Symantec Privileged Access Management

Endpoint-based AD user password management using UNAB uxconsole

  • 1.  Endpoint-based AD user password management using UNAB uxconsole

    Broadcom Employee
    Posted 12-05-2018 10:49 AM

    AD user passwords can be reset form UNAB on a Unix endpoint, eliminating the need to always involve Windows Administrator in order to do it on the Windows side.   

    Just like in Windows itself, a privileged AD account must be used to perform the operation of updating someone else's password from Unix.  The accounts from the Administrative group can do that by default; however, the recommended method is to delegate password reset and user control read/write privileges to an ordinary account and use it is effectively as a Unix-side administrator assistant account. 

    That account does not need to have Unix attributes specified, i.e., it stays a pure AD account and "invisible" from Unix side.  ADUC MMC allows one to delegate necessary rights in Windows as a single task and only with a few clicks of the mouse. 

    Please see Microsoft articles for authoritative details, e.g., https://support.microsoft.com/en-us/help/296999/minimum-permissions-are-needed-for-a-delegated-administrator-to-force  .

     

    Here is an example with users from a domain different from the UNAB registration domain:

    admassistant  -   AD user who was delegated the right to reset other AD users' passwords;

    aduser2o      -   AD user who forgot his password and needs it to be reset

    othercorp.net -   domain where the above accounts are (the domain will need to be specified in this case since when a domain is omitted, the registration domain is assumed).

     

    /> uxconsole -krb -passwd -a admassistant@othercorp.net aduser2o@othercorp.net

    CA ControlMinder UNAB uxconsole v12.81.0.3338 - console utility
    Copyright (c) 2013 CA. All rights reserved.

    Password for admassistant@othercorp.net:
    New password for aduser2o@OTHERCORP.NET:
    Enter the new password again:
    Successfully changed password for 'aduser2o@OTHERCORP.NET'.

     

    And now let's verify the new password:

    /> uxconsole -krb -init aduser2o@othercorp.net
    CA ControlMinder UNAB uxconsole v12.81.0.3338 - console utility
    Copyright (c) 2013 CA. All rights reserved.

    Password for aduser2o@OTHERCORP.NET:
    Successfully authenticated to Active Directory. Credentials are in '/tmp/krb5cc_0'.