Fabian Näf

Windows Dependency Discovery Job: Exclude User & Use of Password Generator


Hi

 

I've two feature requests for Windows Dependency Discovery Jobs:

 

Exclude Users

We considered the following scenario: A Domain Admin creates a new Scheduled Task or Windows Service and uses his own Domain Administrator account for this (just temporarily, for testing).

If the Windows Dependency Discovery Job then ran, his Domain Administrator account would be added to Passwordstate and his password would be reset.

To prevent this, it would be great if we could include/exclude accounts for the Windows Dependency Discovery Job by using matching patterns, e.g. exclude "doa-*".

 

Use of Password Generator

In the Windows Dependency Discovery Job there is an option "When new accounts are discovered, set the initial password in Passwordstate to be". There I have to enter a password. If I understand it right, every discovered account will then use this password until it expires. In my opinion this is a security issue.

When I configure a Windows Local Admin Accounts Discovery Job, I can choose that a new password will be generated randomly (I guess it uses the password generator policy).

It would be great if you could add this option for Windows Dependency Discovery Job as well.

 

I'm aware that it will take some time until version 8 is released and that you will only be able to work on my feature request afterwards. So don't hurry :)

 

Best regards,

 

Fabian


Hi Fabian,

 

For your first request we could look into this, but obviously your Admins should not be using their own account for this sort of thing. Also, their accounts would not be straight away, only on the next schedule - so hopefully you can fix/delete these records before that happens.

For the second request, we do not believe this is a security risk. With the Windows Dependency job, we are not "resetting" passwords anywhere on discovery - because this may be disruptive to services. All this setting does is set the initial password in Passwordstate, and then next time a manual or scheduled reset occurs, then everything will be in sync. I hope this clarifies, and please let us know if you have any further questions about this.

Regards

Click Studios


Thanks a lot for your explanation.

 

Exclude Users

I totally agree with you that a domain admin should never use his own account for running scheduled tasks. But you know :)... they do it just temporarily, just for testing... and then they forget to change it :D

 

Use of Password Generator

I just used the Windows Local Admin Accounts Discovery Job before, and immediately after discovery my passwords got changed. So I thought the same behaviour would occur with the Windows Dependency job. But the passwords got changed because I set "Upon discovery, perform an immediate Password Reset for the account, based on the value of the password setting above: Yes".

I absolutely agree with you that this isn't a security risk. So I'd like to withdraw my feature request for that :-)

 

Thanks a lot for your explanations and fast support as always! It's highly appreciated!

 

Best regards,

 

Fabian

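An audit for the scenario discussed in this thread, as an added example that is not part of the original posts and is not Click Studios or Passwordstate code: it lists Windows services and scheduled tasks on the local host that run under accounts matching a name pattern, so they can be moved to a dedicated service account before the next discovery run. The `doa-*` default comes from the thread; the function names are hypothetical.

```powershell
# Added example (not from the thread): find services and scheduled tasks on
# this host that run under accounts matching a pattern such as "doa-*".
param(
    [string[]]$Pattern = @('doa-*')   # admin-account naming pattern from the thread
)

function Get-AccountLeaf {
    # Reduce DOMAIN\user or user@domain to the bare user name for matching.
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $null }
    $name = $Account.Trim()
    if ($name.Contains('\')) { $name = $name.Split('\')[-1] }
    if ($name.Contains('@')) { $name = $name.Split('@')[0] }
    return $name
}

function Test-AccountMatch {
    # True when the bare account name matches any wildcard pattern.
    param([string]$Account, [string[]]$Pattern)
    $leaf = Get-AccountLeaf $Account
    if (-not $leaf) { return $false }
    foreach ($p in $Pattern) {
        if ($leaf -like $p) { return $true }
    }
    return $false
}

# Services: Win32_Service.StartName holds the logon account.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-AccountMatch $_.StartName $Pattern } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; RunAs = $_.StartName }
    }

# Scheduled tasks: Principal.UserId holds the run-as account (empty for group principals).
$tasks = Get-ScheduledTask |
    Where-Object { Test-AccountMatch $_.Principal.UserId $Pattern } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'ScheduledTask'
                           Name = $_.TaskPath + $_.TaskName
                           RunAs = $_.Principal.UserId }
    }

# Emit objects so the result can be piped to Export-Csv or Format-Table.
@($services) + @($tasks) | Sort-Object Type, Name
```

Matching is done on the bare user name, so `CONTOSO\doa-fabian` and `doa-fabian@contoso.local` (constructed sample names) both match `doa-*`.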
