Poor-man's Local Password Management
I came up with this concept a while back when we had to get rid of the Arellia products for our NS 6 environment for which we never got the chance to use (why we got rid of it). One thing we were lacking was a good way to manage a local password without giving away the "Keys to the kingdom" and passing out the Administrator password to our image to the site admins. As we are in the process of putting up our ITMS 7.1 infrastructure, the new VBScript based custom inventory inspired me to script out the password rotation for a local account, then logging the information to the ITMS database. This way you can give a local admin account to the machines that your site administrators can use, but keeps things secure. You could provide this information via a report or even a workflow.
See this article for more information on creating a custom inventory.
Setting up the inventory. First create the custom data class:
"username" nvarchar (50) [Non Null]
"password" nvarchar (50)
"date changed" nvarchar (50)
Then note the data class guid and place that guid in the attached script:
Also in the script you have some options:
You can basically have 2 options with the name of the local account.
- Static name
- Dynamic name
For the static name, keep the account length the same length as your prefix as seen in the example above. For more security, you can have a prefix with a random number at the end. So let’s say you wanted to create a local account that is 8 characters long, with a prefix of "adm". The result would give you a local administrator account of "adm12345" or some number variation like that. This would give you not only a random password, but a totally unique local admin account. For some I can understand if that is over kill, but the option is there.
For the local admin account description you can set that to what you want.
Then obviously the password length can be as long as you want (man I hope you don't use 50... your PC admins will hate you). The password characters are UPPER and lower case, numbers and some special characters. All configurable in the generatePassword function if you so choose. Password also have the option to be encrypted in the database (well, jumbled in base64). Just set that option to True or False.
Other features include validation of settings on each run:
- Pings ITMS server to make sure the PC is on your network (don't want to change if we can't account for it)
- makes sure local account is enabled (tricky users who like to disable your local admin accounts!)
- looks up SID of local "Administrators" group (maybe you rename your local user/groups?)
- your admin user account is in the local "Administrators" group
After you have tested the script on your local box you can create the custom inventory script and schedule it on your target machines.
Some other tips. You may want to restrict access to this data class and abstract it via a workflow (would also help if you encrypt the password). That or if you give a report to view the passwords, but make sure you restrict that report to only computer resources they have access to.
Hope this helps. Please click on the poll and let me know what you think. What modifications would you make to it?