5 Replies Latest reply on Sep 16, 2019 8:38 AM by Alessandro Ghezzi

    BCM emergency windows admin account

    Dominik Kress

      Hi,

      I see the following case at a couple of our customers:

      An employee calls the ServiceDesk and needs local administrative rights on his device for "reasons". Often the ServiceDesk employee doesn't have the rights to grant the user specific rights, and even if the ServiceDesk employee has the rights, it could happen that this change won't be undone. In this way local administrative rights spread across the company. Of course with BCM we are able to identify local administrative accounts or accounts which are members of the local administrators group.

      Since the number of mobile workers is getting bigger and bigger, the customers need a solution which will also work if the device is not connected via VPN or is not able to process the group policies.

      At the moment I am working on an extension for BCM with which BCM is able to create a user account and add it to the local administrators group (any group, but the local administrators group is the original idea) with a random password which will be stored encrypted in the custom inventory. In addition to this there will be a small program where you can paste the encrypted value to decrypt it.

      By this mechanism a service desk employee is able to create a local admin account, with a random password, on any device where the BCM agent is installed and give it to a non-IT employee. As soon as the operational rule is re-run, a new password is generated and stored in the custom inventory. The old password which was given to the non-IT employee is now useless.

      This can now be combined with the scheduling options for operational rules. As an example, the OR could be run on startup, or every day, or every week, depending on the needs of each customer.

       

      Another option would be to deploy the emergency admin operational rule to all Windows client devices and store the encrypted password in BCM in advance. By this, whenever a user needs to have this sort of emergency access on his device, there won't be any waiting between OR assignment and custom inventory update.

      And since BMC added the inventory to the web console, the service desk employee only needs to have access to the web console and, maybe more important, a second small program to encrypt the password. Or if you are using additional products like FPSC, CMDB and so on, you could easily import the data directly into them, and by this the service desk employee doesn't even need to have access to the BCM web console.

      Screenshot from the web console:

      2019-09-13_13-15-37.png

      Screenshot of the Java console:

      2019-09-13_13-17-42.png

      Screenshot of the password decryption interface:

      2019-09-13_13-18-50.png

      Normally if we create extensions for BMC Client Management we will only offer them to our customers in Germany, but in this special case I thought that there may be some BCM customers who have the exact same requirement. If this is correct for your environment, just leave a comment in this discussion and I will keep it up to date once we have a final release.

      Required BCM licenses: Inventory & Deploy

      Regards,

      Dominik

        • 1. Re: BCM emergency windows admin account
          Steve Gibbs

          Great article Dominik!

          I too use this feature when I teach new customers about the "power" of BCM. I do it a bit differently, as I am sure many others do too. I have an op rule which creates the account and adds it to the Administrators group. I call it "rent an admin account". I assign it to the endpoints but prevent it from running; this way the scripts are staged. I then create another op rule that executes the first rule and publish it to MyApps (runs faster). The first rule will present a message window with the logon/password to use for this temp account and has a countdown timer set (wait) for 30-60 minutes. After the wait time completes the account is deleted. This way the account does not stay on the box, which would cause a "fail" for some audit requirements to not have local admin accounts. The concept is that the user can have an elevated account only when it is required, can run it on demand, and it is temporary. I would also suggest running a Software Inventory just as a precaution in case the user has decided to install software that may not be on the approved list.

          I really like your method of encrypting the password. I am looking forward to your final post where you provide the total package.
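Dominik's original post and Steve's reply describe two flavours of the same building blocks: an operational rule that creates a local account with a random password and adds it to Administrators, a password that is either encrypted to a key the endpoint does not hold (Dominik) or shown to the user and then thrown away together with the account after a lease (Steve). The PowerShell below is an added example written for this thread; it is not Dominik's extension, Steve's op rule or any BMC code. It assumes an elevated Windows PowerShell 5.1 or later session on the endpoint (LocalAccounts module and the CMS cmdlets), a service-desk certificate exported as a public-key-only .cer file at an assumed path, an assumed registry key as the value a BCM custom inventory item is configured to collect, and, for the rented-account variant, that the rule runs in the logged-on user's session so the popup is visible. All account names, paths and the registry key are placeholders.

```powershell
# Added example for this thread; not Dominik's extension, Steve's op rule or BMC code.
# Assumed: elevated Windows PowerShell 5.1+ (LocalAccounts module, Protect-CmsMessage),
# a service-desk public certificate at $RecipientCert, and a BCM custom inventory item
# configured to read $InventoryKey. Names, paths and the key are placeholders.

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (l, 1, I, O, 0) are left out so the password survives a phone call.
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling: no modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Dominik's scheme: create (or rotate) a local admin account with a random password and
# store only a CMS/PKCS#7 blob encrypted to the service desk's public key in the inventory.
function Set-EmergencyAdmin {
    param(
        [string]$UserName      = 'bcm-emergency',                      # placeholder
        [string]$Group         = 'Administrators',
        [string]$RecipientCert = 'C:\ProgramData\BCM\servicedesk.cer',  # placeholder, public key only
        [string]$InventoryKey  = 'HKLM:\SOFTWARE\BCM\EmergencyAdmin'    # placeholder
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # First run creates the account; every re-run of the rule just rotates the password.
    if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $UserName -Password $secure
    } else {
        New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires `
            -Description 'Emergency local admin; password rotated by BCM' | Out-Null
    }
    # Add-LocalGroupMember errors if the account is already a member, so check first.
    $isMember = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$UserName" }
    if (-not $isMember) { Add-LocalGroupMember -Group $Group -Member $UserName }

    # The endpoint only ever holds the public certificate, so neither the device nor a
    # copy of the BCM database can recover the password; only the private-key holder can.
    $blob  = Protect-CmsMessage -To $RecipientCert -Content $plain
    $plain = $null

    New-Item -Path $InventoryKey -Force | Out-Null
    Set-ItemProperty -Path $InventoryKey -Name 'EncryptedPassword' -Value $blob
    Set-ItemProperty -Path $InventoryKey -Name 'RotatedAt' -Value (Get-Date).ToString('o')
    return $blob
}

# Service-desk side (the "small program"): decrypt the blob copied out of the inventory.
# Runs where the private key is installed, typically Cert:\CurrentUser\My.
function Unprotect-EmergencyPassword {
    param([Parameter(Mandatory)][string]$Blob)
    return Unprotect-CmsMessage -Content $Blob
}

# Steve's variant: a "rented" account shown to the user, deleted again after the lease.
function Grant-TemporaryAdmin {
    param([string]$UserName = 'bcm-temp-admin', [int]$LeaseMinutes = 30)   # placeholders
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-LocalUser -Name $UserName -Password $secure -ErrorAction Stop `
        -Description "Temporary admin, expires after $LeaseMinutes min" | Out-Null
    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $UserName
        $deadline = (Get-Date).AddMinutes($LeaseMinutes)
        # Assumes the rule runs in the logged-on user's session so the popup is visible;
        # the popup closes itself after 60 s so a missed click cannot extend the lease.
        $shell = New-Object -ComObject WScript.Shell
        [void]$shell.Popup("Account: $UserName`nPassword: $plain`nValid until $($deadline.ToString('T'))", 60, 'Temporary admin account', 64)
        $plain = $null
        $remaining = [int]($deadline - (Get-Date)).TotalSeconds
        if ($remaining -gt 0) { Start-Sleep -Seconds $remaining }
    } finally {
        # Always remove the account, even if something above failed, so no standing
        # local admin is left behind for an audit to flag.
        Remove-LocalUser -Name $UserName
    }
    return $UserName
}
```

The recipient certificate is created once on the service desk side, for example with `New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject 'CN=BCM ServiceDesk' -CertStoreLocation Cert:\CurrentUser\My`, and only the public part exported with `Export-Certificate` is shipped with the rule; the private key stays on the desk machine (or a smart card), and whoever can run `Unprotect-EmergencyPassword` is exactly the set of people who can open any device, so that key deserves the same handling as a domain admin credential. Scheduling the rule to call `Set-EmergencyAdmin -UserName Administrator` every 30 days gives the LAPS-style rotation of the built-in account that Dominik mentions later in the thread; the function takes the `Set-LocalUser` path because the account already exists. In both variants the plaintext lives briefly in process memory and, for the rented account, on the user's screen, which is why the lease is short and the rotation rather than the account is what keeps the old password harmless.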

          • 2. Re: BCM emergency windows admin account
            Dominik Kress

            Hi Steve,

            Thank you for your feedback.

            I too use this feature when I teach new customers about the "power" of BCM. I do it a bit differently, as I am sure many others do too. I have an op rule which creates the account and adds it to the Administrators group. I call it "rent an admin account".

            I do nearly the same "trick" with the built-in mechanism for new customers.

            The idea behind this extension is that the mechanism will generate a random password for each account on each device and store the encrypted information in BCM. No need for extra documentation of passwords, and still one operational rule for all devices. And it should be encrypted, since customers may or may not have to provide the database to their support partners.

            The customers I've worked with didn't like the idea of using the same local admin password on every device, and they wanted to have a service request logged in their Helpdesk / Servicedesk / ITSM system. Of course this could also be easily automated with e.g. Footprints Self-Service in combination with BCM, but not all of our BCM customers are using an ITSM system from BMC.
            • 3. Re: BCM emergency windows admin account
              Steve Gibbs

              Totally agreed, and that is why your solution to encrypt and randomize the password is FANTASTIC! It could be better than LAPS and at the very least offers more customization options.

              Thanks Dominik, and awaiting more info as you continue to work on this solution.

              • 4. Re: BCM emergency windows admin account
                Dominik Kress

                Steve,

                Thank you very much for your feedback. I wasn't thinking about LAPS in this case. The idea was more specific to a "custom" user who has administrative rights. But since the work with the encryption and also with a small decryption utility is already done, I will create an additional program which is able to reset the password of the local Administrator to a random password. So customers are able to randomize / inventory their local Administrator passwords and are able to have a secure and standardized process for all devices, not only domain members.

                And if used with BCM they are able to change the password at a specific interval (e.g. every 30 days) and document it without the need for anyone to do anything manually.

                • 5. Re: BCM emergency windows admin account
                  Alessandro Ghezzi

                  Great article Dominik, this is really interesting!