Emil Gullbrandsson
Posted January 26, 2021

Hi,

Are there any available options to upload and use my own 'Account Discovery Scripts'? I can see that the option is available on 'Password Reset Scripts' and 'Password Validation Scripts'.

The reason is that the query in the PowerShell script 'Discover Windows Local Admin Accounts' at line 39 takes about 30-40 minutes to discover 4 servers.

    Get-CimInstance -ClassName win32_group -Filter "Name = '$AdminGroup'" | Get-CimAssociatedInstance -Association win32_groupuser |

I'd rather use our own script for the discovery if possible.

Thanks!

support
Posted January 26, 2021

Hello Emil,

Unfortunately you cannot add in your own discovery scripts, and the behaviour you are seeing is certainly not normal - it should query each server within seconds.

Have you done any testing with that command outside of Passwordstate to try and figure out why it's taking so long? i.e. might be a DNS issue, firewall, etc.

Regards
Click Studios

Emil Gullbrandsson (Author)
Posted January 27, 2021

15 hours ago, support said:

> Hello Emil,
>
> Unfortunately you cannot add in your own discovery scripts, and the behaviour you are seeing is certainly not normal - it should query each server within seconds.
>
> Have you done any testing with that command outside of Passwordstate to try and figure out why it's taking so long? i.e. might be a DNS issue, firewall, etc.
>
> Regards
> Click Studios

The query "Get-CimInstance -ClassName win32_group" returns ALL groups in our Active Directory, which is around 38.000 groups.

We have around 1300 servers, so this means that the query for 38.000 groups will be running 1300 times.

So to me, it looks like the code is doing exactly what it's told to do, but it just doesn't fit in an enterprise environment like ours.

Can you validate this please?

support
Posted January 27, 2021

Hello Emil,

The script you pointed us to above is for discovering local Administrator accounts on Windows Machines, and does not query Active Directory.

We have made a change to this script in version 9 so it does not use that Get-CimInstance command anymore, so if you can contact us via our support page here https://www.clickstudios.com.au/support.aspx, then we can provide you a copy of this script to try.

Regards
Click Studios

Emil Gullbrandsson (Author)
Posted January 28, 2021

10 hours ago, support said:

> Hello Emil,
>
> The script you pointed us to above is for discovering local Administrator accounts on Windows Machines, and does not query Active Directory.
>
> We have made a change to this script in version 9 so it does not use that Get-CimInstance command anymore, so if you can contact us via our support page here https://www.clickstudios.com.au/support.aspx, then we can provide you a copy of this script to try.
>
> Regards
> Click Studios

Hi again,

I know it's for the local administrators, but I tried it in 3 different domains. I ran it from my local computer and directly on 3 servers in 3 different domains, and they all started to return groups for the Active Directory.

Anyway, thanks for the suggestion, glad we found a way forward. I think maybe an upgrade to version 9 is an even better one? Is it available for download?

support
Posted January 28, 2021

Hello Emil,

Can you tell me if you are running this script against any Domain Controllers, as Domain Controllers do not have Local Administrator Security Groups. This discovery job is intended for domain members only.

We have the Active Directory Discovery Job if you want to discover accounts in AD.

Regards
Click Studios

Emil Gullbrandsson (Author)
Posted January 28, 2021

2 minutes ago, support said:

> Hello Emil,
>
> Can you tell me if you are running this script against any Domain Controllers, as Domain Controllers do not have Local Administrator Security Groups. This discovery job is intended for domain members only.
>
> We have the Active Directory Discovery Job if you want to discover accounts in AD.
>
> Regards
> Click Studios

Hi,

No, run it locally on a management server, so no domain controllers.

We're using the script to collect all local admins and then use the 'reset password' + 'heartbeat function' you have, so we don't want to collect the users from the Active Directory.

I've created a support ticket now, can you see it?

support
Posted January 28, 2021

Hi Emil,

We're not sure how this could be querying your Active Directory Domain then, as there is no domain information passed to this script which would allow that.

Yes, we can see the support ticket, and we will provide you an updated copy of the script first thing in the morning. We're not confident that the new script will help though, as this script should not be able to contact your domain at all.

Regards
Click Studios

Emil Gullbrandsson (Author)
Posted January 28, 2021

3 minutes ago, support said:

> Hi Emil,
>
> We're not sure how this could be querying your Active Directory Domain then, as there is no domain information passed to this script which would allow that.
>
> Yes, we can see the support ticket, and we will provide you an updated copy of the script first thing in the morning. We're not confident that the new script will help though, as this script should not be able to contact your domain at all.
>
> Regards
> Click Studios

Hi,

Okay, have you tried running the query on a server/computer that's connected to an Active Directory?

I don't mean to be rude but it bugs me that it returns the AD groups, even though I don't pass any domain information. It doesn't make sense to me.

Please provide the new script, I can take a look at it and see if it works differently.

support
Posted January 28, 2021

Hi Emil,

Yes, all of our servers are domain joined, and we see no issues with this script - we've also had no other customers report this behaviour.

If you go to the screen Administration -> PowerShell Scripts, click on the Account Discovery button, can you test this script manually for us - look at the Actions menu to do this. Basically just put in any Host Name here for a server you want to query, with the appropriate Privileged Account Credentials.

For us, it returns all Local Admin accounts on a server in around 2.5 seconds.

Regards
Click Studios

Emil Gullbrandsson (Author)
Posted January 28, 2021

17 minutes ago, support said:

> Hi Emil,
>
> Yes, all of our servers are domain joined, and we see no issues with this script - we've also had no other customers report this behaviour.
>
> If you go to the screen Administration -> PowerShell Scripts, click on the Account Discovery button, can you test this script manually for us - look at the Actions menu to do this. Basically just put in any Host Name here for a server you want to query, with the appropriate Privileged Account Credentials.
>
> For us, it returns all Local Admin accounts on a server in around 2.5 seconds.
>
> Regards
> Click Studios

Yepp, I've done that, same behavior unfortunately.

If possible we can set up a remote session and I can show you how it behaves?

support
Posted January 28, 2021

Hello Emil,

I've just emailed you some instructions to test the version 9 script.

Regards
Click Studios

Emil Gullbrandsson (Author)
Posted January 29, 2021

11 hours ago, support said:

> Hello Emil,
>
> I've just emailed you some instructions to test the version 9 script.
>
> Regards
> Click Studios

Hi,

Yepp, and as I wrote in the email, if anyone stumbles upon this problem, the new script in V.9 works like a charm!

Much appreciated!

Thanks!
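
For readers auditing local administrator accounts with the CIM query quoted in the first post: on a domain-joined host, Win32_Group is not limited to the machine's own groups unless the filter says so. The following is an added example, not Click Studios' script and not the version 9 script mentioned above; the function name and host name are hypothetical. It scopes the lookup with LocalAccount = TRUE and the well-known SID of the built-in Administrators group.

```powershell
# Added example, not Click Studios' script. Function name and host name are hypothetical.
function Get-LocalAdminAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )

    $sessionArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs['Credential'] = $Credential }
    $session = New-CimSession @sessionArgs

    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
        # lookup does not depend on the (localized) group name.
        # LocalAccount = TRUE restricts the provider to the machine's own groups.
        $groupQuery = @{
            CimSession = $session
            ClassName  = 'Win32_Group'
            Filter     = "LocalAccount = TRUE AND SID = 'S-1-5-32-544'"
        }
        $group = Get-CimInstance @groupQuery
        if (-not $group) {
            throw "No local Administrators group found on $ComputerName"
        }

        # Follow the group-to-member association, keeping user accounts only,
        # then drop domain principals so only local accounts are reported.
        $memberQuery = @{
            CimSession      = $session
            InputObject     = $group
            Association     = 'Win32_GroupUser'
            ResultClassName = 'Win32_UserAccount'
        }
        Get-CimAssociatedInstance @memberQuery |
            Where-Object { $_.LocalAccount } |
            Select-Object @{ n = 'Host'; e = { $ComputerName } }, Name, SID, Disabled
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Time one host before running against the whole estate (host name is a placeholder):
# Measure-Command { Get-LocalAdminAccount -ComputerName 'server01.example.test' }
```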