Dipping the Big Toe in the Water – Trialling Scheduled Password Resets

We were having this discussion the other day about “dipping your toe into the water” and one of the new hires in our Technical Support Team had never heard the saying before.  So… the hunt was on during lunch to find the history of the saying.  According to idiomorigins.org it’s a metaphor that means “to try something new or start a new project cautiously without over-commitment or too much risk.  It dates from the late 20th century and derives from the obvious allusion of dipping a toe into water to test the temperature”.

Or, to look at it another way, it means to “start doing something slowly and carefully, because you’re not sure whether it will be successful or whether you will like it”.  That sounds like a great angle for trialling scheduled password resets in your organization.

What are Scheduled Password Resets

Scheduled Password Resets are part of the Privileged Account Management (PAM) functionality provided in the core Passwordstate product.  They enable customers to perform on-demand or scheduled password resets across multiple different systems and platforms.  The feature uses a flexible and extensible design, built on PowerShell scripts, to allow password resets across your IT Infrastructure and Business Systems.

But why is this so desirable?  As an example, let’s work on the basis that you’ve got a couple of hundred PCs in your business.  Each of these has a Local Account.  As part of a best practice approach, the credentials for each of these Local Accounts should be unique and reset periodically, in accordance with your organization’s password management policy. 

That’s a lot of effort when you have to manually log on to each PC, reset the password and record the details in your password management system.  Passwordstate allows you to record the accounts for all these hosts, perform an initial reset on the account to allow it to be managed and then schedule regular password resets for the Local Account.

What you need before you get started

The only real prerequisites for performing automated password resets on local accounts are to enable PowerShell Remoting and to have a Shared Password List that has been set up with the Enable Password Resets setting selected.

PowerShell Remoting is enabled by default for Windows Server 2016 and above but not for Windows 10 Clients.  You can enable it via group policy as per the following article by TechRepublic (as an example) https://www.techrepublic.com/article/how-to-enable-powershell-remoting-via-group-policy/

To enable PowerShell remoting on some test machines, log in to each of them and start PowerShell, choosing to Run as administrator, and execute Enable-PSRemoting -Force as per the screenshot below;
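A pre-flight check to run from an administrative workstation once remoting is enabled, added here as an example (it is not Passwordstate or Click Studios code): it confirms that each trial host answers on WinRM and accepts an authenticated remote command. The host names are hypothetical placeholders.

```powershell
# Added example. Hypothetical host names: replace with your own trial machines.
$trialHosts = 'PC-TRIAL-01', 'PC-TRIAL-02', 'PC-TRIAL-03'
$cred = Get-Credential -Message 'Account with local admin rights on the trial hosts'

$results = foreach ($h in $trialHosts) {
    $row = [ordered]@{ Host = $h; WinRM = $false; RemoteCommand = $false; Detail = '' }
    try {
        # Test-WSMan only proves the WinRM listener answers; by default it does not authenticate.
        Test-WSMan -ComputerName $h -ErrorAction Stop | Out-Null
        $row.WinRM = $true

        # An authenticated round trip proves a remote command can actually run on the host.
        $row.Detail = Invoke-Command -ComputerName $h -Credential $cred -ErrorAction Stop `
            -ScriptBlock { $env:COMPUTERNAME }
        $row.RemoteCommand = $true
    }
    catch {
        # Keep the failure reason (firewall, service stopped, access denied) for follow-up.
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Hosts that show WinRM as True but RemoteCommand as False are reachable but rejected the credential or the session, which is worth resolving before they are included in the trial.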

Next, you’ll need to import the required PCs or Servers into Passwordstate.  To do this you’ll need to set up a Host Discovery job to scan Active Directory and import the hosts into Passwordstate automatically.  The example below shows a Host Discovery job for Windows 10, 8 and 7.  To set up a Host Discovery Job navigate to Hosts->Host Discovery Jobs->Add Discovery Job and add a new Discovery Job like the screenshot below;

Note you’ll need to have a Privileged Account Credential which should be a member of the Domain Users Security Group so it can read Active Directory for the information relating to the hosts you are discovering.  We have a comprehensive video, showing how to set up a Host Discovery job, available from our YouTube Channel here https://www.youtube.com/watch?v=UifVi2rH8x0

Discover your Local Accounts

Now that you’ve discovered all of the target PCs, Passwordstate can begin scanning them for you and adding in any Local Accounts, as individual Password Records into a specific Password List.  This can also set them up for automatic resets when it adds the account into Passwordstate if you choose, or you can do this at a later date. 

In our example we’ll set up a Windows Local Admin Accounts discovery job by navigating to Tools->Account Discovery and adding a new Discovery Job: click on Select Discovery Job Type to Add… and select Windows Local Admin Accounts as per the screenshot below;

The discovery job in the example above is creating Password Records for all Local Accounts in the shared Password List Workstation Accounts.  However, the discovery job is set for Enabled for Heartbeats only at this stage as per the screenshot below;

There is also a video on how to set up your Account Discoveries here https://www.youtube.com/watch?v=YKH0ev6MrI8&t=313s

Note, with all discovery jobs, you can choose to run them in Simulation Mode, which performs the scan and reports back what it finds via email without adding any of the results into your Passwordstate instance.  That’s how the 2 jobs in the examples for this blog have been set up.  It’s a great way of initially building confidence in the process before making changes to production machines.

Setup a Trial Password Reset Job

Now you’re ready to dip that proverbial big toe in the water.  To do this you’ll run your Host Discovery job as normal, not in simulation mode, to import all the hosts that you’re interrogating for Local Accounts. 

Next you need to run the Windows Local Admin Accounts discovery job.  Again, run it for real rather than in simulation mode, and make sure you haven’t selected the Enabled for Resets tick box.  This will discover all the Windows Local Accounts against the target hosts you’ve imported and add them into the specified Password List, in this example Workstation Accounts.

At this stage no passwords are reset, as Enabled for Resets hasn’t been ticked.  Now simply edit the Password Records, for a select number of hosts, and tick the Enabled for Resets box and save the record.  Passwordstate will now reach out to those hosts and reset the password with the newly generated password recorded in Passwordstate.

You can now log on using the Local Account on each of those hosts, using the password that’s recorded in Passwordstate, to confirm the process has worked as expected.  Once you are comfortable that the process worked as expected you can perform the Bulk Update Password Reset Options from the List Administrator Actions dialog beneath the Password Record Display Grid.  You can now search for the password records to update, choose the fields to update tab, select the Managed Account, tick the box to Enable Password Resets Option for all these accounts and select Save.
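As an additional check alongside the interactive logon, this added example (not Click Studios code) reads PasswordLastSet for the managed Local Account on each trial host over PowerShell Remoting and flags any host whose password predates the moment you ticked Enabled for Resets. The host names, account name and timestamp are hypothetical values to replace.

```powershell
# Added example. Hypothetical values: replace with your trial hosts, account and time.
$trialHosts  = 'PC-TRIAL-01', 'PC-TRIAL-02', 'PC-TRIAL-03'
$accountName = 'Administrator'
$enabledAt   = Get-Date '2024-01-15 09:00'   # constructed: when Enabled for Resets was ticked
$cred = Get-Credential -Message 'Account with local admin rights on the trial hosts'

# Query every host in one call; errors (unreachable host, missing account) land in $failed.
$found = Invoke-Command -ComputerName $trialHosts -Credential $cred `
    -ArgumentList $accountName -ErrorAction SilentlyContinue -ErrorVariable failed `
    -ScriptBlock {
        param($name)
        Get-LocalUser -Name $name | Select-Object Name, Enabled, PasswordLastSet
    }

$report = foreach ($h in $trialHosts) {
    # Results from remoting carry the originating host in PSComputerName.
    $u = $found | Where-Object PSComputerName -eq $h

    # Assumes the host clocks are in sync with the machine running this check.
    $status = if (-not $u) { 'NOT CHECKED' }
              elseif ($u.PasswordLastSet -ge $enabledAt) { 'RESET' }
              else { 'NOT RESET' }

    [pscustomobject]@{
        Host            = $h
        Account         = $accountName
        PasswordLastSet = $u.PasswordLastSet
        Status          = $status
    }
}

$report | Format-Table -AutoSize
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

A host reported as NOT RESET still holds its old password, so review its Password Record before enabling resets in bulk.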

Additional Information

Documentation on both the Host Discovery and Account Discovery jobs can be located in your Passwordstate instance here;

Help->User Manual->Hosts->Hosts Home Screen->View Host Discovery Jobs, and,

Help->User Manual->Passwords->Tools Menu->Accounts Discovery

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.