Version: Axidian Privilege 3.0

Service Operations

Service Operations for Windows Resources

caution

If the management server components are installed on the Linux operating system, then the WinRM service must be configured over HTTPS on the Windows resource to perform service operations.

The following service operations are performed at Windows resources on behalf of the domain or local service account:

  • Checking of connection to resources
  • Synchronization of local accounts
  • Checking of local account passwords
  • Changing of local account passwords
  • Getting data about operating system
  • Getting list of security groups

Configuring a Domain Account as Service One

  1. Log in to the resource
  2. Run the Computer Management snap-in
  3. Switch to the System Tools → Local Users and Groups → Groups section
  4. Open the context menu of the Administrators group
  5. Select Properties
  6. Click Add
  7. Select the domain account to be used as the service account for the resource and click OK

Configuring a Local Account as Service One

If you plan to use local built-in administrator account as service account, then no additional configuration is required. Otherwise, proceed as follows:

  1. Log in to the resource
  2. Run the Computer Management snap-in
  3. Switch to the System Tools → Local Users and Groups → Groups section
  4. Open the context menu of the Administrators group
  5. Select Properties
  6. Click Add
  7. Select the local account to be used as the service account for the resource and click OK
  8. Run the Windows Registry Editor (RegEdit)
  9. Expand the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ branch
  10. Open the context menu of the System key
  11. Select New → DWORD (32-bit) Value
  12. Name the new value LocalAccountTokenFilterPolicy
  13. Open the context menu of the LocalAccountTokenFilterPolicy value
  14. Select Modify and set Value data to 1

The registry change is required because, by default, remote WinRM management is restricted for all local accounts except the built-in Administrator account.

Configuring Axidian Privilege Core to Perform Service Operations on behalf of Local Resource Accounts

Service operations are performed using WinRM. To use local resource accounts as service accounts, you must add the resource to the WinRM TrustedHosts list on the Axidian Privilege Core server.

Configuring the TrustedHosts List

  1. Log in to the server on which Axidian Privilege Core will be installed
  2. Run Command line (CMD) as Administrator
  3. Execute the following command:
C:\>winrm s winrm/config/client @{TrustedHosts="Resource1.domain.local, Resource2.domain.local"}

The specified resources are added to the TrustedHosts list.

caution

When adding new resources to the trusted list, you must specify previously added resources and new ones, since the new value overwrites the old one.

@{TrustedHosts="Resource1.domain.local, Resource2.domain.local, Resource3.domain.local"}
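Because the value is replaced rather than appended to, a safe way to extend the list is to read the current TrustedHosts value, merge the new hosts into it, and write the merged list back. The following PowerShell script, an added example that is not part of the original documentation, does this on the Axidian Privilege Core server; the host names are placeholders and must be replaced with the real resource names.

```powershell
# Added example: extend the WinRM client TrustedHosts list without losing
# the entries that are already present. Run in an elevated PowerShell session.
# Host names below are placeholders, not real resources.
$newHosts = @('Resource3.domain.local', 'Resource4.domain.local')

# Read the current value; it is an empty string when nothing is trusted yet.
$current  = (Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
$existing = @()
if (-not [string]::IsNullOrWhiteSpace($current)) {
    $existing = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# A wildcard entry trusts every host and should be reviewed, not extended.
if ($existing -contains '*') {
    throw "TrustedHosts is set to '*'; review the list before adding entries."
}

# Merge old and new entries, dropping duplicates (-contains ignores case)
# and keeping the existing order so the change is easy to review.
$merged = [System.Collections.Generic.List[string]]::new()
foreach ($h in ($existing + $newHosts)) {
    if (-not ($merged -contains $h)) { $merged.Add($h) }
}
$value = $merged -join ','

Write-Host "Current TrustedHosts : $current"
Write-Host "New TrustedHosts     : $value"

# Write the merged list back. -Force suppresses the confirmation prompt.
Set-Item -Path 'WSMan:\localhost\Client\TrustedHosts' -Value $value -Force

# Show the resulting value so it can be recorded with the change.
(Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
```

The same result can be obtained with `winrm s winrm/config/client` as shown above, as long as the full list (old and new entries) is supplied every time.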

Service Operations in Active Directory

caution

If the management server components are installed on the Linux operating system, then LDAPS (LDAP over SSL) must be configured in the domain to perform service operations.

Account for service operations in Active Directory

  1. Start the Active Directory Users and Computers snap-in.

  2. Open the context menu of the container or organizational unit.

  3. Select Create → User item.

  4. Enter the name, for example, IPAMADServiceOps.

  5. Fill in the required fields and complete the creation of the account.

  6. Open the context menu of the container, organizational unit, or domain root.

  7. Select the Properties item.

  8. Go to the Security tab.

    info

    If there is no Security tab, then in the View menu, enable Advanced features.

  9. Click Add.

  10. Select the IPAMADServiceOps account and click OK.

  11. Click Advanced.

  12. Select IPAMADServiceOps and click Edit.

  13. In the Applies to: field, select Descendant User objects.

  14. In the Permissions: section, check Reset password.

  15. Save all changes.

Service Operations for *nix Resources

The following service operations are performed at *nix resources on behalf of the local service account:

  • Checking of connection to resource
  • Searching for local accounts
  • Checking of local account passwords
  • Changing of local account passwords
  • Getting data about operating system
  • Getting list of security groups

Creating and Configuring a Service Account

  1. Log in to the resource.
  2. Open a terminal.
  3. Create a user, for example IPAMService:
    adduser IPAMService
  4. Add the user to the sudo group:
    usermod -aG sudo IPAMService

Configuring a Group of Privileged Accounts

Access accounts are searched for and added to Axidian Privilege automatically based on their permission to execute sudo commands. To grant this permission, you may need to edit the /etc/sudoers file.