DerBagger
Posted June 19, 2020

Hey guys,

we are currently evaluating Passwordstate. It's super cool. Now we would like to add the BitLocker keys and LAPS passwords for each PC to Passwordstate.

I would like to have the following process: a script is scanning a specific OU or multiple OUs and fetches all computer objects from this/those OUs -> then the script looks up the LAPS and BitLocker attribute -> this information is sent to Passwordstate and is automatically added to a specific password list.

The script should run every day. It would be cool if I could refresh the passwords from the Passwordstate web interface. If this is not possible, I would let the script run every 5 minutes.

Thanks for your help!

Kevin

support
Posted June 19, 2020

Hi Kevin,

Thanks for your enquiry.

The majority of our customers have replaced the use of LAPS with built-in functionality of Passwordstate, as it is more secure by default. Did you instead want to look at our Account Discovery Jobs (Windows Local Admin Accounts) to see if this is a better solution for you, as it would reduce the need for you to write your own scripts based on your requirements above?

Basically you need to import all your Host records first, which can be done with another Discovery Job under the Hosts tab. Then you can create that Account Discovery Job I mentioned.

Regards
Click Studios

DerBagger
Posted June 24, 2020

Hey there,

I did read through your solution. But doesn't it destroy the purpose of LAPS to prevent domain admin logins? Your solution requires a domain admin to log into every computer if I understood it correctly. Could you explain to me how it is safer by default? Because if I misunderstood it then I am more than willing to use your solution because it seems very easy.

What about the BitLocker key? Do you have something regarding this topic/issue?

Thanks for your help!

Kevin

support
Posted June 24, 2020

Hi Kevin,

It is our understanding that all the administrator passwords are stored in Active Directory in unencrypted format, whereas in Passwordstate we obviously encrypt all that data.

With our PAM solution, you also do not require Domain Admin rights to do this - you only need local administrator rights on each machine to do this. The majority of our customers use Security Groups, to add a domain Security Group into the Local Administrators group.

Sorry, we do not have any advice on the BitLocker question, except that you can add your own PowerShell scripts into Passwordstate, and associate them as 'Dependent' processes to password reset records. So you would need to investigate if you could write your own PowerShell script for this purpose.

We hope this helps.

Regards
Click Studios
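
A sketch of the process described in the first post (scan OUs, read the LAPS and BitLocker attributes, push them into a password list), as an added example that is not from either poster or from Click Studios. Assumptions: legacy LAPS (`ms-Mcs-AdmPwd`), the Passwordstate REST API's `POST /api/passwords` call with an `APIKey` header, a first-time import into an empty list, and placeholder values for the OU, server URL, password list ID, key file and local account name.

```powershell
# Added example. Run as a service account that has only delegated read access
# to the LAPS and BitLocker attributes on the target OUs (not Domain Admin).
Import-Module ActiveDirectory

$SearchBases    = @('OU=Workstations,DC=example,DC=com')             # placeholder OU(s)
$ApiUrl         = 'https://passwordstate.example.com/api/passwords'  # placeholder host
$PasswordListId = 123                                                # placeholder list ID
# API key stored as a DPAPI-protected credential (Export-Clixml), not in the script.
$ApiKey = (Import-Clixml 'C:\Scripts\ps-apikey.xml').GetNetworkCredential().Password

function Send-Secret {
    param([string]$Title, [string]$UserName, [string]$Secret, [string]$Description)
    $body = @{
        PasswordListID = $PasswordListId
        Title          = $Title
        UserName       = $UserName
        Password       = $Secret
        Description    = $Description
    } | ConvertTo-Json
    # HTTPS only: the request body carries the secret in clear text.
    Invoke-RestMethod -Uri $ApiUrl -Method Post -ContentType 'application/json' `
        -Headers @{ APIKey = $ApiKey } -Body $body | Out-Null
}

foreach ($base in $SearchBases) {
    $computers = Get-ADComputer -SearchBase $base -Filter * -Properties 'ms-Mcs-AdmPwd'
    foreach ($pc in $computers) {
        # LAPS: empty when no password is set or the account may not read it.
        if ($pc.'ms-Mcs-AdmPwd') {
            Send-Secret -Title "$($pc.Name) LAPS" -UserName 'Administrator' `
                -Secret $pc.'ms-Mcs-AdmPwd' -Description 'Imported from AD (LAPS)'
        }
        # BitLocker: recovery passwords are child objects of the computer object.
        $latest = Get-ADObject -SearchBase $pc.DistinguishedName `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
            -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
            Sort-Object whenCreated -Descending | Select-Object -First 1
        if ($latest) {
            Send-Secret -Title "$($pc.Name) BitLocker" -UserName $pc.Name `
                -Secret $latest.'msFVE-RecoveryPassword' `
                -Description "Recovery key created $($latest.whenCreated)"
        }
    }
}
```

Each run creates new records, so a daily or five-minute schedule would also need to find and update the existing record for each computer, which is not shown here.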