Jump to content

Account Discovery Scripts - Add new script?


Emil Gullbrandsson
 Share

Recommended Posts

Hi,

 

Is there any available options to upload and use my own 'Account Discovery Scripts'?

I can see that the option is available on 'Password Reset Scripts' and 'Password Validation Scripts'.

 

The reason is that the query in the PowerShell script 'Discover Windows Local Admin Accounts' at line 39 takes about 30-40 minutes to discover 4 servers.

Get-CimInstance -ClassName win32_group -Filter "Name = '$AdminGroup'" | Get-CimAssociatedInstance -Association win32_groupuser |

 

I'd rather use our own script for the discovery if possible.

Thanks!

Link to comment
Share on other sites

Hello Emil,

 

Unfortunately you cannot add in your own discovery scripts, and the behaviour you are seeing is certainly not normal - it should query each server within seconds.

 

Have you done any testing with that command outside of Passwordstate to try and figure out why it's taking so long? i.e. might be a DNS issue, firewall, etc.

Regards

Click Studios

Link to comment
Share on other sites

15 hours ago, support said:

Hello Emil,

 

Unfortunately you cannot add in your own discovery scripts, and the behaviour you are seeing is certainly not normal - it should query each server within seconds.

 

Have you done any testing with that command outside of Passwordstate to try and figure out why it's taking so long? i.e. might be a DNS issue, firewall, etc.

Regards

Click Studios

 

The query: "Get-CimInstance -ClassName win32_group" returns ALL groups in our Active Directory, which is around 38.000 groups.

We have around 1300 servers, so this means that the query for 38.000 groups will be running 1300 times.

 

So to me, it looks like the code is doing exactly what it's told to do, but it just doesn't fit in an enterprise environment like ours.

 

Can you validate this please?

 

Link to comment
Share on other sites

Hello Emil,

 

The script you pointed us to above is for discovering local Administrator accounts on Windows Machines, and does not query Active Directory.

 

We have made a change to this script in version 9 so it does not use that Get-CimInstance command anymore, so if you can contact us via our support page here https://www.clickstudios.com.au/support.aspx, then we can provide you a copy of this script to try.

Regards

Click Studios

Link to comment
Share on other sites

10 hours ago, support said:

Hello Emil,

 

The script you pointed us to above is for discovering local Administrator accounts on Windows Machines, and does not query Active Directory.

 

We have made a change to this script in version 9 so it does not use that Get-CimInstance command anymore, so if you can contact us via our support page here https://www.clickstudios.com.au/support.aspx, then we can provide you a copy of this script to try.

Regards

Click Studios

Hi again,

 

I know it's for the local administrators, but I tried it in 3 different domains, I ran it from my local computer and directly on 3 servers in 3 different domains and they all started to return groups for the Active Directory.

 

Anyway, thanks for the suggestion, glad we found a way forward. I think maybe an upgrade to version 9 is an even better one? :) Is it available for download?

 

 

Link to comment
Share on other sites

Hello Emil,

 

Can you tell me if you are running this script against any Domain Controllers, as Domain Controllers do not have Local Administrator Security Groups.

 

This discovery job is intended for domain members only.

 

We have the Active Directory Discovery Job if you want to discover accounts in AD.

Regards

Click Studios

Link to comment
Share on other sites

2 minutes ago, support said:

Herllo Emil,

 

Can you tell me if you are running this script against any Domain Controllers, as Domain Controllers do not have Local Administrator Security Groups.

 

This discovery job is intended for domain members only.

 

We have the Active Directory Discovery Job if you want to discover accounts in AD.

Regards

Click Studios

Hi,

 

No, run it locally on a management server, so no domain controllers.

We using the script to collect all local admins and then use the 'reset password' + 'heartbeat function' you have, so we don't want to collect the users from the Active Directory..

 

I've created a support ticket now, can you see it? :)

Link to comment
Share on other sites

Hi Emil,

 

We're not sure how this could be querying your Active Directory Domain then, as there is no domain information passed to this script which would allow that.

 

Yes, we can see the support ticket, and we will provide you an updated copy of the script first thing in the morning.

 

We're not confident that the new script will help though, as this script should not be able to contact your domain at all.

Regards

Click Studios

Link to comment
Share on other sites

3 minutes ago, support said:

Hi Emil,

 

We're not sure how this could be querying your Active Directory Domain then, as there is no domain information passed to this script which would allow that.

 

Yes, we can see the support ticket, and we will provide you an updated copy of the script first thing in the morning.

 

We're not confident that the new script will help though, as this script should not be able to contact your domain at all.

Regards

Click Studios

Hi,

 

Okay, have you tried running the query on a server/computer that's connected to a Active Directory? I don't mean to be rude but it bugs me that it returns the AD-groups, even though I don't pass any domain information.

It doesn't make sense to me..

 

Please provide the new script, I can take a look at it and see if the works differently. :)

 

Link to comment
Share on other sites

Hi Emil,

 

Yes, all or our servers are domain joined, and we see no issues with this script - we've also had no other customers report this behaviour.

 

If you go to the screen Administration -> PowerShell Scripts, click on the Account Discovery button, can you test this script manually for us - look at the Actions menu to do this.

Basically just put in any Host Name here for a server you want to query, with the appropriate Privileged Account Credentials. For us, it returns all Local Admin accounts on a server in around 2.5 seconds.

 

Regards

Click Studios

Link to comment
Share on other sites

17 minutes ago, support said:

Hi Emil,

 

Yes, all or our servers are domain joined, and we see no issues with this script - we've also had no other customers report this behaviour.

 

If you go to the screen Administration -> PowerShell Scripts, click on the Account Discovery button, can you test this script manually for us - look at the Actions menu to do this.

Basically just put in any Host Name here for a server you want to query, with the appropriate Privileged Account Credentials. For us, it returns all Local Admin accounts on a server in around 2.5 seconds.

 

Regards

Click Studios

Yepp, I've done that, same behavior unfortunately.

 

If possible we can setup a remote session and I can show you how it behaves?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...