Reset console password

(imported topic written by jpeppers91)

I have a user that forgot his password. How do I reset his account?

(imported comment written by SystemAdmin)

You’ll need to delete and recreate the user in the BES Admin tool.

It is possible to reset an account without using BES Admin but it requires that you store a backup set of key files for users:

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=311

(imported comment written by rharmer91)

I hope you guys (BigFix) plan on addressing the whole “account thing” in some upcoming version of BigFix. I realize there is a fair amount of code around this, but just what I don’t need in an enterprise is another user store with account resets to do. It would be nice if you could hit an LDAP directory.

Rich

(imported comment written by BenKus)

Hey Rich,

The BigFix user is essentially two users:

  1. Database user (using SQL Server usernames or NT Authentication)

  2. BigFix username / private key

In theory, we could just use #1, but that would eliminate our extra layer of security… and since BigFix Agents are often deployed company-wide, a security flaw that led to compromise would be a major problem.

Note that you can use NT Authentication to control access to the BigFix database: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=282

But I think your point is clear that tighter integration with BigFix users and directory services would be a good thing. This is something that I have been advocating for a long time and this post is helpful for my case… The biggest problem is that all you guys keep asking for all sorts of new features, new products, and expanded functionality and it is hard to find room in the schedule for a relatively minor feature (in the eyes of most customers) that has a huge amount of work (and we would have to drop other features).

I will take these comments back to our product committee.

Ben

(imported comment written by jpeppers91)

How do you address accounts for employees who left? Since any fixlet content created by that user will be deleted if their account is deleted.

(imported comment written by BenKus)

Hey jpeppers,

I don’t think that is true… I believe the BES Admin digitally re-signs the Fixlet so it can stay active even if you delete the user… I will double-check… but have you experienced this in the past?

Ben

(imported comment written by jpeppers91)

No, but this is what I have been told.

(imported comment written by SystemAdmin)

Ben - Is this change user password function being addressed?

(imported comment written by BenKus)

Hey guys,

I checked on this and the design is:

  • if a master operator is deleted, his/her Fixlets are re-signed and stay around (because other people might be using them)
  • if a normal operator is deleted, his/her Fixlets (that aren’t in custom sites) are deleted because they can’t be used by other people anyway…

If you want to save specific Fixlets from operators, you should export them before you delete the user.

Ben

(imported comment written by curth)

Since BigFix is creating User IDs (rather than using an existing directory - LDAP, AD, …), give us a way to at least manage them. Can you add a feature to BES Admin that will allow Administrators to reset the password embedded inside the Keys? Or give us a way to recreate these keys without deleting and recreating the user.

(imported comment written by BenKus)

Hey Curth,

The private key file itself is encrypted with the password so if you lose the password there is no way for anyone to be able to open the file and get to the unencrypted private key (if there was, it would be a security issue). We could delete the key and recreate a new one for you, but it would be an equivalent process to deleting and remaking the user.

Perhaps good news for you:

Have you seen the script we wrote that will sync up the users between an AD group and BigFix? The idea is that you make an AD group “BigFix Console Operators” and then you run the sync script. For any new user that you put in that group, you will be prompted to create a BigFix user. If the user is removed from the group, it will be removed as a BigFix Console operator. This isn’t everything you might want, but hopefully it is a step in the right direction. Contact me if you want more info.

Ben

(imported comment written by Shlomi91)

Hi Ben,

Certainly a step in the right direction… but the issue here is the password management part, which should also be addressed…

Any chance of seeing this in a future BigFix version?

Shlomi

(imported comment written by SystemAdmin)

Ben

I am very interested in the AD/BES integration script. Where can I find that? Is that on the Fixlet page?

Weber