Jump to content

Search the Community

Showing results for tags 'password reset'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Essentials
    • Announcements
  • Passwordstate 8.x
    • General Support
    • Feature Requests
    • Feature Requests - Completed
    • Known Issues
    • Installing Passwordstate
  • Knowledge Base
    • General FAQs
    • Password Resets
    • Remote Session Launcher
    • Mobile Client
    • Passwordstate API
    • Browser Extensions
    • Password Reset Portal
  • Passwordstate 7.x
    • General Support
    • Known Issues

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Google Plus Account


Location


Interests


Biography


Location


Interests


Occupation

Found 23 results

  1. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Ensure you select the correct Privileged Account and the Reset SQL Password reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for SQL Account validation script is selected
  2. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Three are three options on this page to configure: Confirm the Reset Linux Password reset script is selected Determine whether or not to use a Privileged Account and select the appropriate option. If you do not use a Privileged Account, Passwordstate will connect to the host using the account on the Password Details tab (which in this example is marlee), and perform the reset. Otherwise it will connect to the host with the Privileged Account username and password, and then perform the reset for the user account (marlee) Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Linux Account validation script is selected
  3. This forum post will describe how to set up a Password Record to automatically reset a Local Windows Admin account on a remote server that is in a Workgroup, and not joined to your domain. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password in Passwordstate and on the Host when that date is reached. Please note if you do not have functioning DNS to your Workgroup server, you may need to add it into the system as an IP Address instead. Please see this forum post on how to configure this: https://www.clickstudios.com.au/community/index.php?/topic/2127-adding-in-a-host-that-does-not-have-functioning-dns/ Screen 2: Ensure the "Reset Windows Password" script is selected under the Reset Options tab, and in this case you do not need to select a privileged Account. Instead when a password reset process is executed, it will connect to the machine using it's own credentials, and it will then perform the reset for itself. There are a couple of prerequisites to allow this to happen, which is mentioned at the bottom of this post: Screen 3: Ensure the "Validate Password for Windows Account" script is selected under the Heartbeat Options tab: Prerequisites for WorkGroup machines to allow for password resets and heartbeats: On your Passwordstate webserver, execute the following Powershell command to trust all hosts: Set-Item WSMAN:\localhost\Client\TrustedHosts -value * (It's possible to specify your workgroup server instead of the wildcard * if you prefer) Ensure you have enabled Powershell Remoting on the Workgroup machine. To do this open Powershell "As Administrator" and execute enable psremoting -force On the same Workgourp machine, you must enable remote connections to the server for your Administrator account. To do this, open Powershell "As Administrator" and execute the command below, which adds a registry key to your system. This is a Microsoft requirement and you can read more about it in this link: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-5.1 New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` -PropertyType DWord -Value 1
  4. Hi again. As you have seen in today's other thread, I'm working on getting the password resetting for Windows to work without using local admin privileges. Whilst doing so, I've stumbled upon an error in the Windows local account password reset script "Set-WindowsPassword.ps1". I'm working with build 8180. After reducing the Powershell code to its bare essentials and running it on one of my test boxen, I've found that the relevant ScriptBlock contains a Write-Output that it really shouldn't, or that the test is written badly. Its current state leads to false positives. REPRODUCTION: Expire a local admin account's password on a Windows box. A few minutes later, the reset status lights up green as does the heartbeat. However, running another heartbeat attempt sets the HB status to red. Upon closer inspection I also find that the password has NOT been changed. No errors are reported by the reset script, which is recorded as successful in the audit log. DEBUGGING: I've reduced the relevant Powershell code to the bare minimum. I'm running it in Powershell ISE on the target host, with the privileged user account. Running things manually clearly shows an "access denied" message which is not getting caught by the test. EXAMPLE CODE: $HostName = "myhost" $TargetUser = "administrator" $NewPassword = "supersecrettotallynotit-1234" function ScriptBlock () { $account = [ADSI]"WinNT://$HostName/$TargetUser,user" $account.psbase.invoke("SetPassword", $NewPassword) $account.psbase.CommitChanges() Write-Output "Success" # THIS IS YOUR SMOKING GUN } $resultsarray = scriptblock 2>&1 if ($resultsarray -eq "Success") { Write-Output "Success" } else { Write-Output "Failboat" } PROOF: Run the code above ultimately leads to the output "Success", even if the psbase commands fail. In my case, I'm given an "access denied". Taking out the Write-Output from the function makes it exit with "Failboat". Now, if I swap the final IF-THEN-ELSE test with the actual code from the original PS1 (which includes the Switch statement for various error messages), then we see the same pattern. Making ScriptBlock output "Success" always leads to an exit of the script with "Success". Taking out that Write-Output line however, will correctly display the "access denied" error message. FIX: You'll need some error handling in your codeblock, to verify if there's any failures on the remote end and to indicate at which step. function ScriptBlock () { $account = [ADSI]"WinNT://$HostName/$TargetUser,user" $account.psbase.invoke("SetPassword", $NewPassword) if ($?) { $account.psbase.CommitChanges() if ($?) { Write-Output "Success" } else { Write-Output "Failure on commit"} } else { Write-Output "Failure on invoke" } }
  5. support

    Departing Employee Procedure

    In Passwordstate 8, we have a new feature which allows you to automatically recycle passwords that a departing employee has had access to. If the password records are set up for automatic resets, for example if it was an Active Directory account, or a Linux account, then the passwords will also be recycled out on this systems automatically. This can save a lot of time manually resetting passwords in your environment. To use this feature, go to Administration -> Password Lists -> Perform Bulk Processing -> Bulk Password import: Under the Search Filter section, select the departing employee username, the site as Internal, (unless you are using the Remote Site Locations Module in which case you'll have some external sites to choose from), and the historical user activity option. Once you do this, click Search and it will return all passwords that are recommended to be changed: For the Schedule, click now to to set the current time, or choose a time in the future by using the calendar and time icons: Now under the Search Results grid, if you only want to reset "some" of the recommended passwords, select the ones you require, and click the "Add Selected Records to the Queue", otherwise just hit "Add All Records to the Queue": Now sit back and let Passwordstate do the rest:) Regards, Support
  6. This post describes how to set up an Active Directory account in Passwordstate, configured for Automatic Resets: Powershell Script: $PasswordstateAPIURL = "https://fabrikam.com/api/passwords" $jsonString = ' { "PasswordListID":"9914", "Title":"SCCM Service Account", "Username":"sccm_admin", "GeneratePassword":"False", "Password":"Welcome01", "APIKey":"63fca2537db89e4fb329546d7e83cab6", "ValidatewithPrivAccount":"False", "AllowExport":"True", "PasswordResetEnabled":"True", "EnablePasswordResetSchedule":"True", "PasswordResetSchedule":"23:00", "AccountTypeID":"82", "ADDomainNetBIOS":"fabrikam", "PrivilegedAccountID":"2", "HeartbeatEnabled":"True", "ValidationScriptID":"9", "HeartbeatSchedule":"10:00" } ' Invoke-Restmethod -Method POST -Uri $PasswordstateAPIURL -ContentType "application/json" -Body $jsonString Pre-Requisites to get this script working: An API key needs to be set on a Password List. This can be achieved when adding or editing a Password List: You'll need to find the PasswordListID value, by toggling the Visibility of the Web API IDs: Next you'll need to find the AccountTypeID for Active Directory under Administration -> Images and Account Types: Next find the Validation ScriptID for Active Directory Accounts under Administration -> Powershell Scripts -> Password Validation: And the ID of your Privileged account, which has permissions in AD to reset Accounts: If you insert these values into your script, along with any other string values like the Title or username, it will add a record in to the system as expected.
  7. Hello, We want to use Passwordstate to reset all administrator accounts of our customer servers once a year. I played with the Password Reset and Password Validation Scripts to checkout the manual way but neither are working. I also read the "Password Reset Prerequisites" but I'm still stuck. To my environment: The Passwordstate "Server" is a Windows 10 PC in our company AD. The Servers I want to reset the password are external customer pc and server which have a VPN connection to our Passwordstate Server. None of the customer servers have a AD or are connected to our AD. So they are all standalone server. I started with the Password Validation Scripts. Here I get this error: Executing for Host '10.0.4.47' at 12.09.2016 18:33:30. Failed to validate the local password for account 'administrator' on Host '10.0.4.47'. Error = Exception calling "ValidateCredentials" with "3" argument(s): "The network path was not found." If I use the Username ".\administrator" I get a different error message: Executing for Host '10.0.4.47' at 12.09.2016 18:38:43. Failed to validate the local password for account '.\administrator' on Host '10.0.4.47'. Error = Exception calling "ValidateCredentials" with "3" argument(s): "Access Denied" The username and password of the 10.0.4.47 is correct. What I'm doing wrong? Thanks Christian
  8. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Confirm the Reset Oracle Password reset script has been selected Determine whether or not to use a Privileged Account and select the appropriate option. If you do not use a Privileged Account, Passwordstate will connect to the host using the currently active password for the user (in this example oracle_admin), and perform the reset to a new password. Otherwise it will connect to the host with the Privileged Account username and password, and then perform the password reset for the user account (oracle_admin). You only need to use a Privileged Account Credential to connect to the database, if the account you're resetting the password for does not have enough permissions to perform a reset for itself Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Oracle Account validation script is selected
  9. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Ensure you select the correct Privileged Account and the Reset Juniper ScreenOS Password reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Juniper ScreenOS Account validation script is selected
  10. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Ensure you select the correct Privileged Account and the Reset Juniper Junos Password reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Juniper Junos Account validation script is selected
  11. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: You must have a Generic Field configured on your Password List labelled as "LoginID" (Screenshot below) Step 3: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 6 options correctly and enter in the password for the account You will need to know the LoginID of your account on your IMM card. For more information on this see Help -> Passwordstate User Manual -> KB Articles -> Password Resets -> Password Reset Scripts and Requirements If you configure an Expiry Date it will automatically change the password when that date is reached Screen 2: Three are three options on this page to configure: Confirm the Reset IBM IMM Password reset script is selected Determine whether or not to use a Privileged Account and select the appropriate option. If you do not use a Privileged Account, Passwordstate will connect to the host using the currently active password for the user (in this example marlee), and perform the reset. Otherwise it will connect to the host with the Privileged Account username and password, and then perform the reset for the user account (marlee) Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for IBM IMM Account validation script is selected
  12. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Three are three options on this page to configure: Confirm the Reset HP iLO Password reset script is selected Determine whether or not to use a Privileged Account and select the appropriate option. If you do not use a Privileged Account, Passwordstate will connect to the host using the currently active password for the user (in this example marlee), and perform the reset. Otherwise it will connect to the host with the Privileged Account username and password, and then perform the reset for the user account (marlee) Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for HP iLO Account validation script is selected
  13. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the username and password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Choose the correct reset script for your F5 Big-IP host. The reset script you choose is dependant on the access type your Privilege Account, and more information about this can be found under Help -> Passwordstate User Manual -> KB Articles -> Password Resets -> Password Reset Scripts and Requirements Ensure you choose you Privileged Account that has permissions on your BIG-IP host Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for F5 Big-IP Account validation script is selected
  14. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Confirm the Reset Dell iDRAC Account Password reset script is selected Determine whether or not to use a Privileged Account and select the appropriate option. If you do not use a Privileged Account, Passwordstate will connect to the host using the currently active password for the user (in this example marlee), and perform the reset. Otherwise it will connect to the host with the Privileged Account username and password, and then perform the reset for the user account (marlee) Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs. Screen 3: Confirm the Validate Password for Dell iDRAC Account validation script is selected
  15. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Ensure you select the appropriate Privileged Account and the Reset Cisco Host Password - Priv 15 reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Cisco Account validation script is selected
  16. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Ensure you select the appropriate Privileged Account and the Reset Cisco Enable Secret reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Cisco Account validation script is selected
  17. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: As of January 2018 the Procurve Reset script has been updated to allow you to not have to use a Privileged Account on your Password Record. The two scenarios are below: If the account you are intending on performing a reset on has the "Manager" role on your Procurve switch, then it is not necessary to select a Privileged Account o the screen below. If the account you are intending on performing a reset is only an "Operator" on the switch, then you must select a privileged account that has "Manager" permissions on the switch. More information about this screenshot below: Ensure you select the correct Privileged Account and the Reset HP Procurve Password reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs. With my settings below, it will add another 90 days to the Exiry Date on the record, and will attempt to perform the next reset at midnight. Change these values accordingly. Screen 3: Confirm the Validate Password for HP Procurve Account validation script is selected
  18. On a Windows server or desktop OS, it is possible to configure a Service, IIS Application Pool, Scheduled Task or COM+ Component to have its "Identity" run as an Active Directory Account. We call these Dependencies in Passwordstate. This post shows how to configure a Password Record to manage this dependency. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Ensure you configure a password record as per this Form Post. This should contain the Active Directory account you intend to set up on your dependency Step 3: Add a dependency to your Password Record. Screen 1: Adding a dependency can be achieved from two places - Either from the Actions Menu or click the Dependencies link in the Password Grid: Screen 2: Click the Link to Password Reset Script button Screen 3: Select the options as appropriate: The correct Password Reset Script that should match your dependency type Enter the name of the dependency as it is shown on the remote host - ie the display name of the service on my server is called Passwordstate Service The dependency type Search for and assign the correct Host that the dependency is configured on
  19. Updated for Passwordstate 8 - 1st November 2017 Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Confirm you select the appropriate Reset Linux Password script. Determine whether or not to use a Privileged Account and select the appropriate option. If you do not use a Privileged Account, Passwordstate will SSH to the host using the currently active password for the user (in this example marlee), and perform the reset. Otherwise it will connect to the host with the Privileged Account username and password, and then perform the reset for the user account (marlee) Confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Linux Account validation script is selected Some More notes about Linux Resets: In some environments, and and/or Linux distributions, SSH'ing in as root is disabled. To ensure you can perform a successful heartbeat of the root account ie check the password record is in sync with the root password on the machine, then you may need to tick the following option - This will SSH in as your Privileged Account, and perform a password validation to the root account. In conjunction with the setting below, you will need to configure your sudoers file on each of your machine following the Section 14 of this Document: https://www.clickstudios.com.au/downloads/version8/Password_Discovery_Reset_and_Validation_Requirements.pdf Information About the Privileged Account: With Linux it is possible to SSH in using a Public/Private key system to authenticate. If you have this system in place, you can assign the Private key to your Privileged Account, and it will use the key and the secret Passphrase to establish an SSH connection to the machine:
  20. Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account. If you configure an Expiry Date it will automatically change the password in Passwordstate and on the Host when that date is reached. Screen 2: Ensure you select the appropriate Privileged Account and the Reset Windows Password reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Windows Account validation script is selected
  21. Step 1: Ensure you have prerequisites set up for your web server, as per this forum post (Once off process) Step 2: Add new Password Record configured as follows: Screen 1: Ensure you configure the below 5 options correctly and enter in the AD password for the account. If you configure an Expiry Date it will automatically change the password when that date is reached. Screen 2: Select the appropriate Privileged Account. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs Screen 3: Confirm the Validate Password for Active Directory Account validation script is selected
  22. To enable Passwordstate to reset passwords for accounts on remote hosts in your environment, you must ensure you have the following prerequisites set up: Web server and remote host requirements - https://www.clickstudios.com.au/downloads/version8/Password_Discovery_Reset_and_Validation_Requirements.pdf In the Passwordstate user interface: Hosts need to be added in under the Hosts tab -> Hosts Home -> View All Hosts Records screen Some systems require a Privileged Account to perform the password reset on the remote host. To determine if you need to set up a Privileged Account, check Help -> Passwordstate User Manual -> KB Articles -> Password Resets -> Password Reset Scripts and Requirements. To create a Privileged Account, see Help -> Security Administrators Manual -> Privileged Account Credentials A Password List that is configured for Password Resets (Screenshot below of this setting when creating or editing a Password List) Quick Information About Privileged Accounts: After creating a privileged account, for security reasons only the person who created it is granted access to use it. If you find you create a Password Record, but cannot see the Privileged Account that you thought was already in the system, go back into the Administration -> Privileged Account screen and confirm you have access to it (any any other user in Passwordstate that you need) Screenshot below shows where this can be configured:
  23. Hi, I am wondering if there is a best practice for this situation: We want to use discovery and automated password management for local admin accounts and resources (service accounts and so on), but unfortunately not all systems can handle automatic password changes. Is there a way to use discovery and manually selecting the accounts that can be managed by the password reset scripts? Thanks in avance, Jasper
×