Azkabahn

Running Password Reset Scripts


Hi,

 

I am having a hard time understanding the password reset scripts procedure. The instructions don't go into much detail. To try this, I have set up a demo dummy host machine. I will try to list all the info in bullet points, so here it is:

  • I have created a private password list. With all the necessary options checked according to the manual.
  • List contains a password of the host machine (windows). Machine has only one account - administrator
  • In the "Privileged Account Credentials" section I have created a new credential with the same name as above and the same password.
  • If I run "Password Validation Scripts" it goes fine.
  • The problem occurs when I try to run "Reset Windows Password" script. I get the following error:

Error = Failed to reset the local password for account 'administrator' on Host '172.22.12.201'.Error = [172.22.12.201] Connecting to remote server 172.22.12.201 failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated

 

Even after adding the Passwordstate IP address to the remote host machine I still get the same error. Maybe I am missing something? The idea behind this is to add around 20 machines and execute the password changing script in order to change from the default one to something more random.


Hi Null_Spirit,

 

In the latest version of Passwordstate, we have simplified Password Reset scripts as you are right, it was a little bit hard to set up.  We've included some examples in the Help Manual, and we're hoping to maybe get some step by step forum posts, and maybe some video tutorials out there to help people.

 

With your issue above, I think the issue is possibly caused by Powershell Remoting not being enabled on your Host machines.  When you enable Powershell Remoting, this opens the required ports on the local firewall on the host machine, allowing the Powershell cmdlet "Invoke-Command" to run.  The error you are getting indicates that a local firewall is blocking the WinRM (Windows Remote Management) service, or that the service is not started. The later version of the Windows Validation script does not require Powershell Remoting to be enabled as they don't use the Invoke-Command cmdlet.

 

I believe if you enable PS Remoting on your dummy host as a test, this error should go away, and the script should execute. It sounds like you've set everything else up ok.  Can you let us know if this solves the problem?

 

FYI, here is a link to the requirements for the scripts: http://www.clickstudios.com.au/downloads/version7/Password_Discovery_Reset_and_Validation_Requirements.pdf

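The error text in the first post names the conditions under which WinRM accepts an IP address: HTTPS transport, or the destination being in the TrustedHosts list, with explicit credentials. TrustedHosts is read from the WinRM client configuration of the machine that opens the connection, and as the error notes, hosts listed there might not be authenticated. The PowerShell check below is an added example, not part of the original posts or of Click Studios' scripts; `Test-WinRmClientPath` is a hypothetical helper name, and the wildcard match only approximates how WinRM evaluates TrustedHosts entries.

```powershell
# Added example. Run in an elevated PowerShell session on the machine that
# initiates the WinRM connection (the Passwordstate server in this thread).
# 'Test-WinRmClientPath' is a hypothetical helper name, not a Passwordstate cmdlet.
function Test-WinRmClientPath {
    param(
        [Parameter(Mandatory)] [string] $Target,           # host name or IP of the remote host
        [Parameter(Mandatory)] [pscredential] $Credential  # explicit credentials for the remote host
    )

    # Does the target parse as an IP address? That is the case the error message is about.
    $ip   = $null
    $isIp = [System.Net.IPAddress]::TryParse($Target, [ref]$ip)

    # Client-side TrustedHosts: a comma-separated list, wildcards allowed.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $inTrustedHosts = [bool]($entries | Where-Object { $Target -like $_ })

    $result = [ordered]@{
        Target               = $Target
        TargetIsIpAddress    = $isIp
        InClientTrustedHosts = $inTrustedHosts
        WsManReachable       = $false
        RemoteCommandOk      = $false
        Error                = $null
    }

    try {
        # Authenticated WS-Management probe over the default HTTP listener.
        Test-WSMan -ComputerName $Target -Credential $Credential `
                   -Authentication Negotiate -ErrorAction Stop | Out-Null
        $result.WsManReachable = $true

        # Invoke-Command is the cmdlet the reply above says the reset script relies on.
        Invoke-Command -ComputerName $Target -Credential $Credential `
                       -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop | Out-Null
        $result.RemoteCommandOk = $true
    }
    catch {
        # Keep the WinRM error text so it can be compared with the one Passwordstate reports.
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Constructed sample call, using the IP address from the error message above:
# Test-WinRmClientPath -Target '172.22.12.201' -Credential (Get-Credential)
```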

Powershell Remoting is enabled with the "Force" flag. Firewall is disabled (just for testing purposes). Unfortunately, the password reset script doesn't work. Can the problem be that instead of hostname I put IP address of the machine?

The PasswordState version I am using is - V7.3 (Build 7393)

 

What I have done differently from what was posted above is:

  • Created additional administrator account. Now the host has two admin accounts: administrator and test1
  • The password list has a password record for the test1 account.
  • "Privileged Account Credentials" left as it was. It contains the administrator account and the password. The password is the same as for the "administrator" account on the host. Which is as it should be (?)
  • If I run account Heartbeat check it returns "A manual Account Heartbeat check successfully validated the password for account administrator (\SecUnit\Servers) of Account Type 'Windows' on Host 172.22.12.201".
  • The host is not connected to domain as well as users on that machine - can this be a problem? Is there a requirement that all the hosts must belong to domain?

 

I follow the tips and the instructions, but I end up with the problems anyhow. 


Hi Null_Spirit,

 

Can you try the following for us:

  • Go to the screen Hosts -> Password Reset Scripts
  • For the 'Reset Windows Password' reset script, select 'Test Script Manually' from the Actions dropdown menu (you will need to be using Build 7393 or higher to have this option)
  • Now test the script manually using the IP Address and relevant details, and if it fails the same as before, then change to the Host Name to see if it makes any difference

Can you let us know the outcome of this testing?

 

Thanks

Click Studios


Hi,

 

That is actually how I was testing the whole time. I have attached two screenshots. In the first one, you see two accounts. Both exist on the machine with administrator privileges. The "administrator" account is set in the "privileged account" section and it is also added in the password list. Both are connected. The password list has the reset functionality enabled as well.

 

see http://pasteboard.co/YKXNF23.png

 

 

It says that the account might be locked, but the host is not connected to the domain. Therefore the users are not connected to AD as well. So the option to unlock the user account is not present. And I think this is not the case.

 

see http://pasteboard.co/YKQsBXT.png

 

If you don't see what is wrong with my tests I guess I will just tell my colleague to try and set it up, it could be that I overlook something :)


Hi Null_Spirit,

 

I think we can see what the issue is here - when resetting accounts on Windows machines, we've really only designed this for machines which are joined to the domain, and using a Privileged Account in the format of Domain\UserID.

 

I'm not sure if it would work, but what if you specified the Privileged Account UserName in the format of .\Administrator or HostName\Administrator - obviously HostName\Administrator is not an ideal option, as it would require one Privileged Account per Host.

 

Regards

Click Studios


That's what I was thinking, that it probably works with the hosts connected to a domain. Unfortunately, we have some hosts that are not connected to the domain (don't know the reason), but do you think this is something you might improve?

I haven't tried with Linux reset scripts, but I hope that they don't have to be connected via LDAP :) If this is the case as with Windows hosts, then it would be really useful to have the ability to run reset scripts on hosts that are outside the domain.


Hi Null_Spirit,

 

We will need to look at whether we can get this working for non domain connected machines - we really overlooked this as part of the development planning, as it's not all that common to use PCs in workgroup environments.

 

Linux machines will be fine - we SSH in with UserName or Password, or in the upcoming build, the Privileged Account Credential can use Public Key Authentication.

 

Regards

Click Studios


Hi Support,

 

I'm having the same issue trying to reset the local administrator account with the local administrator account as the privileged account. Just getting this as the error:

Executing for Host 'hostnamee' at 04.03.2019 17:31:47.
Failed to reset the local password for account 'administrator' on Host 'hostnamee' as the Privileged Account password appears to be incorrect, or the account is currently locked.

 

Also trying .\Administrator or Hostname\Administrator does not work. Heartbeat works well....

 

Anything new on this?

 

Kind regards,

Constantin
 


Hello Constantin,

 

Could you try upgrading to version 8 to see if that helps - I'm assuming you are using version 7, as you've posted in the version 7 section of the forum.

 

If you are on version 8, can you confirm the password you have set for the Privileged Account Credential is correct - the error message indicates it is not. Also, if you are using the same Privileged Account, as the account being reset, then you don't really need the Privileged Account selected on the password record - it should be able to reset itself.

 

Also, the following document has some information which might help - https://www.clickstudios.com.au/downloads/version8/Password_Discovery_Reset_and_Validation_Requirements.pdf - look at section 14.

Regards

Click Studios
