Import AD Accounts to Password List

[David Jenkins]

I'm new to using PasswordState  I've read the manual and I'm a little confused about administration of AD Accounts in a list.  I thought I read there was a way to import AD accounts into a list.  I'm wondering if this is correct and how it's done.  I feel like I misunderstood if this is possible or not.

[David Jenkins]

I guess it's just service account discovery.  Seems like it anyway.  

 

It's cause I'm a NOOB!  

[support]

Hi David!

 

You are funny:)  What you are after is what we call a Windows Dependency Discovery.  This job will scan your servers and/or desktops looking for AD accounts that are configured on things like Windows Services, IIS Application Pools or Windows Scheduled Tasks.  If it finds an AD account, it will add it into the system automatically for you, and then begin rotating the password on a schedule of your choice.

 

If the discovery job finds the same AD account on multiple dependencies, it will links that service (for example) to the AD Account that is already stored in Passwordstate.  ie, one AD account in a password record with 50 services attached to it.  When it comes time to reset the AD account, it resets it in AD, and then updates the password on all 50 services.  If it fails on one or more services, maybe because the server was off at the time of the automatic reset, it will try again the next day at the same time.

 

So, the first thing you need to do is get your Windows Servers into Passwordstate, so the discovery job knows what to scan.  Easiest way to do this is to set up a Host Discovery job.  This will search AD for servers and desktops of your choice, and import them into Passwordstate.  Here's a video showing how to set this up:  https://www.youtube.com/watch?v=UifVi2rH8x0

 

Now that you have all your servers in the system, you should create a new Account Discovery job from here:

 

And then choose "Windows Dependency Accounts":

 

Then set it up something like this:

 

 

1. Simulation Mode will not add anything to your system, but will run the discovery job and show you what it finds.  Good way to see what is going to happen with out actually resetting anything in production

2. Choose the type of dependency, all three is perfectly fine if you want

3. If you want to only run on certain machines, or not run on certain machines,  use these filters

4. Choose whether the AD account and it's dependencies should be reset automatically by Passwordstate or not. 

5. Choose a Password List to dump all discovered accounts into.  Make sure the Password List you create has "Enabled For Resets" ticked under it's properties, or you won't see it in this drop down

6. Set a dummy password which will be set in Passwordstate until the first automatic reset takes place.  

7. Make sure you have AD Privileged Account under Administration -> Privileged Accounts ready to select.  This AD account needs permissions to connect to your server and reset passwords on the machine. 

 

That should be it for now, but hopefully this get you started and saves you a bucket load of time.  Next build we are also releasing a brand new AD Discovery job, which will allow you to scan OU's or AD Security Groups for shared accounts that aren't being used on things like Window Services.  more to come with this:)

 

Hope this helps, And now, just like that, you're an expert....Much quicker to master than Fortnite.

 

Regards,

Support

[David Jenkins]

Yes I was successful.  Pretty cool.  

 

Now I need to test dependencies.

[support]

Cheers David