Password Manager Pro (PMP) - Add a Resource and AD Accounts With Remote Password Reset Capability
This article shows the process for adding a new resource in Password Manager Pro with the necessary options for configuring remote password resets on Windows servers for domain accounts on that resource and then adding AD accounts to the existing Domain Resource, as well as adding service accounts for automatic password resets. A "resource" is any server, application, network device or an appliance that contains user accounts and passwords. It is possible to do remote password resets on non-Windows servers, but this article will only cover Windows.
- Add the Resource
- Share the Resource
- Add AD Accounts to the Domain Resource
- Add Service Accounts for Automatic Password Resets
1. Add a new inbound firewall rules on the Windows server for 172.18.1.87 for TCP on ports 135 and 445.
2. Add your IT group's password change service account (e.g., cts-pmpro-s) as well as the PMP service account (pmpro-s) to the local admin group on the Windows server.
3. In the Password Manager Pro console, click Add Resource and select Add Manually:
4. Complete the information to be added for the resource, including:
- A descriptive Resource Name - This name uniquely identifies a resource in PMP and therefore, must be distinct, as no two resources can have the same name. This field is mandatory as its value is used by PMP to identify the resources while performing various operations including password management.
- DNS Name / IP Address - Although this field is not a requisite for adding a resource, it is mandatory to have a valid DNS name or IP address to perform remote operations like remote password reset, account discovery and one-click login.
- Resource Type - Choose the type of your resource from the drop-down menu (the default value will be "Windows"). Based on the resource type, PMP uses unique procedures for password resets. For example, the password reset mechanism of Windows is not the same as that of Linux or Mac. This field also helps to organize your resources based on their type. You can also add a custom resource type by clicking the Add New option beside this field. You can enter a customized resource type in the next screen, such as an App or a printer (as mentioned earlier, anything that has a username and a password can be a resource! ), and then click the Add button as shown below.
- Group Name - Choose the name of the group you want to add this resource into, from the drop-down menu. For example, you can add all the Windows servers or Linux servers to a single resource group. You can also add a new group here by clicking the Add New option, giving a group name and clicking Add, and then choosing the same from the drop-down. Otherwise, you can leave this field to the default value (Default Group).
- Domain Name - use AD.UWM.EDU for Windows servers on the AD
- Password Policy - When PMP randomly generates passwords for accounts, they will be in compliance to the policy you choose here.
Then, click Save in order to add the resource.
5. The server resource should now appear in the resources list:
Share the Resource
1. In order for others to interact with a resource, you will need to share the resource with individual users in your unit or with an AD group. Sharing with a group is recommended. Select the resource then under Resource Actions for the resource, click Share With User Groups:
2. Find the group you want to share your resource with and click the Grant button:
If the group you would like to share with is not listed, please contact IAM at firstname.lastname@example.org.
Add AD Accounts to the Domain Resource
This process will show you how to add an AD account to the existing Domain Resource in Password Manager Pro.
1. Under Resources, click the Domain Resource item (for example, AD - Domain Resource - IAM or AD - Domain Resource - ITAI or AD - Domain Resource - CTS, depending on your area):
2. Once you are viewing the Domain Resource, click the Add button:
3. Enter the information for the account and then check the box next to Configure password reset for associated service accounts, scheduled tasks, IIS AppPool accounts and IIS web.config. Also, add any resource groups that contain resources that use the account:
4. Check the boxes for items in which you'd like password resets to be performed as well as which should be restarted upon password resets. Then, click the Add button:
5. You may continue adding additional accounts or click Save to finish:
6. The account should now appear in the list of accounts in the Domain Resource. Verify that the password is in sync by clicking the Account Actions drop-down on the account and selecting Verify Password:
7. If everything is correct, you should see a Password is in sync message:
Add Service Accounts for Automatic Password Resets
This process will show you how to add service accounts to automatically reset their passwords on the resource when the account password is changed.
1. In the Domain Resource account list, check the box next to the service account and click the Service Accounts button:
2. Click on Supported Service Accounts, then click the Fetch Now button:
3. You will see a list of Resources using the account and what service is using it. Click OK.