabled or
not configured.
Scope: Machine
Value: 1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 1 week, 2 weeks
Default Value: Not configured
Active Directory Integration:
If you enable this this policy setting, Access Director will be able to integrate to Active Directory
for assigning privileges validation. If you enable this this policy setting, the computer must be
domain-joined.
Scope: Machine
Value: None
Default Value: Not configured
If you enable this policy setting, Access Director will do verbose logging to
%TEMP%\AccessDirector.log. If you disable or do not configure this policy setting, Access
Director will maintain standard logging.
Scope: Machine
Value: None
Default Value: Not configured
Audit Settings:
Contains settings to control behavior of Access Director Audit settings.
Audit Logging:
If you enable this policy setting the Access Director activity is logged in plain text in the audit log
placed in %TEMP%\. If you disable or do not configure this policy setting, Access Director do
not maintain an audit log.
Scope: Machine
Value: None
Default Value: Not configured
If you enable this policy setting the Access Director file activity is logged in plain text in the audit
log placed in %TEMP%\. If you disable or do not configure this policy setting, Access Director
do not maintain an audit log.
Scope: Machine
Value: None
Default Value: Not configured
Enable reason for assigning privileges prompt:
This policy setting allows you to specify whether Access Director will request ‘reason for
Assigning Privileges’ prompt as part of the assignment process. If you disable or do not
configure this setting, ‘reason for Assigning Privileges’ prompt is not active. Note: Setting has no
effect if “Audit Logging” setting is disabled or not configured.
Scope: Machine
Value: None
Default Value: Not configured
To specify the Audit refresh interval, click Enabled and then enter a value. The value that you
specify is the number of minutes to use for the Connector refresh interval. For example, 60
minutes is 1 hour.
Scope: Machine
Value: None
Default Value: Not configured
Set Audit URL:
If you enable this policy setting, Access Director will upload the audit logs to the defined URL. A
properly crafted web-service must available and you have to specify the Audit URL. If you
disable or do not configure this policy setting audit logs are not collected. Note: Setting has no
effect if “Audit Logging” setting is disabled or not configured
Scope: Machine
Value: http://<servername>/upload.php
Default Value: Not configured
Localization Settings:
Contains settings to control balloon language behavior.
If you enable this policy setting, Access Director will use to the selected ‘UI language’. If you
disable or do not configure this setting, ‘UI language’ will use Windows Display Language as
reference. Note: If you configure a language and no applicable .LNG files is not present, Access
Director ‘UI language’ will default to English.
Scope: Machine
Value: Arabic, Bulgarian, Croatian, Czech, Danish, Dutch, English (default), Estonian, Finnish,
French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian,
Norwegian, Polish, Portuguese (brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin),
Simplified Chinese, Slovak, Slovenian, Spanish, Swedish, Thai, Traditional Chinese (Hong Kong),
Traditional Chinese (Taiwan), Turkish, Ukrainian
Default Value: Not configured
If you enable this policy setting, you can specify the behavior for UI language is following
Windows Display Language or the defined Keyboard layout. If you disable or do not configure
this setting, ‘UI language’ will use Windows Display Language as reference.
Note: If you configure a language and no applicable .LNG files is not present, Access Director ‘UI
language’ will default to English.
Scope: Machine
Value: Windows Display Language, Keyboard layout
Default Value: Not configured
Token Elevation:
If you enable this policy setting, users will be able to right click the tray notification icon and
request elevation using a PIN code.
Scope: Machine
Value: 1
Default Value: Not configured
When token elevation is enabled, the encrypted shared key must reside in the ShareToken data
field.
Scope: Machine
Value: 1
Default Value: Not configured
Configure Access Director using the Registry:
If a registry entry must be created or modified to correctly configure the product, you can edit
the entry directly using the registry editor Regedit.exe.
Do not edit the registry unless you have no alternative. The registry editor bypasses standard
safeguards, allowing settings that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the registry reference.
• In the Run dialog box, type regedit, and then click OK.
• In the registry editor, navigate to the key or subkey under which you wish to add an
entry and select the name of the key or subkey by clicking on it.
• On the Edit Menu, point to New and then click the data type for the entry, such as String
Value, Binary Value, or DWORD Value.
• In the details pane, type the name of the registry entry, and then press ENTER to create
• the entry.
• To assign a value to the registry entry, right-click the entry and then click Modify. If the
entry has been defined as Binary Value, click Modify Binary Data instead.
• In the Edit Value Type Value dialog box, type an appropriate value in the Value data text
box. Type or select the value of other options, such as the base (hexadecimal or decimal) for DWORD
values, and then click OK.
The use of PIN Codes can be combined with the normal elevation process or with Active
Directory Integration, PIN Code elevation can also work as sole way of elevation.
Registry requirements:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Basic Bytes\Access Director