Add Windows Components to Password Safe

Password Safe can manage Active Directory and LDAP directories and directory accounts, as well as credentials used to run the following:

  • Windows services
  • Windows scheduled tasks
  • IIS application pools
  • COM+ and DCOM applications
  • SCOM RunAs identities

Add a Directory

  1. From the left menu, select Managed Systems.
  2. Click Create New Managed System.
  3. From the Type list, select Directory.
  4. From the Platform list, select Active Directory or LDAP.
  5. Configure the settings for the directory, and then click Create Managed System.

For more information on adding managed systems manually, please see Add a Managed System Manually.

Add Directory Accounts

You can add directory accounts manually or by creating an Active Directory account with a Smart Group.

Add Directory Accounts Manually

  1. On the Managed Systems page, select the managed system for the directory, and then click the vertical ellipsis button for the managed system.

Filter the list of managed systems in the grid by selecting Directory Managed Systems from the Smart Group filter to quickly find your managed system.

  2. Select Create Managed Account.
  3. Configure the managed account settings as necessary, and then click Create Account.

When configuring the managed account settings for an Active Directory account, you can choose a domain controller to change or test a password. The domain controller on the managed account overrides a domain controller on the functional account selected.

For more information on adding managed accounts manually, please see Add a Managed System Manually.

Discover Active Directory Accounts with an Active Directory Query

  1. From the left menu, click Smart Rules.
  2. From the Smart Rule type filter list, select Managed Account.
  3. Click + Create Smart Rule.

Managed Account Smart Rule for an Active Directory Query showing filters and actions.

  4. Select Managed Accounts from the Category list.
  5. Provide a name and description for the Smart Rule.
  6. Set the following Selection Criteria:
    • Directory Query > Include accounts from Directory Query.
    • Select the query from the list, or click Create New Directory Query to open the form and create the query.
    • Ensure the Discover accounts for Password Safe Management option is enabled.
    • Select a Domain from the list.
  7. Set the following Actions:
    • Show managed account as Smart Group.
    • Manage Account Settings: Configure these settings as necessary, ensuring to select the following options from the Account Options dropdown:
      • Change Password after Release
      • Check Password
      • Enable accounts for AD/LDAP queries

By default, the Smart Rule auto manages the passwords for the directory accounts. If you do not want this, set Enable Automatic Password Management to no; otherwise, ALL accounts in the query will have passwords changed.

  8. Click Create Smart Rule.

To view the contents of a Smart Rule when creating a new rule or editing an existing rule:
  • Once the rule is saved, click View Results.
  • You are taken to the associated grid, where the contents of the Smart Rule are listed.
  • If the rule is actively processing, a banner displays letting you know that.
  • View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e., Assets, Managed Accounts, or Managed Systems.
  • The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.
Because the Smart Rule must process before its contents appear in the grid, we recommend viewing the results with only the Show <entity> as Smart Group action selected, before adding further actions that may make changes to accounts and assets in your network.

Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.
  9. To view the Active Directory accounts:
    • Go to the Managed Accounts page.
    • Select the newly created Smart Group from the Smart Group filter list.

Link Active Directory Accounts to Managed System

You can link Active Directory accounts to managed systems on a specified domain.

  1. From the left menu, click Managed Systems.
  2. Select the managed system, and then click the vertical ellipsis button for the managed system.
  3. Select Go to Advanced Details.
  4. Under Advanced Details, click Linked Accounts.
  5. Filter the list by Not Linked.
  6. Select the accounts, and then click Link Accounts above the grid.

Create an Active Directory Functional Account

When creating an Active Directory managed account, the functional account requires a domain controller. Administrators can choose a targeted domain controller from the menu, or select Any Domain Controller, which allows Active Directory to choose.

If a failure occurs when connecting to a target domain controller, Password Safe connects at the domain level.

Add Propagation Actions to Managed Accounts

Password Safe allows you to manage the credentials for Windows Services, Task Scheduler, IIS Application Pools, Windows Auto Logon, COM+ Applications, DCOM Applications, and SCOM RunAs Identities. These accounts can be added as managed accounts in Password Safe. When their passwords are changed by Password Safe, the credentials are updated in any systems associated with the managed account, if these options are assigned under Advanced Details > Propagation Actions on the managed account.

The information below applies only to propagation actions that target Windows systems. It does not apply to Unix or Linux systems, or to SSH script actions.

For propagation actions that target Windows systems, Password Safe deploys a local agent to managed systems via the Password Safe Propagation Service to complete its tasks.

When a managed account password change occurs and Password Safe determines that a propagation action must occur, the Password Safe Propagation Service connects to the remote host using the Named Pipes (SMB) protocol over TCP port 445 (as well as UDP ports 137, 138, 139) to access the ADMIN$ share and authenticates using the functional account specified in the managed system. This connection occurs directly from the appliance.

Once connected, the Password Safe Propagation Service creates a temporary folder on the ADMIN$ share, \\remotehost\admin$\RBExecService, and deploys the BTExecService.exe local agent in this folder. The propagation service then completes all of the required propagation actions locally using BTExecService.exe.

After all required propagation actions are complete, the propagation service deletes the BTExecService.exe agent, as well as the temporary folder on the ADMIN$ share.

The following access is required for propagation actions to succeed:

  • The functional account requires access to the ADMIN$ share on the target managed system(s).
  • The Microsoft .NET Framework must be at version 4.7.2 or above on the target managed system(s).
  • The \\remotehost\admin$\RBExecService folder and the BTExecService.exe agent must be exempt from any security or endpoint protection software on the target managed system(s).

The following network ports must be accessible between the Password Safe appliance and target managed system(s):

  • 445 (TCP)
  • 137 (UDP)
  • 138 (UDP)
  • 139 (UDP)
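As an added pre-flight check (example code, not part of the Password Safe product), the following PowerShell script, run from an administrative workstation against one target, verifies the requirements listed above: TCP 445 reachability, access to ADMIN$, the .NET Framework 4.7.2 release value, and endpoint-protection exclusions for the staging folder and agent. The -Target parameter, the Microsoft Defender-only exclusion check and the mapping of ADMIN$ to %SystemRoot% are assumptions of this example.

```powershell
# Added example (not BeyondTrust code): pre-flight checks for Password Safe
# propagation actions against one Windows target.
# Assumptions: run from an admin workstation whose current user has
# administrative rights on the target; PowerShell Remoting is enabled there.
param(
    [Parameter(Mandatory)][string]$Target
)

$results = [ordered]@{}

# 1. SMB reachability on TCP 445. Test-NetConnection probes TCP only, so the
#    UDP NetBIOS ports 137-139 still have to be confirmed at the firewall.
$tcp = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
$results['TCP 445 reachable'] = [bool]$tcp.TcpTestSucceeded

# 2. ADMIN$ share access with the current credentials. The functional account
#    configured on the managed system needs the same access.
$results['ADMIN$ share accessible'] = Test-Path -LiteralPath "\\$Target\admin$"

# 3. .NET Framework 4.7.2 or later. Microsoft publishes the minimum Release
#    DWORD per version under the NDP\v4\Full key; 461808 corresponds to 4.7.2.
$release = Invoke-Command -ComputerName $Target -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -Name Release -ErrorAction SilentlyContinue).Release
}
$results['.NET Framework 4.7.2 or later'] = ($release -ge 461808)

# 4. Endpoint-protection exclusions for the staging folder and the agent.
#    ADMIN$ maps to the Windows directory, so the folder is
#    %SystemRoot%\RBExecService. Only Microsoft Defender is queried here;
#    other products need their own check, and process exclusions entered as
#    full paths are not matched by the simple name comparison below.
$ep = Invoke-Command -ComputerName $Target -ScriptBlock {
    $dir  = Join-Path $env:SystemRoot 'RBExecService'
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Folder          = $dir
        FolderExcluded  = ($pref.ExclusionPath -contains $dir)
        ProcessExcluded = ($pref.ExclusionProcess -contains 'BTExecService.exe')
    }
}
$results["Defender path exclusion for $($ep.Folder)"] = [bool]$ep.FolderExcluded
$results['Defender process exclusion for BTExecService.exe'] = [bool]$ep.ProcessExcluded

# Print one OK/FAIL line per requirement.
$results.GetEnumerator() | ForEach-Object {
    '{0,-60} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```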

Assign Propagation Actions to Managed Accounts

You can manually assign propagation actions to a managed account as follows:

  1. From the Managed Accounts page, click the vertical ellipsis for an account.
  2. Select Go to Advanced Details.

Screenshot of Propagation Actions in the Advanced Details of a Managed Account.

  3. Under Advanced Details, click Propagation Actions.
  4. Click Assign Propagation Action above the grid.

Screenshot showing the Assign Propagation Action window for a managed account.

  5. Select a Propagation Action from the list.

To create a custom propagation action, click Create New Propagation Action below the dropdown and complete the form. Please see Create Custom Propagation Action to Run a Script for more information.

  6. Select a Propagation Set to assign to this managed account. The Propagation Action runs on each managed system found in the Propagation Set.
    • Select Latest Discovery Data to use managed systems from the most recent detailed discovery scan.
    • Select a Managed System-Based Smart Rule from the list to use managed systems associated with a Smart Rule.

Manage Propagation Mappings Action in a Managed Account Smart Rule.

Propagation actions are also available when creating a managed account Smart Rule by selecting Manage Propagation Mappings under Actions, and then checking the applicable actions from the Propagation Action dropdown.

Available built-in Propagation Actions

  • Update Services
  • Update and Restart Services
  • Update Scheduled Tasks
  • Update IIS Application Pools
  • Update and Restart IIS Application Pools
  • Update Windows Auto Logon
  • Update COM+ Applications
  • Update DCOM Applications
  • Update SCOM RunAs Identities

Create Custom Propagation Action to Run a Script

Password Safe also allows you to create new propagation actions to run PowerShell, Windows Command, and Unix Shell scripts as follows.

Ensure you have deployed your script to your desired systems prior to creating a custom propagation action to run a script, as Password Safe does not deploy the script.

  1. Navigate to Configuration > Privileged Access Management > Propagation Actions.
  2. Click + Create Propagation Action.

Screenshot of the Create New Propagation Action form.

  3. Complete the form by selecting the type of script to run, providing a name and description for the action, entering the full path (including script name) to the script you want to execute, and specifying the command line parameters. The following parameters can be used:
    • %u managed account name
    • %p managed account password
    • %h script host name
    • %i script host ip
    • %j managed system name
    • %k managed system ip

The %p parameter must be in quotes to be passed correctly in the command line.

  4. Click Create Propagation Action.
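As an added example of a script that a custom propagation action could run (example code, not BeyondTrust's), the following PowerShell script receives the %u, %p, %h, %i, %j and %k parameters described above, confirms that the domain or local machine accepts the newly propagated credential, and records the outcome in the Application event log without the password. It assumes the script is already deployed on the target and that the command line entered in the action form is `-User %u -Password "%p" -ScriptHost %h -ScriptHostIp %i -SystemName %j -SystemIp %k`; the parameter names, the event source name and the DOMAIN\user or user@domain account formats are assumptions.

```powershell
# Added example (not BeyondTrust code): custom propagation script that verifies
# the propagated credential and logs the result without exposing the password.
# Assumed command line in the propagation action form (note %p in quotes):
#   -User %u -Password "%p" -ScriptHost %h -ScriptHostIp %i -SystemName %j -SystemIp %k
param(
    [Parameter(Mandatory)][string]$User,       # %u managed account name
    [Parameter(Mandatory)][string]$Password,   # %p managed account password
    [string]$ScriptHost = $env:COMPUTERNAME,   # %h script host name
    [string]$ScriptHostIp = '',                # %i script host ip
    [string]$SystemName = '',                  # %j managed system name
    [string]$SystemIp = ''                     # %k managed system ip
)

$EventSource = 'PasswordSafePropagation'   # assumed name; registered on first run
$detail = ''

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Accept DOMAIN\user or user@domain; anything else is treated as a local account.
if ($User -match '^([^\\]+)\\(.+)$')     { $domain = $Matches[1]; $sam = $Matches[2] }
elseif ($User -match '^([^@]+)@(.+)$')   { $domain = $Matches[2]; $sam = $Matches[1] }
else                                     { $domain = $null;       $sam = $User }

# Validate against the domain when one was given, otherwise against this machine.
try {
    $ctx = if ($domain) {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
    } else {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    }
    $ok = $ctx.ValidateCredentials($sam, $Password)
} catch {
    $ok = $false
    $detail = $_.Exception.Message
}

# The log entry carries only the outcome; $Password is never written anywhere.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}
$msg = "Propagation check for '$User' on $SystemName ($SystemIp) from $ScriptHost ($ScriptHostIp): " +
       $(if ($ok) { 'credential accepted' } else { "credential rejected $detail" })
Write-EventLog -LogName Application -Source $EventSource `
    -EventId $(if ($ok) { 1000 } else { 1001 }) `
    -EntryType $(if ($ok) { 'Information' } else { 'Error' }) -Message $msg

# Non-zero exit code makes a failed check visible to whatever collects the result.
exit $(if ($ok) { 0 } else { 1 })
```

Because %p arrives as a plain command-line argument, it is visible to anyone who can read the script host's process list while the script runs, so keep such scripts short-lived and never echo or log the parameter.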

When a propagation action is triggered, the activity is logged as an event for the managed account. You can view events by viewing the advanced details for a managed account and clicking Events in the Advanced Details pane. Password changes as well as propagation actions that occurred for that account are listed in the Events grid.

Manage Windows Service Accounts

When managing Windows services on managed systems in a clustered configuration, the Windows Services Cluster API is used. For successful update of clustered service credentials, all nodes of the cluster must be managed by Password Safe.

When a service is under Password Safe management, the following occurs when the managed account password changes:

  • A service that is running restarts when the password is changed.
  • A service that is stopped is not restarted when the password is changed.
  • Dependent services may or may not restart based on the state of the primary service.

Before adding a service account to Password Safe management, we recommend you do the following:

  • Verify machines are in the domain, if applicable.
  • Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add a service account to Password Safe management.

Prepare the Service

  1. On the asset where the service resides, open the Windows Services snap-in and stop the service if running.
  2. Right-click the service, and then select Properties.
  3. Select the Log on tab and enter the local or Active Directory account and current credentials. If required, retrieve a password using the Password Safe administrator credentials.
  4. Restart the service to verify it starts successfully.

Run a Scan on the Service Assets

  1. In the BeyondInsight Console, click Discovery Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data on the services for the targets.
  2. Add the discovered assets to Password Safe management.
  3. Verify the following:
    • From the Assets page:
      • Select the asset, and then click the vertical ellipsis button for the asset.
      • Select Go to Advanced Details.
      • Under Scan Data, click Services.
      • Confirm the services have been collected, their Status is Running, and the Log On As account name is correct.
    • From the Managed Systems page:
      • Select the managed system, and then click the vertical ellipsis button for the system.
      • Select Edit Managed System.
      • Verify that NetBIOS Name is entered.
  4. From the Managed Accounts page:
    • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
    • Select Go to Advanced Details.
    • Click Propagation Actions from the Advanced Details pane.
    • Click Assign Propagation Action and assign the Update Services or Update and Restart Services action for this account.
  5. From the Managed Accounts page:
    • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
  6. Restart the service to verify the password change. The password change is successful if the service restarts. Otherwise, the password change is not successful. Go through all the steps in this chapter to troubleshoot.

Manage Windows Scheduled Task Accounts

When a scheduled task is under Password Safe management, the following occurs when the managed account password changes:

  • A scheduled task that is running stops when the password is changed.
  • A scheduled task that is stopped will run again at its next scheduled interval time.

Before adding a scheduled task account to Password Safe management, be sure to:

  • Start the Task Scheduler service on the target.
  • Verify machines are in the domain, if applicable.
  • Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add scheduled task accounts to Password Safe management.

Prepare the Scheduled Tasks

  1. On the asset where the scheduled task resides, open the Task Scheduler snap-in and end the task if running.
  2. Right-click the scheduled task, and then select Properties.
  3. On the General tab, click Change User, and enter the local or Active Directory account and current credentials. If required, retrieve a password using the Password Safe administrator login.
  4. Run the task to verify it runs successfully.

Run a Scan on the Scheduled Tasks Assets

  1. In the BeyondInsight Console, click Discovery Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data for the scheduled tasks for the targets.
  2. Add the discovered assets to Password Safe management.
  3. Verify the following:
    • From the Assets page:
      • Select the asset, and then click the vertical ellipsis button for the asset.
      • Select Go to advanced details.
      • Under Scan Data, click Scheduled Tasks.
      • Confirm the scheduled tasks were collected.
      • Click the i button for each scheduled task and verify the Run As account name is correct.
    • From the Managed Systems page:
      • Select the managed system, and then click the vertical ellipsis button for the system.
      • Select Edit Managed System.
      • Verify that NetBIOS Name is entered.
  4. From the Managed Accounts page:
    • Select the managed account associated with the scheduled task, and then click the vertical ellipsis button for the managed account.
    • Select Go to Advanced Details.
    • Click Propagation Actions from the Advanced Details pane.
    • Click Assign Propagation Action and assign the Update Scheduled Tasks action to this account.
  5. From the Managed Accounts page:
    • Select the managed account associated with the scheduled task, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
  6. Run the scheduled task to verify the password change. The password change is successful if the scheduled task starts. Otherwise, the password change is not successful. Go through all the steps in this chapter to troubleshoot.

Manage Windows IIS Application Pool Accounts

When an IIS application pool account is under Password Safe management, the following occurs when the managed account password changes:

  • An IIS application pool that is running restarts when the password is changed.
  • An IIS application pool that is stopped is not started when the password is changed.

Before adding an IIS application pool account to Password Safe management, be sure to:

  • Start the IIS Admin Service on the target.
  • Verify machines are in the domain, if applicable.
  • Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add IIS application pool accounts to Password Safe management.

Run a Scan on the IIS Application Pool Assets

  1. In the BeyondInsight Console, click Discovery Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data for the IIS application pools for the targets.
  2. Add the discovered assets to Password Safe management.
  3. Verify the following:
    • From the Assets page:
      • Select the asset, and then click the vertical ellipsis button for the asset.
      • Select Go to advanced details.
      • Under Scan Data, click Application Pools.
      • Confirm the IIS application pools have been collected, and that their Identity account name is correct.
    • From the Managed Systems page:
      • Select the managed system, and then click the vertical ellipsis button for the system.
      • Select Edit Managed System.
      • Verify that NetBIOS Name is entered.
  4. From the Managed Accounts page:
    • Select the managed account associated with the IIS application pool, and then click the vertical ellipsis button for the managed account.
    • Select Go to Advanced Details.
    • Click Propagation Actions from the Advanced Details pane.
    • Click Assign Propagation Action and assign the Update IIS Application Pools or Update and Restart IIS Application Pools action to this account.
  5. From the Managed Accounts page:
    • Select the managed account associated with the IIS application pool, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.

Manage Windows Auto Logon, COM+ Application, DCOM Application, SCOM RunAs Identities Accounts

Complete the following procedures to prepare and add a service to Password Safe management.

Run a Scan on the Service Assets

  1. In the BeyondInsight Console, click Discovery Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data on the services for the targets.
  2. Add the discovered assets to Password Safe management.
  3. From the Managed Accounts page:
    • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
    • Select Go to Advanced Details.
    • Click Propagation Actions from the Advanced Details pane.
    • Click Assign Propagation Action and assign the appropriate Windows Auto Logon, COM+ Applications, DCOM Applications, and SCOM RunAs Identities propagation actions for this account.
  4. From the Managed Accounts page:
    • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.

The functional account associated with the SCOM Managed System must be added to the Operations Manager Administrators profile in the SCOM Operations Manager Console.