Click Studios Technical Support deals with support calls ranging from ‘How do I create a new Password List?’ to ‘How do I recover my Passwordstate instance after a DR event?’ and everything in between. A recent theme in support calls relates to moving a Passwordstate instance to a new AD Domain.
There are 2 permutations that we’ll need to cover on this topic. Moving the Passwordstate instance to a new Domain that has a Domain Trust is covered in this blog. A future blog will cover moving the Passwordstate instance to a new Domain without a Domain Trust.
In layman’s terms, when you have multiple Domains, you will not automatically have all resources in one Domain directly available to all other Domains. To enable resources in one Domain to be used in another Domain, a trust in Active Directory needs to be established. This provides secure authentication and communication between the Domains and enables you to grant access to the resource to users, groups, and computers across the different Domains.
Prerequisites
To be able to perform the following, your instance of Passwordstate will need to be on Version 8 or 9. The functionality is not supported on previous versions of Passwordstate.
Firstly, make sure you have a recent successful backup of Passwordstate including the database. If you are using the built-in Backup feature this can be confirmed by navigating to Administration->Backups,

Next, it’s good practice to make sure you have your Emergency Access password in case you need it. To get this navigate to Administration -> Emergency Access,

Don’t worry about the Emergency Access Password shown above (it’s not the real one).
On Your Old Passwordstate Website
Now let’s perform some tasks on the Old Passwordstate Webserver prior to the move. To begin with we’ll set up a new Privileged Account Credential that uses an AD Account with permissions in the new Domain. This will be used to read AD Accounts and Security Groups. To do this navigate to Administration->Privileged Account Credentials,

We’ll also add in the new Domain name under Active Directory Domains. This will enable the correct Privileged Account Credential to be used for this Domain. To do this navigate to Administration-> Active Directory Domains,

Ensure the newly created Privileged Account Credential is selected at the Account with Read Access.
We now need to create an Account in Passwordstate that will be used to login from the new Domain. This is done by navigating to Administration->User Accounts. Note, if you are using Client Access Licenses and are running short of available licenses, you could either buy some more (subtle hint) or temporarily toggle one of the existing user accounts to disabled (disabled accounts don’t count toward your licensed level),

Now you’ll need to add all the Roles for the new Account you’ve just created. To do this navigate to Administration->Security Administrators, search for the new Account and tick the top level check box called Passwordstate Administration under Select Roles,

Login Test & Domain Move
Before we go any further, we’ll need to test that you can login correctly with the new Account you’ve created. If this is successful then you’re ready to start the move of your Passwordstate instance to the new Domain. The instructions for this can be found on our website here,

It is important to perform the instructions in the order listed,
- First (Red Circle 1), perform the webserver move to the new Domain following the instructions in the document Moving Passwordstate To A New Web Server,
- Then (Red Circle 2), perform the database move using the instructions in the document Moving Passwordstate To A New Database Server.
Once you have completed this you’ll need to login again using the new Account you created. This may prompt you to upgrade the database. If it does, please click Next to allow this to occur.
New Accounts & Access To Existing Data
You can now start the process of creating the new Domain’s Accounts and granting access to the existing Data in Passwordstate. Once again, if you are using Client Access Licenses and are running short of available licenses, you can temporarily toggle some of the existing user accounts to disabled (as disabled accounts don’t count toward your licensed level).
When creating the new Domain Accounts, you could either add them one at a time, or alternatively use the Add from AD button,

This is found under Administration->User Accounts. This will allow you to search and select Users or Security Groups (and their members) to add,

Once you have added them, and while still on the User Accounts screen, click on the Clone User Permissions button. This is used to clone permissions between the old Domain’s Accounts and the new Domain’s Accounts. You can do this one at a time like below,

Or by clicking on the Clone Multiple Users button, you can generate a CSV file that can be populated and uploaded.

When Cloning User Permissions, either individually or in bulk, the following settings are cloned,
- Any Blocked Email Notification settings
- Any memberships to Email Notification Groups
- Any Favorite Passwords
- Any of the ‘Features’ permissions for what menus the user is allowed access to at the bottom of the screen
- Any Grid Settings – which columns to see, width, etc.
- Any permissions to Password Lists (auditing records are added)
- Any Password Permissions (auditing records are added)
- Any permissions to Password Lists Templates (auditing records are added)
- Any Security Admin Roles (auditing records are added)
- Any membership to Local Security Groups (auditing records are added)
- The expand/collapse status of the Password Lists Navigation Tree
- Any User Account Policy permissions
- Any Scheduled Reports
Now you’ll need to add the appropriate Security Groups if you’re applying permissions based on AD Security Group membership. You do not need to do this for Local Groups. To do this navigate to Administration->Security Groups and click on Add AD Security Group,

Once you’ve added the appropriate Security Groups you can then Clone Permissions between the old Domain’s Security Groups and the new Domain’s Security Groups,

When you Clone Security Group Permissions, the following settings are cloned,
- Any memberships to Email Notification Groups
- Any of the ‘Features’ permissions for what menus the user is allowed access to at the bottom of the screen
- Any permissions to Password Lists (auditing records are added)
- Any Password Permissions (auditing records are added)
- Any permissions to Password Lists Templates (auditing records are added)
- Any Security Admin Roles (auditing records are added)
- Any User Account Policy permissions
Now Test, Test and Test
By following the above you’ve effectively migrated your entire Passwordstate instance, inclusive of website, database and data structure. You’ve then added the new Domain Accounts and cloned the permissions from each of the old accounts to their corresponding new account.
Now you need to test and make sure all those users can still see and access all the credentials they have been granted permission to. Only when you’re comfortable that all data is accessible by those that should have it should you delete the old Passwordstate instance.
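One way to support the testing step above is to compare what each old account was granted against what its new-Domain counterpart now holds, flagging both lost access and unexpected extra access. This is an added example, not Click Studios code: the CSV column names, account names and permission rows are constructed for illustration and are not Passwordstate's actual export format.

```python
import csv
import io

# Constructed sample data. Column names and rows are assumptions,
# not Passwordstate's real report layout.
PERMISSIONS_CSV = """UserID,PasswordList,Permission
OLDDOM\\alice,Network Devices,Modify
OLDDOM\\alice,SQL Accounts,View
OLDDOM\\bob,SQL Accounts,Administrator
OLDDOM\\carol,Network Devices,View
NEWDOM\\alice,Network Devices,Modify
NEWDOM\\alice,SQL Accounts,View
NEWDOM\\bob,SQL Accounts,View
NEWDOM\\bob,Network Devices,View
"""

# Old account -> new account pairs, mirroring the pairs used when cloning.
ACCOUNT_MAP_CSV = """OldUserID,NewUserID
OLDDOM\\alice,NEWDOM\\alice
OLDDOM\\bob,NEWDOM\\bob
OLDDOM\\carol,NEWDOM\\carol
"""

def load_grants(text):
    """Return {lowercased user id: {(password list, permission), ...}}."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["UserID"].strip().lower()  # AD account names are case-insensitive
        grant = (row["PasswordList"].strip(), row["Permission"].strip())
        grants.setdefault(user, set()).add(grant)
    return grants

def find_permission_drift(permissions_text, account_map_text):
    """Return {new user: {'missing': [...], 'extra': [...]}} for mismatched pairs."""
    grants = load_grants(permissions_text)
    drift = {}
    for pair in csv.DictReader(io.StringIO(account_map_text)):
        old_set = grants.get(pair["OldUserID"].strip().lower(), set())
        new_set = grants.get(pair["NewUserID"].strip().lower(), set())
        missing, extra = old_set - new_set, new_set - old_set
        if missing or extra:  # a downgrade shows up as one missing + one extra
            drift[pair["NewUserID"].strip()] = {
                "missing": sorted(missing), "extra": sorted(extra)}
    return drift

if __name__ == "__main__":
    for user, diff in find_permission_drift(PERMISSIONS_CSV, ACCOUNT_MAP_CSV).items():
        print(user, diff)
```

An empty result means every mapped pair holds identical grants; anything listed under extra deserves review before the old instance is deleted, since it is access the old account never had.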
If you’d like to share your feedback please send it through to support@clickstudios.com.au.