As Microsoft's User Account Control begins to trickle onto corporate desktops, BeyondTrust is offering an alternative designed to ensure that users get privileges only when they need them.

Privilege Manager 3.0 lets companies centrally control what users can run on their desktops without using pop-up warnings like those that have been panned in Microsoft's Vista.

Those pop-ups are part of Microsoft's UAC feature, which blocks the administrative rights that enable users, or malicious programs, to install software or perform other tasks such as edit the registry.

With UAC, when users try to perform those tasks they are presented with a pop-up window asking for authorisation credentials. Critics have said the pop-ups - especially the number of them - can be confusing and annoying.

Privilege Manager works in the background controlling application access, software installations, ActiveX controls and system tasks that require elevated or administrative rights. The software was developed by DesktopStandard, which Microsoft acquired last year.

Company co-founder John Moyer, however, hung onto DesktopStandard's PolicyMaker Application Security product, and used the name BeyondTrust to start a new company and rename the product. Privilege Manager 3.0 is its first release.

"A pop-up is a work stoppage," says Keith Brown, network administrator for Gwinnett Medical Center in Atlanta. "We do not want to surrender local administrator rights into the enterprise. It is always a security issue. We had a free-for-all with people who knew they had local administrator rights and knew they could do what they wanted."

Brown says that less than 1 percent of his 7,000 associates have local administrator rights and most of those users are in IT.

"First thing we noticed when we took away local administrator rights is that our incidents of malware dropped off considerably," Brown says.

Privilege Manager is designed to let administrators manage exceptions to the rule that no one has local administrator rights. The software can increase rights when needed and reduce them went not needed, such as when an IT administrator is just answering email.

Privilege Manager, which supports Vista and 64-bit Windows platforms, is registered as an extension to group policy in Active Directory. It enables permission levels to be assigned to Windows applications and applied on the fly. Rules are stored on the server and deployed to clients via the directory when those clients come on the network.