We are currently implementing CA ControlMinder 12.8 version. In our environment we have multiple types of servers on which we provisioned a backup account for emergency conditions. As per the Client's requirement, the password for this account should be automatically changed after every 30 days and should be same across all servers, either Windows or Linux. Need some help, how can we set a single password for multiple accounts created for different endpoints. ControlMinder will run the automatic reset task and will generate random password for all the accounts. Any help on this. Thanks in Advance.
Yes, ControlMinder has the ability to run an automatic reset task (based on the password policy), but assigns a random password.
I think ControlMinder cannot use the same password for different accounts.
Does the reply from Vinay answer your question? If yes, can you please mark it as correct answer?
As per our requirement, CA ControlMinder should set the one password for all users, but as per Vinay, ControlMinder would generate a new password for every user, which does not meet our requirement.
As Vinay said our tool doesn't have the ability to set the SAME generated password for all those accounts. We have the ability to set each account differently. I would suggest creating an Idea to have this feature added to future releases of Privileged Identity Manager.
Thanks for considering this. The idea is to set one password for accounts, in case ENTM is unavailable, an account (e.g. BACKUPUSER) which will be provisioned on all servers, will act as an emergency account, and provide backdoor entry to servers. So End User will use this account to login to the servers directly. The password for this emergency account (BACKUPUSER) should be same on all the servers. Other PIM tools do provide this functionality, but this seems to be missing in ControlMinder.
Any help on this, how can we achieve this in ControlMinder?
Hello, So from what I understand you want to make a user named "backupuser" on every endpoint, have its password change every 30 days, but be the same on every endpoint.
This can be done with PMDBs. You would need to create a PMDB containing the user and its password, then subscribe all of the endpoints (including itself) to this PMDB. This will make every endpoint subscribed have the same username and password. When the password is changed on the parent PMDB the new password will be sent to all of the other endpoints and they will all then have the same password for that account again. If you are not familiar with PMDBs you can find info on them in the reference guide.
Basic steps on this process can be found at the very bottom of this page:
PIM/ControlMinder Reference guide:
Hope this helps.
Apart from what has been suggested, in case you need to access the user in case of emergency, you can as well extract the password using the password extraction utility that is shipped along with the product.
Having the same password for the same account across the environment, I would consider this a security threat rather than a feature. This would expose all your servers simultaneously at the same time to the user of this account.
Do let us know if you have any further queries regarding this.
Thanks and Regards,
Hi Reatesh,
The idea of provisioning this account on all servers and having a common password is that, in case the server on which ENTM is hosted is down, this account will be used to log in to the servers. The password for this account will not be shared with everyone but will be limited to a few.
Thanks for providing the info, but this seems to be applicable on Unix servers. What about Windows Local Accounts?
This would be a good feature for any endpoint type.
I am having the same request (to unify the password on local Windows boxes for an amount of time to perform a security test)
but I cannot find a command similar to sepass on the Windows platform ...
and as per the Integrated HTML Documents, "sepass Utility—Set or Replace a Password", this command is valid only for Unix.
You can try a manual password reset. It will let you specify the password, but it must conform to the account password policy.