Random local admin password / emergency local admin with random password

Version 2
    Share This:

    Hi BCM Community,

     

    Based on requirements in the past I've created two small utilities for BMC ClientManagement. You'll find them attached to this document. On the side of BMC ClientManagement you need licenses for Inventory and Deployment. For the target devices on which the utilities will be run you have to have installed Powershell V5.1 and .Net Framework 4.8. Both are standard since Windows 10 1903.

     

    in the following article are the steps documented with which you'll import a software package with an operational rule.

    How to Export Software Distribution packages that have already been published to the master

     

    The zip file contains two operational rules and one software package. After importing the XML file and the software packages you'll have the operational rules "00 ACTION Randomize local administrator password R1 - CK7" and "00 ACTION Create temp. Admin R1 - CK7".

     

    Operational Rule: 00 ACTION Randomize local administrator password R1 - CK7

     

    This rule will change the password of any specified user to a random value and stores the username and the password in the custom inventory. At the second step you have to specify the affected user account. Depending on your language you may have to adjust the value. The functionality is not tied to the Active Directory and it could be run on any device.

     

     

    2020-08-10_10-37-37.png

     

    As soon as the rule is executed and the custom inventory for the target device is updated you'll find a new object - LocalAdministrator - at the custom inventory. If you want to change the object name just edit step 4 and please also step 3 of the operational rule. Depending on your usage you may also want to edit step 11.

     

    2020-08-10_11-00-13.png

     

     

    If the rule is executed on a recurring schedule you are not only able to set all you local administrator password to a random one but also you are able to do this automatically every week. It is also possible to use a dynamic group to fetch all devices which haven't changed the password in the last 10 days and assign the operational rule. So you could be sure that the password isn't older than 10 days.

     

     

    Operational Rule: 00 ACTION Create temp. Admin R1 - CK7

     

    With this rule you will be able to create an emergency user with a random password. Also you could specify to which local group the user account should be added. Of course the password will be stored in the custom inventory.

     

    In the operational rule at step 2 you are able to specify the username and the group where the user should be added. The username and the password will be collected by the operational rule and stored into the custom inventory. The reason for entering the group is that depending on the language of the OS you have to specify another group name for the local administrators group. The configuration in the operational rule you have imported is for german operating system. If your OS language is english you need to switch the group name to administrators.

     

    2020-08-10_12-14-53.png

     

    This could be used to create a local emergency administrator account which could be gave away. And as soon as the account isn't needed anymore the rule could be reassigned to create a new password.

     

    When the rule is executed and the custom inventory is updated you have a new object at the custom inventory which is called EmergencyAdmin. If it should have another name you could adjust the steps 3 and 4 (depending on configuration may also step 11).

     

    2020-08-10_12-37-28.png

     

    In addition you could also specify how long the account should be usable. If you want to set and expiration date you have to change the parameter -accountexpires from no to yes and also add at one of the following informations:

     

    -ex_days

    Number of days when the account should expire

     

    -ex_hours

    Number of hours when the account should expire

     

    Examples:

    create_user.exe -user eadmin -group administrators -plain yes -out reg -accountexpires yes -ex_days 10

     

    Will create the user eadmin which is member of the group administrators. The password will be saved without encryption. The account is usable for 10 days.

     

    create_user.exe -user eadmin -group administrators -plain yes -out reg -accountexpires yes -ex_hours 12

     

     

    Will create the user eadmin which is member of the group administrators. The password will be saved without encryption. The account is usable for 12 hours.

     

     

    The create_user.exe will remove the user account if it exists already. So if you want to implement such a mechanism in your environment you should consider to use an unused username.

     

    This two utilities could be used without charge.

     

    If you need the option to encrypt / decrypt the password please get in contact with me and you'll get an offer.

     

    If encryption is activated the custom inventory object looks like this:

     

    2020-08-10_13-02-22.png

     

    The encrypted string could be copied & paste into the decryption tool and decrypted:

     

    2020-08-10_13-03-18.png