Notify Primary User of Admin Password Disclosure
Filed under:
Local Security Solution
Configuration
Submitted by Andrew Souter on 13 November, 2007 - 11:10.
Ever wondered how you automatically notify the user that a managed password (typically the Administrator account) has been accessed by an administrator when using Local Security Solution? No Notification Policy exists by default.
Learn how to install just such a Notification Policy in this tip.
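Save the following XML and import it into your Notification Policy folder under Local Security Solution. Before enabling the policy, replace the placeholder addresses in the e-mail action's To field (`%DS:User%@company.com;admin.email@company.com`) with your own mail domain and administrator mailbox.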
<item guid="{08dd7ae1-476c-4315-868a-c80bd9f3db68}" classGuid="{ff0a95e4-304e-45d2-90b7-7d0267865a25}">
<!-- Exported Notification Policy item. It carries a schedule, a SQL data source over the
     password disclosure event table, and two dependent child items: an e-mail subscriber
     and a message filter. -->
<!-- Type: Altiris.NS.StandardItems.Policies.NotificationPolicy -->
<!-- Assembly: Altiris.NS.StandardItems, Version=6.0.6074.30, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f -->
<name>Notify Primary User of Admin Password Disclosure</name>
<alias />
<productGuid>{a7d32f79-5ac0-4a9c-a980-046752703ac6}</productGuid>
<itemAttributes>Normal</itemAttributes>
<itemLocalizations>
<culture name="">
<description />
<name>Notify Primary User of Admin Password Disclosure</name>
</culture>
<culture name="en">
<description />
</culture>
</itemLocalizations>
<enabled>True</enabled>
<!-- Schedule: per the Trigger description, the policy runs every 15 minutes around the clock.
     The query below looks back 17 minutes, so the two values need to be kept in step
     if either one is changed. -->
<scheduling>
<enabled>True</enabled><schedule name="Custom Schedule"><Trigger Type="1" Duration="1440" Interval="15" KillAtEnd="0" Disabled="0" Description="Every 15 minutes from 9:00 AM for 24 hours every 1 days, starting Sunday, March 04, 2007"><BeginDate>2007-03-04 09:00:00</BeginDate><DaysInterval>1</DaysInterval></Trigger></schedule><sharedSchedule>{00000000-0000-0000-0000-000000000000}</sharedSchedule></scheduling>
<policyActionParameters />
<dataSource sourceType="Query">
<query type="builderQuery">
<queryBuilder>
<directEdit />
<!-- Query: returns password disclosure events from the last 17 minutes, joined to the
     disclosed-to user, the managed account, the computer and (LEFT OUTER JOIN) the
     computer's primary user record. The column aliases are the names used by the
     %DS:...% tokens in the e-mail action.
     NOTE(review): the look-back is a fixed 17-minute window against a 15-minute schedule.
     A run that is skipped or delayed by more than about 2 minutes leaves older disclosures
     unreported, and an event inside the 2-minute overlap can be returned by two consecutive
     runs. Confirm whether that is acceptable for this alert.
     NOTE(review): the primary-user filter keeps a row only when p.[Month] is the current
     month name or is NULL/empty. If the primary-user table holds rows for other months only,
     the event is dropped and no one is notified, including the administrator mailbox.
     Verify how that table is populated.
     NOTE(review): when no primary-user row matches, p.[User] is NULL, so the %DS:User% part
     of the To address is presumably empty. Verify how the mail action handles that. -->
<userCustomized><![CDATA[SELECT Disclosure._ResourceGuid AS _UserGuid,
Disclosure.UserGuid AS _DisclosedUserGuid,
dbo.vComputer.Name,
dbo.vComputer.[Domain],
ManagedUser.Name AS [Manager User],
DisclosedToUser.Name AS [Disclosed User],
Disclosure.Disclosed,
Disclosure.[Remote IP Address],
p.[Month],
p.[User]
FROM dbo.Evt_User_Account_Password_Disclosure Disclosure
INNER JOIN dbo.vResourceEx DisclosedToUser ON Disclosure.UserGuid = DisclosedToUser.Guid
INNER JOIN dbo.Inv_Global_Account_Details ON Disclosure._ResourceGuid = dbo.Inv_Global_Account_Details._ResourceGuid
INNER JOIN dbo.vComputer ON dbo.Inv_Global_Account_Details.AccountDomain = dbo.vComputer.Guid
INNER JOIN dbo.vResourceEx ManagedUser ON Disclosure._ResourceGuid = ManagedUser.Guid
LEFT OUTER JOIN dbo.Inv_AeX_AC_Primary_User p ON dbo.vComputer.Guid = p._ResourceGuid
WHERE
DATEDIFF(Minute, Disclosure.Disclosed, GETDATE()) <= 17
AND ( (p.[Month] = DATENAME(m, GETDATE()) ) or (isnull(p.[Month], '') = '') )
]]></userCustomized>
</queryBuilder>
</query>
</dataSource>
<parentFolderGuid>aafe5a46-7dda-461f-b54c-0aa8e37d606f</parentFolderGuid>
<!-- Permissions on the policy item: owner and the single ACE are both @APPLICATION_ID, and
     inherit is True. NOTE(review): anyone who can write to or disable this policy can silence
     the disclosure alert, so review the effective permissions (presumably including those
     inherited from the parent folder) after import. -->
<security owner="@APPLICATION_ID" inherit="True">
<aces>
<ace type="reserved" name="@APPLICATION_ID">
<permissionGrants>
<permissionGrant guid="{ac296df1-eb40-4592-899f-25d5c07d45f6}" name="Write" />
<permissionGrant guid="{819dae1e-b1a5-4643-81a1-26ef95feb8a8}" name="Change Permissions" />
<permissionGrant guid="{983a2d22-7a82-4db0-a707-52c7d6b1441e}" name="Read" />
<permissionGrant guid="{eca6254f-5017-4730-9b3f-5add230829b7}" name="Delete" />
<permissionGrant guid="{726b1c09-7108-450d-ae24-5f8e93135ed6}" name="Clone" />
<permissionGrant guid="{4ddc04c3-f0a5-4e88-84aa-c44c8c5ebcc4}" name="Read Permissions" />
<permissionGrant guid="{24feda4a-9025-401f-befd-cc9c9e99f047}" name="Policy Enable" />
</permissionGrants>
</ace>
</aces>
</security>
<itemReferences>
<!-- Dependent child 1: the e-mail subscriber that sends the alert. -->
<itemReference guid="{4eafa08c-ffcb-464b-be4a-3dcecfe0e6fb}" hint="npmessagesubscriber" type="DependentChild"><item guid="{4eafa08c-ffcb-464b-be4a-3dcecfe0e6fb}" classGuid="{a0c42a97-67e9-4e30-b392-7076999dfd2d}">
<!-- Type: Altiris.NS.StandardItems.NSMessaging.Subscribers.NPEmailMsgSubscriber -->
<!-- Assembly: Altiris.NS.StandardItems, Version=6.0.6074.30, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f -->
<name>Email Primary User</name>
<alias />
<productGuid>{a7d32f79-5ac0-4a9c-a980-046752703ac6}</productGuid>
<itemAttributes>Hidden</itemAttributes>
<itemLocalizations>
<culture name="">
<description />
<emailmessage>User account who the admin password was disclosed to: %DS:Disclosed User%
The name of the computer the password has administrative rights to: %DS:Name%
Name of the local account the admin password was disclosed for: %DS:Manager User%
Date / Time the password was disclosed: %DS:Disclosed%
IP Address of the computer on which the user account was logged on when the admin password was disclosed: %DS:Remote IP Address%
</emailmessage>
<emailsubject>Administrator Password Disclosure Alert</emailsubject>
<name>Email Primary User</name>
</culture>
<culture name="en">
<description />
</culture>
</itemLocalizations>
<!-- The enabled element appears twice (True, then true) in the export as published;
     both lines are kept unchanged. -->
<enabled>True</enabled>
<enabled>true</enabled>
<noUIDelete>false</noUIDelete>
<!-- E-mail action. eachRow="true" presumably sends one message per query row. Confirm.
     The To value is a placeholder: %DS:User% is the primary user's name from the query, and
     company.com / admin.email@company.com must be replaced with the site's own mail domain
     and administrator mailbox before the policy is enabled. The From and Cc values are empty.
     The message body discloses the account, computer, time and source IP of the disclosure,
     so the recipients should be limited to people entitled to see that. -->
<policyActionConfiguration><emailPolicyAction eachRow="true">
<to><![CDATA[%DS:User%@company.com;admin.email@company.com]]></to>
<from><![CDATA[]]></from>
<cc><![CDATA[]]></cc>
<subject><![CDATA[Administrator Password Disclosure Alert]]></subject>
<message><![CDATA[User account who the admin password was disclosed to: %DS:Disclosed User%
The name of the computer the password has administrative rights to: %DS:Name%
Name of the local account the admin password was disclosed for: %DS:Manager User%
Date / Time the password was disclosed: %DS:Disclosed%
IP Address of the computer on which the user account was logged on when the admin password was disclosed: %DS:Remote IP Address%
]]></message>
</emailPolicyAction></policyActionConfiguration>
<parentFolderGuid>00000000-0000-0000-0000-000000000000</parentFolderGuid>
</item></itemReference>
<!-- Dependent child 2: the message filter. Its nsMessageSource is the GUID of the
     notification policy item above. -->
<itemReference guid="{963e6e66-2be9-44e2-81cc-9fd4e034de39}" hint="npmessagefilter" type="DependentChild"><item guid="{963e6e66-2be9-44e2-81cc-9fd4e034de39}" classGuid="{bfa1aa3f-4a1d-453e-90d2-7ba2d3dec768}">
<!-- Type: Altiris.NS.StandardItems.NSMessaging.Filters.NPMessageFilter -->
<!-- Assembly: Altiris.NS.StandardItems, Version=6.0.6074.30, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f -->
<name>Message Filter for Notification Policy {08dd7ae1-476c-4315-868a-c80bd9f3db68}</name>
<alias />
<productGuid>{08dd7ae1-476c-4315-868a-c80bd9f3db68}</productGuid>
<itemAttributes>Hidden</itemAttributes>
<itemLocalizations>
<culture name="">
<description>Filters messages that are created by (and destined for) a Notification Policy</description>
<name>Message Filter for Notification Policy {08dd7ae1-476c-4315-868a-c80bd9f3db68}</name>
</culture>
<culture name="en">
<description>Filters messages that are created by (and destined for) a Notification Policy</description>
</culture>
</itemLocalizations>
<nsMessageSource>08dd7ae1-476c-4315-868a-c80bd9f3db68</nsMessageSource>
<nsMessageTypeGuid>{e12a0e9e-30a0-4529-b38d-493fed8744b4}</nsMessageTypeGuid>
<parentFolderGuid>aafe5a46-7dda-461f-b54c-0aa8e37d606f</parentFolderGuid>
</item></itemReference>
</itemReferences>
</item>

Thanks for posting my Notification Policy...
Hey Andrew,
Thanks for posting the XML from the Notification Policy we (at my company) created. It is also available as a true .XML file from AKB 33632 which was the KB article I created to make this available to other LSS users.