I’ve been tinkering around with a prototype site that would let you manage (view/create/edit/delete) local users within your deployment (I’m ignoring Active Directory users for now).
I am trying to figure out what the most common use cases are, and was hoping you guys might be able to provide some insight. What would your wishlist be for Local User Management support (beyond just securely deploying passwords through BigFix, which I will have in there ^_^)? What are your most common user management activities?
Any insight will be very helpful in deciding where I want to take this design. (Note that this is a highly experimental site, so it might not ever see the light of day).
We have something in house to help us with accounts:
Bulk account creations using user info from AD for creating accounts.
creates account based on naming convention, creates a backup of credentials, assigns strong password, and sets file permissions for the users signing key folder
What’s missing:
granting managed systems that is based on automatic groups
managing readers of external and readers and writers privs of custom sites.
Creating Web Reports account
Also Highly desired:
Resetting signing key password
reader / writer / management of systems based on an AD group membership. (I know you want to exclude that for now, but even if it was decoupled and just had to be run as a utility it would be progress)
Compliance: Local Admin Groups - report the membership and also enforce who can be members.
Mass password reset with a randomizer, not setting the local admin password the same on every computer. Password would then be stored on a database (encrypted) and can be accessed via a web portal (SSL). If you have rights to the computer then you can enter the computer name and retrieve the user-name and password. Password recovery tool for IT people when they can’t use domain credentials. When there is a turnover in IT staff you can run this on all your computers and never worry about having to remember the local admin password. (This gets a little beyond local group management, but I thought I would give you an idea for v 2.0.)
Those are all great suggestions, Stacy. The only thing I would add is auditing on that web portal where you can retrieve passwords (so that you know who retrieved what password).
Great idea …
…then a task that becomes relevant to show this computer password has been retrieved and you can randomize it again.
As a practice and for security reasons we change the admin password once in month.
To implement this from GPO, and as we are working in a 24x7 environment, it requires the system to be restarted after policy implementation, which is a time consuming task in one go (it takes at least 1 week to complete the task).
Hence we thought to replace the same via BigFix, but due to the “Security Exposure” mentioned in the http://forum.bigfix.com/viewtopic.php?id=420 thread we are unable to implement the same.
Kindly suggest in case if you have any better way to achieve this via BigFix.
Regarding the local admin password change, auditing and re-changing: integration with a privileged ID management tool (say Cyber-Ark) would be beneficial for workstations.
would like to see
ability to add AD users to Remote Desktop Users, Administrators and Power User groups.
ability to check if the logged-on user (local or AD user) has an administrative token.
I’d like to be able to remove members from the local administrators group with a whitelist.
Remove all members not-on-whitelist from group
Especially helpful if members and whitelist can include local users, local groups, domain users, and domain groups. Even more helpful if it can protect me from myself by not removing the primary administrator from the administrators group, regardless of that user’s current name.
Also might be useful for some to be able to rename the primary administrator without having to know its current name. (Not for me, we have a domain policy doing that.)
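The whitelist enforcement described in the post above (remove everyone not on the list, but never the built-in administrator whatever it is currently named), as an added PowerShell example that is not from this thread and not part of BigFix. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts cmdlets; the whitelist entries (CORP\Workstation Admins, CORP\Desktop Support, svc_backup) are constructed placeholders. Run with -WhatIf to audit only.

```powershell
# Added example (not from the thread): enforce a whitelist on the local Administrators group.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
# Whitelist entries below are constructed placeholders; replace with your own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Group = 'Administrators',
    # Allowed members: local users/groups by bare name, domain users/groups as DOMAIN\name
    [string[]]$Whitelist = @('CORP\Workstation Admins', 'CORP\Desktop Support', 'svc_backup')
)

$computer = $env:COMPUTERNAME

# The built-in administrator always has RID 500, so match on the SID, not the (renamable) name.
$builtinAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
    Select-Object -First 1).SID.Value

# Get-LocalGroupMember reports local principals as COMPUTER\name, so normalise the whitelist.
$allowed = foreach ($entry in $Whitelist) {
    if ($entry -notlike '*\*') { "$computer\$entry" } else { $entry }
}

foreach ($m in Get-LocalGroupMember -Group $Group) {
    if ($m.SID.Value -eq $builtinAdminSid) {
        # Protected regardless of current name: never remove the RID-500 account.
        Write-Output "KEEP   (built-in admin, RID 500) $($m.Name) [$($m.SID.Value)]"
    }
    elseif ($allowed -contains $m.Name) {
        # -contains is case-insensitive for strings, matching Windows account-name semantics.
        Write-Output "KEEP   (whitelisted, $($m.PrincipalSource)) $($m.Name)"
    }
    else {
        # Audit line is written before the change so -WhatIf runs still produce a full report.
        Write-Output "REMOVE (not on whitelist, $($m.ObjectClass)) $($m.Name) [$($m.SID.Value)]"
        if ($PSCmdlet.ShouldProcess($m.Name, "Remove from local group '$Group'")) {
            Remove-LocalGroupMember -Group $Group -Member $m
        }
    }
}
```

Members whose SID can no longer be resolved (deleted domain accounts) may cause Get-LocalGroupMember to error on some builds; wrap the call in try/catch or fall back to `net localgroup` output if you hit that.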
To see a way to change client passwords without the use of the “Local User Management” and instead using Secure Parameters & Client Mailboxing available in version 9 of BigFix/TEM/IEM, see the following: