Local Windows Account Password Reset Example


support

Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process)

Step 2: Add new Password Record configured as follows:

 

Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account.  If you configure an Expiry Date it will automatically change the password in Passwordstate and on the Host when that date is reached.

2016-08-01_14-43-44.png

 

Screen 2: Ensure you select the appropriate Privileged Account and the Reset Windows Password reset script. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs.

 

2016-08-01_14-43-59.png

 

Screen 3: Confirm the Validate Password for Windows Account validation script is selected.

2016-08-01_14-44-12.png

  • 3 years later...
  • 8 months later...

Hi, we are currently evaluating using this to reset the Local Admin account password of our Windows laptops, versus using LAPS. I just have a few questions that I am hoping I could get some clarity on:

 

  1. What happens if a laptop is off the network for an extended period of time? (e.g. after the password reset time). This is very common in our environment, especially now with the amount of people that we have WFH.
  2. Does the reset script only run at the specified time? How often does it retry to reset a pwd? As per the previous question, we have a lot of users coming and going.
  3. In the screenshot above it looks like the password reset is being set for 1 host. Is there an easy way to do this for all of our hosts? (over 7000).
  4. Are there any drawbacks of using this instead of LAPS?

Thanks!


Hello Juan,

Thanks for your post, and please see answers below:

 

  • What happens if a laptop is off the network for an extended period of time? (e.g. after the password reset time). This is very common in our environment, especially now with the amount of people that we have WFH.
    If a device is not contactable, the reset engine will reschedule the reset for the same time the following day. If the device is no longer trusted on the domain, due to being offline for a long period, then you will most likely get an error when trying to perform the next reset.
  • Does the reset script only run at the specified time? How often does it retry to reset a pwd? As per the previous question, we have a lot of users coming and going.
    Yes, it only runs at the specific time, and it will keep trying daily at the same time.
  • In the screenshot above it looks like the password reset is being set for 1 host. Is there an easy way to do this for all of our hosts? (over 7000).
    We recommend using our Discovery Jobs for this - found under the Tools Menu. Under the Hosts Menu, you can also create a Host Discovery Job, which monitors AD and can automatically import your host records. Used in conjunction with each other, you do not need to manually create any records. If possible, it might pay to see if you can split the discovery job results between multiple Password Lists, and 7000 records in one List might slow down the UI a bit - it won't be too bad though if you have paging set for 10 records on the grid.
  • Are there any drawbacks of using this instead of LAPS?
    Not that we are aware of. By default LAPS stores the passwords in unencrypted format in AD, so our solution is more secure as well.

 

Regards

Click Studios


Hello Juan,

 

I also forgot to mention some improvements coming in V9 for discovery jobs and resets:

  • Multi-threading for the discovery jobs - making the process a lot quicker
  • And when accounts are discovered and added into a Password List, you can randomize the schedule for resets to be between two time-slots - so that you won't have all 7000 accounts trying to be reset at the same time

We expect a beta of V9 available later this month, and official release during January next year.

Regards

Click Studios


  • 3 weeks later...

Hi,

 

We have also started to use discovery jobs. I have 2 host discovery jobs scanning 2 different sites in Active Directory.

 

Site 1 computers

Site 2 computers

 

The problem I have is when I create a Windows local admin discovery job, it is taking hosts found on BOTH host discovery jobs.

 

How can I ensure they remain separate and keep them within their respective password lists?

 

I was looking at host tag filters but couldn't find anything for use of wildcards for example.

 

Any help appreciated.


Hi Kyle,

 

Our Tag field is the only real option to filter based on the Host Discovery Job. Are you specifying multiple OU's with your Host Discovery Job, and that's why you need Wildcard matching on the Account Discovery Jobs?

 

If you are using multiple OU's, is there any part of the OU's that would be unique to each of your jobs?


Regards

Click Studios


There are several sites, but we can use 2 for the sake of example.

 

I have 2 discovery jobs 

Site1 with sub OU Computers

Site2 with sub OU Computers

 

Each site has its own computer naming convention:

 

Site 1 workstation

S1W00001

S1W00002

 

Site 2 workstation

S2W00001

S2W00002

 

Right now with this setup the password discovery job is adding all hosts discovered from both jobs.

 

What would work as a wildcard for me is

S1W*

Or

S1W?????

 

* Anything that contains S1W of any length

? Specific amount of potential characters

 


  • 1 year later...

I'm currently getting a large list of failed password resets.
The passwords are correct, the heartbeat confirms them as correct (green light) but the resets keep failing for no particular reason.
It worked fine before.

The error message I'm getting is the following:

The Passwordstate Windows Service failed to process the Password Reset Script 'Reset Windows Password' against Host 'vvcbpsageobn1.belfla.be' for the account 'Administrator' (\Shared Lists\Servers\DWH + GEO + GIS + QV + MIV\Windows Users). As a result, no changes have been made to this record in Passwordstate. Error = Failed to reset the local password for account 'Administrator' on Host 'vvcbpsageobn1.belfla.be'.Error = Method invocation failed because [System.Net.NetworkCredential] doesn't contain a method named 'new'. = Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number.".

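The first error in the message above, `[System.Net.NetworkCredential] doesn't contain a method named 'new'`, is what Windows PowerShell reports when the `[Type]::new()` constructor syntax, introduced in PowerShell 5.0, runs on an older engine. The following is an added example, not part of the original post or of Click Studios' reset script: it checks which engine version is in play and builds the credential in a way that does not depend on `::new()`. The function names are hypothetical, and that an older engine is the cause in this case is an assumption to verify.

```powershell
# Added example. Function names are hypothetical; nothing here is taken from
# the Passwordstate 'Reset Windows Password' script.

function Get-PSEngineSupport {
    # Reports the PowerShell engine version locally, or on each named host via
    # PowerShell remoting, and whether [Type]::new() (5.0+) is available there.
    param([string[]]$ComputerName)

    $probe = {
        $v = $PSVersionTable.PSVersion
        New-Object PSObject -Property @{
            Computer          = $env:COMPUTERNAME
            PSVersion         = $v.ToString()
            SupportsStaticNew = ($v.Major -ge 5)
        }
    }

    if ($ComputerName) {
        # Unreachable hosts produce non-terminating errors and are skipped.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe |
            Select-Object Computer, PSVersion, SupportsStaticNew
    }
    else {
        & $probe | Select-Object Computer, PSVersion, SupportsStaticNew
    }
}

function New-NetworkCredentialCompat {
    # Builds a System.Net.NetworkCredential without [Type]::new(), so the same
    # code runs on Windows PowerShell 2.0 through 5.1 and PowerShell 7.
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $psCred = New-Object System.Management.Automation.PSCredential($UserName, $Password)
    $psCred.GetNetworkCredential()
}

# Local check, then a compatibility-safe credential from a constructed sample value.
Get-PSEngineSupport
$sample = ConvertTo-SecureString 'Constructed-Sample-Value-1' -AsPlainText -Force
$cred   = New-NetworkCredentialCompat -UserName 'Administrator' -Password $sample
'Built credential for user: {0}' -f $cred.UserName
```

Run `Get-PSEngineSupport` on the machine where the reset script executes, and pass the failing host names with `-ComputerName` (PowerShell remoting must be enabled) to compare them with hosts where resets still succeed.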
