Access Disconnected Passwords and Elevate Disconnected Accounts

You can access disconnected passwords or elevate a disconnected account from the web application, the web service, PowerShell, or the client directly. In this section, we describe the methods used and the configurations required for disconnected account management (DAM).

To retrieve a disconnected password or to elevate a disconnected account, you must use an all-access account or an account that has been delegated permissions to the list. For more information, please see Delegate Permissions for Disconnected Account Access.

Retrieve a Disconnected Password from the Web Application

Passwords > Disconnected Accounts

  1. Log into the web application as a user with appropriate permissions.
  2. Go to Passwords > Disconnected Accounts. You will see any lists you may access.


Disconnected Account Management - Enrolled Systems

  1. Click a list name to view its enrolled systems.
  2. Click the Show Password button (blue badge) to view the current and next passwords.

To elevate a disconnected account instead, please see Elevate a Disconnected Account.


Show Passwords for Disconnected Endpoint

  1. The web app shows the current derived password, computed from the stored secret and the number of iterations that have elapsed between the time the secret was generated and the current time. The display also shows the next expected password.

    You can also see the endpoint status. If the endpoint synchronized with the web service at the most recent expected time, the status is Online. If it did not synchronize at that time, the status shows how long it has been disconnected. If the endpoint has never synchronized with the web service, the status is Always Offline.


Retrieve a Disconnected Password with the Windows Service

From an administrative command prompt, run LocalPasswordClient.exe Password. This returns the current derived password and the secret it was derived from, based on the stored settings. Run the command in the same security context as the local service (LocalSystem) so that it reads the same stored secret the service uses and reproduces the service's behavior.

To execute a command as LocalSystem when you have administrative permissions, impersonate LocalSystem or use a tool such as PsExec. For example:

psexec -s "C:\Program Files (x86)\Lieberman\Offline Accounts\LocalPasswordClient.exe" password

The output would be similar to the following. Note that it includes the secret from which the current and next passwords are derived, so handle it with the same care as the password itself:

Current password:
jcr!Cl*{#;)^#l0~hr Z
Current secret:
kRqsrwwovoJqCgzt87Ji7mSNAqhKKAFy
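As an added example (not part of the product or its documentation), the following Python script runs the client as LocalSystem through PsExec and parses the output layout shown above into a dictionary. The password is kept verbatim because derived passwords can contain spaces and punctuation. The PsExec name and client path are assumptions, and the sample output used for the offline self-check is constructed from the listing above.

```python
"""Added example: retrieve the disconnected password by running
LocalPasswordClient.exe as LocalSystem via PsExec and parsing its output.
Not part of the product. The 'Label:' / value-on-next-line layout follows
the sample output in the documentation; the executable paths are assumptions."""
import subprocess
from typing import Dict, List

# Assumed default install path (matches the PsExec example in the text).
CLIENT_PATH = r"C:\Program Files (x86)\Lieberman\Offline Accounts\LocalPasswordClient.exe"


def parse_client_output(text: str) -> Dict[str, str]:
    """Parse output of the form 'Current password:' followed by a value line.

    The value line is consumed unconditionally after its label, so a password
    that happens to end in ':' is never mistaken for a new label. Values are
    kept verbatim (only the line terminator is removed) because a derived
    password may contain spaces and punctuation.
    """
    result: Dict[str, str] = {}
    lines: List[str] = text.splitlines()
    i = 0
    while i < len(lines):
        label = lines[i].strip()
        if label.endswith(":") and i + 1 < len(lines):
            key = label[:-1].strip().lower().replace(" ", "_")
            result[key] = lines[i + 1]
            i += 2
        else:
            i += 1
    return result


def retrieve_password(psexec: str = "psexec", client: str = CLIENT_PATH) -> Dict[str, str]:
    """Run the client as LocalSystem (psexec -s) and return the parsed fields.

    Raises if the expected 'Current password:' block is missing, for example
    because the client ran in the wrong context or could not read its stored
    secret. The returned dict contains the secret as well as the password;
    do not write it to logs or shell history.
    """
    cmd = [psexec, "-accepteula", "-s", client, "password"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    fields = parse_client_output(proc.stdout)
    if "current_password" not in fields:
        raise RuntimeError("client output did not contain a 'Current password:' block")
    return fields


# Constructed sample, copied from the listing in the text, for an offline self-check.
SAMPLE_OUTPUT = (
    "Current password:\n"
    "jcr!Cl*{#;)^#l0~hr Z\n"
    "Current secret:\n"
    "kRqsrwwovoJqCgzt87Ji7mSNAqhKKAFy\n"
)

if __name__ == "__main__":
    fields = retrieve_password()  # needs PsExec and the client installed
    print(len(fields["current_password"]), "character password retrieved")
```

Because PsExec relays the client's console output, the secret reaches whatever captured stdout; run this only where that capture is controlled, and prefer the web application when you need an audited checkout.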

For more information about PsExec, please see docs.microsoft.com/en-us/sysinternals/downloads/psexec.

For more information about the LocalSystem context, please see Endpoint Settings and Local Secret Storage.

For more information about Windows commands, please see Run Client Commands.

Retrieve a Disconnected Password with Python

From the command line, run: $ python /root/bin/REDOA/localUpdateServicePython.py SecretAndPassword. You must run this command with sufficient privileges to access the settings.json file (root by default).

For more information about Python commands, please see Python Script Options.

Elevate a Disconnected Account

Passwords > Disconnected Accounts

  1. Log into the web application as a user with appropriate permissions.
  2. Go to Passwords > Disconnected Accounts. You will see any lists you may access.


Disconnected Account Management - Enrolled Systems

  1. Click a list name to view its enrolled systems.
  2. Click the Create Elevation Code button (up arrow) to get a code to elevate an account on the desired endpoint.


Create Elevation Code

  1. When the dialog appears, you can click Create to immediately create an elevation code with the default settings. To change the settings, click Hide/Show Details.
    • Local Group: Enter the name of the group to which you wish to elevate the account.
    • Elevation Duration: Set how many minutes the elevation should last.
    • Elevation Start Time: Set the date and time for the elevation code to become active.
  2. Click the Copy button to copy the Activation Code to your clipboard.


If you select Today from the calendar, the start time defaults to the current hour. To use a different start time, pick a date from the calendar.


Make sure you remember any changes you make to the default settings, because the endpoint client must be given the same values. The endpoint performs five checks: activation code, local group, elevation duration, time stamp, and shared secret. If any of these values does not match, the elevation fails.

This code remains valid for the length of time set in the management console, plus the number of minutes remaining until the top of the hour. For example, if the settings dictate that codes should last for one hour and if you check out a code at 8:15, the code will remain valid until 10:00. You can reuse that same code any number of times within this time frame. If you need to elevate the account after this code has expired, you must go through the account elevation process again.

This code window is not related to the elevation duration. As long as the elevation begins while the code is valid, the elevation can continue past the code expiration.
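The following Python example is added here to make the two time windows concrete; it is not part of the product. It applies the rules stated above (a code is accepted for the configured lifetime plus the minutes remaining until the next top of the hour, and an elevation that starts while the code is valid runs for its full duration regardless of when the code expires). It assumes naive datetimes in the console's local time, whole-minute lifetimes, a checkout exactly on the hour adding no extra minutes, and an optional activation time that models the Elevation Start Time setting.

```python
"""Added example: compute how long an elevation code stays usable and whether
a planned elevation can start under it. Not the product's own logic; the
rules follow the documentation text, the assumptions are noted below."""
from datetime import datetime, timedelta
from typing import Optional


def code_expiry(checked_out: datetime, code_lifetime_minutes: int) -> datetime:
    """Moment after which a code checked out at `checked_out` is no longer accepted.

    Per the text: lifetime plus the minutes remaining until the top of the
    hour, i.e. the lifetime counted from the next hour boundary. Assumption:
    a checkout exactly on the hour adds no extra minutes.
    """
    top_of_hour = checked_out.replace(minute=0, second=0, microsecond=0)
    if top_of_hour != checked_out:
        top_of_hour += timedelta(hours=1)
    return top_of_hour + timedelta(minutes=code_lifetime_minutes)


def elevation_end(start: datetime, duration_minutes: int,
                  checked_out: datetime, code_lifetime_minutes: int,
                  active_from: Optional[datetime] = None) -> Optional[datetime]:
    """End of an elevation that begins at `start`, or None if the code cannot
    be used at that moment (not yet active, or already expired).

    Once the elevation has been granted it keeps its full duration; the code
    window only gates the start.
    """
    not_before = active_from or checked_out           # Elevation Start Time, if set
    if not (not_before <= start < code_expiry(checked_out, code_lifetime_minutes)):
        return None
    return start + timedelta(minutes=duration_minutes)


if __name__ == "__main__":
    checkout = datetime(2024, 1, 1, 8, 15)            # the 8:15 example from the text
    print("code usable until", code_expiry(checkout, 60))          # 10:00
    print("2h elevation started 9:55 ends", elevation_end(datetime(2024, 1, 1, 9, 55), 120, checkout, 60))
    print("started 10:00 ->", elevation_end(datetime(2024, 1, 1, 10, 0), 120, checkout, 60))  # None
```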

For more information, please see Disconnected elevation settings.

Local Account Elevation Client

  1. On the disconnected endpoint, open LocalElevationClient.exe, installed by default at C:\Program Files (x86)\Lieberman\Offline Accounts\LocalElevationClient.exe, and typically accessible through the desktop shortcut Lieberman RED Offline Accounts Elevation.
  2. Enter the activation code and set any options you changed from their defaults in the web app so that the values match. Then click Submit. The account elevates to the specified group for the set length of time.


After an account has been de-elevated, a setting in the management console can force the account to be logged off the managed system.