AdmPwd.PS Management Module

Updated: 25 Dec 2020

Description

The module provides full user and management capabilities for the AdmPwd.E solution.
User capabilities include:

  • Reading of managed passwords (local admins and managed domain accounts)
  • Reset of managed passwords (planned in the future or immediate)
  • Management of password history length for managed local admin accounts

Management capabilities include:

  • AD Schema update
  • Delegation model maintenance
  • Generation of new encryption keys
  • PDS management
  • Environment statistics

AdmPwd.PS Cmdlets

Adds configuration of an AD container with accounts with automatically managed passwords to the configuration of PDS.

PDS manages managed domain accounts in specified AD containers (typically OUs).
Each container has its own password configuration (complexity, age, encryption key, etc.).
All user accounts in the container are subject to automatic password management.
The configuration of managed-account containers is stored in the PDS configuration file.

Adds a mapping of SIDs from an untrusted forest to SIDs from the PDS forest.

PDS supports management of untrusted forests.
However, for management of untrusted forests, the following prerequisites must be configured:

  • Explicit credentials for PDS to use when accessing the untrusted forest
  • Mapping of SIDs from the untrusted forest to SIDs from the PDS forest.

SID mappings are used for access control: a user who wants to read or reset a password must have his/her own SID (or the SID of a group he/she is a member of) 'paired' with the SID that has been delegated the permission for password read/reset in the untrusted forest. The SID mapping is what establishes this pairing of SIDs.

Adds registration of a supported AD forest for management to the PDS configuration (optionally with connection credentials for the forest).

Gets AD schema attributes for the solution and their schema GUIDs.

Returns the credential for a local admin or managed domain account, and optionally schedules a reset of the retrieved password.

Returns status information about the environment managed by the solution.

Returns the supported key sizes for the solution.

Retrieves the password for a given managed domain user account.

Finds the admin password for a given computer.

Lists all discovered PDS instances along with their parameters.

Returns parameters of PDS service related to access check process.

Returns the name of the AD group that has the role of PDS Administrator.

Returns parameters of PDS service related to registration of PDS autodiscovery SRV record.

Returns parameters of the PDS service related to the product license.

Gets all defined managed-account containers from the configuration of PDS.

PDS manages managed domain accounts in specified AD containers (typically OUs).
Each container has its own password configuration (complexity, age, encryption key, etc.).
All user accounts in the container are subject to automatic password management.
The configuration of managed-account containers is stored in the PDS configuration file.

Returns parameters of PDS service related to management of Managed Domain Accounts.

Gets the mapping of SIDs from an untrusted forest to SIDs from the PDS forest from the PDS instance.

Lists supported AD forests from the PDS configuration.

Gets the public key with the given ID.

Returns all public keys managed by the PDS instance.

Finds the permissions that a specified user has on a specified AD object (computer or user account).

Sets a group as the PDS Admins role group.
Members of this role have permission to manage the configuration of PDS.

Generates a new key pair in the Password Decryption Service.

Removes configuration of an AD container with accounts with automatically managed passwords from the configuration of PDS.

PDS manages managed domain accounts in specified AD containers (typically OUs).
Each container has its own password configuration (complexity, age, encryption key, etc.).
All user accounts in the container are subject to automatic password management.
The configuration of managed-account containers is stored in the PDS configuration file.

Removes a mapping of SIDs from an untrusted forest to SIDs from the PDS forest.

Removes registration of a supported AD forest for management from the PDS configuration.

Requests a reset of the password for a given managed domain account. The password is reset by PDS upon the next cycle of password management (within 10 minutes by default).

Requests a reset of the local admin password for a given computer (either immediate or planned for the future).

Gives computers permission to report passwords of their local admin accounts to AD.

Sets parameters of PDS service related to access control decisions for password reads and resets.

Delegates the necessary permissions to Password Decryption Service accounts on the Deleted Objects container in the specified domain.

Sets parameters of PDS service related to registration of PDS autodiscovery SRV record.

Sets parameters of PDS service related to access control decisions for password reads and resets.

Updates the PDS configuration of an AD container with accounts with automatically managed passwords.

PDS manages managed domain accounts in specified AD containers (typically OUs).
Each container has its own password configuration (complexity, age, encryption key, etc.).
All user accounts in the container are subject to automatic password management.
The configuration of managed-account containers is stored in the PDS configuration file.

Sets parameters of PDS service related to management of Managed Domain Accounts.

Delegates the necessary permissions to Password Decryptor Service (PDS) service accounts, so that it is able to manage and retrieve the passwords of managed domain user accounts.

Delegates the necessary permissions to Password Decryptor service accounts.

Updates a mapping of SIDs from an untrusted forest to SIDs from the PDS forest.

Updates registration of a supported AD forest for management in the PDS configuration (optionally with connection credentials for the forest).

Delegates the permission to read the passwords of the local admin account of computers in a given AD container.

Delegates the permission to request a reset of the passwords of the local admin account of computers in a given AD container.

Prepares the AD schema for the solution in the local forest. Must be executed in every AD forest that is supposed to host computers or domain user accounts whose passwords are managed by the AdmPwd.E solution.

Maintains records in the password history for a given computer account in AD.