Can I allow non-administrators to manage my EventSentry configuration?

Article ID: 262
Category: Configuration
Applies to: 3.0
Updated: 2023-01-23


The preferred method for managing agent configurations is through the collector, which can automatically deploy the EventSentry configuration as well as agent updates. See "EventSentry Collector" below for more details. If you are not using the collector then follow the instructions below.

Creating a group and configuring local permissions:

Create an Active Directory security group, which we will call EventSentryAdmins in this example, and then add the users that will be managing EventSentry to that group. Then configure the EventSentry registry key to have Full Access permissions granted to the EventSentryAdmins group:

or (v4.2 and earlier)

Also configure the installation directory to have Full Access permissions granted to the EventSentryAdmins group:

C:\Program Files\EventSentry
or (v4.2 and earlier)
C:\Program Files (x86)\EventSentry

You must also share ProgramUpdate folder on each remote computer, and name the share ES$:

C:\Program Files\EventSentry\RemoteUpdate
or (v4.2 and earlier)
C:\Program Files (x86)\EventSentry\RemoteUpdate

and you must also grant the EventSentryAdmins group Write access to the ES$ share settings of your remote computers.

Non-Administrator users can now manage EventSentry and push configuration changes to the remote computers without being an administrator of the remote computers or the management console computer.

NOTE: Non-Administrators are only able to push the configuration, other tasks like checking the agent (service) status and changing or upgrading the agent will not work and likely result in an Access Denied error.

EventSentry Collector
The collector component can be used to automatically deploy the current configuration as well as any agent patches. This is enabled by default, see the documentation for more details.

To set up access for deploying or upgrading agents:
You can use a scheduled task in Windows Task Scheduler for the Remote Update Utility and configure the scheduled task to run under an account that has administrative privileges on your remote computers. This allows the upgrades or deployments to run even if the currently-logged-on user does not have administrator privileges on the remote computers.