Passwordstate uses PowerShell scripting as the extensible platform for PAM, or Privileged Account Management. The PowerShell scripts provided with Passwordstate enable Account Discovery, Password Resets and on-demand or scheduled validation (Heartbeats) to confirm that accounts are being managed through our solution. For more information on what types of systems can be discovered, reset and validated please refer to our website here https://www.clickstudios.com.au/about/privileged-account-management.aspx .
Where the strength of our PAM solution is evident is through the flexibility and extensibility of the PowerShell scripts. In the event, that some infrastructure components or business systems in your environment aren’t covered by the large number of default scripts we provide, you can simply copy one of our scripts and modify it for your requirements.
Add your Custom Account Type
As an example, we’ll create a new Account Type, set it to having Password Resets performed against it and associate it with a custom image.
To do this, navigate to Administration->Images and Account Types and click on Add beneath the Images and Account Types display grid. This will bring up the Add New Account Type screen shown below.
In our example, we’re going to give it an Account Type Name of Test, ensure the Managed radio button Yes is selected, we’ve clicked on Select and chosen a custom image to upload called Padlock.png and then clicked the Save button.
Add a Password Reset Script
Next, we’re going to setup a Password Reset Script for the Test Account Type. To do this, navigate to Administration->PowerShell Scripts and click on the Password Resets button. This will take you to the Password Reset Scripts page. Now click on Add New Script underneath the display grid and you’ll be presented with the Add Password Reset Script screen below;
Here we’ll add a Script Name of For Test Account Type and a Description of Test and select Create Blank Script from the Create Script Contents From drop down list, then click Save.
Edit the PowerShell Script
Now we can edit the newly created Script by navigating to Administration->PowerShell Scripts and click on the Password Resets button. Again, this will take you to the Password Reset Scripts page. Next, we’ll locate the Script Name For Test Account Type and click on the Script Name which is actually a hyperlink,
This will open the Edit Password Reset Script editor, allowing you to insert your code and choose from Host, Dependency and Password Fields to insert into your code as appropriate. In the example we are inserting the fields of OldPassword and NewPassword,
Once completed click on the Save button.
Password Records using Custom Account Type and Reset Script
Now when you add new password records, on the password details tab you can select the Custom Account type (in our example Test) from the Account Type drop down list and select the Managed Account check boxes for Enabled for Resets and Enabled for Heartbeats,
And on the reset options tab, select the correct reset script (in our example For Test Account Type) from the Password Reset Script drop down list,
When passwords are changed for these records, either manually or as a scheduled task, Passwordstate will reach across to the target system using the Password Reset Script and change the password on those systems.
This is of course a simple example of what needs to be done. In reality you would create Password Validation and Password Reset scripts and the PowerShell coding required can end up being quite complex. A best practice approach would see these scripts being developed and tested outside of Passwordstate. Once they are working as expected and have been through your organizations Change Management processes they can be included as per the instructions in this blog.
If you would like to share your feedback, we’d love to hear it. Just email it through to support@clickstudios.com.au.