Granting permissions to individual users or groups
Password protection allows granting Kaspersky Endpoint Security access to individual Active Directory user accounts and manually added user accounts.
Active Directory user accounts
You can grant Kaspersky Endpoint Security access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user. As a result, you can exit the application only if you are logged in as that user or as KLAdmin.
You can use account credentials to access the application only if the computer is in the domain. If the computer is not in the domain, you can use the KLAdmin account or a temporary password.
Manually added user accounts
You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the View reports permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
Granting permissions to individual users or groups
How to grant permissions to individual users or groups in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select General settings → Interface.
- In the Password protection block, click the Settings button.
This opens a window with Password protection settings.
- In the account table, click Add.
- Select the type of the user account that you want to add:
- Select from the list for Active Directory user accounts.
To select a user account, click Select. Select a user or a group in Active Directory and confirm your selection.
- Custom user name and password for a manually added service user account.
To add a service user account, enter a user name and a password (for example, SecureAdmin).
You can reset a service user account password in the policy settings. The service user account password must be reset in the same way as the KLAdmin password. If editing Password protection settings is allowed (the "lock" is open) or no policy is applied on the computer, you can reset the password of the service user account in the application interface. To do so, confirm the changes of the service user account information using the KLAdmin password.
- In the Permissions list, select the check boxes next to the actions that the selected user or group will be allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box next to the Exit the application permission is cleared, you can exit the application only if you are logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
Password protection permissions have some important aspects to consider. Make sure that all conditions for accessing Kaspersky Endpoint Security are fulfilled.
- Save your changes.
How to grant permissions to individual users or groups in Web Console and Cloud Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to General settings → Interface.
- Under Password protection, in the accounts table, click Add.
- Select the type of the user account that you want to add:
- Select from the list – Active Directory user accounts.
To select a user account, click Select user or group. Select a user or a group in Active Directory and confirm your selection.
- Custom user name and password for a manually added service user account.
To add a service user account, enter a user name and a password (for example, SecureAdmin).
You can reset a service user account password in the policy settings. The service user account password must be reset in the same way as the KLAdmin password. If editing Password protection settings is allowed (the "lock" is open) or no policy is applied on the computer, you can reset the password of the service user account in the application interface. To do so, confirm the changes of the service user account information using the KLAdmin password.
- In the Permissions list, select the check boxes next to the actions that the selected user or group will be allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box next to the Exit the application permission is cleared, you can exit the application only if you are logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
Password protection permissions have some important aspects to consider. Make sure that all conditions for accessing Kaspersky Endpoint Security are fulfilled.
- Save your changes.
How to grant permissions to individual users or groups in the user interface of the application
- In the main application window, click the button.
- In the application settings window, select General settings → Interface.
- In the account table, click Add.
- Select the type of the user account that you want to add:
- Select from the list for Active Directory user accounts.
To select a user account, click Select user or group. Select a user or a group in Active Directory and confirm your selection.
- Custom user name and password for a manually added service user account.
To add a service user account, enter a user name and a password (for example, SecureAdmin).
You can reset a service user account password in the policy settings. The service user account password must be reset in the same way as the KLAdmin password. If editing Password protection settings is allowed (the "lock" is open) or no policy is applied on the computer, you can reset the password of the service user account in the application interface. To do so, confirm the changes of the service user account information using the KLAdmin password.
- In the Permissions list, select the check boxes next to the actions that the selected user or group will be allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box next to the Exit the application permission is cleared, you can exit the application only if you are logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
Password protection permissions have some important aspects to consider. Make sure that all conditions for accessing Kaspersky Endpoint Security are fulfilled.
- Save your changes.
As a result, if access to the application is restricted for the Everyone group, users will be granted permissions to access Kaspersky Endpoint Security according to the users' individual permissions.
Page top