Skip to main content
Question

Password Safe Directory Attribute Match

  • November 26, 2025
  • 2 replies
  • 9 views
C
Forum|alt.badge.img+3

We are using a SmartRule with the Selection Attribute Criteria “Directory Attribute Match” using the employeeID attribute to map privileged account as dedicated account for a user only.

 

This all works fine but we are worried if somehow the source system (e.g. AD) is messing with the data of this attribute employeeID, e.g. deleting the value (e.g. AD Admin not aware of that field, doing cleanup, etc.) or being tampered.

 

This privileged acount then would be exposed to all the users (with access to that Managed Account group).

 

How can this be prevented or found/reported which accounts may have an issue. I understand data quality is key here but with such a highly security related topic of privileged accounts one always has to assume that the source (AD) might be wrong and counter-measures must be possible on both side (source and consumer, i.e. PasswordSafe)

2 replies

Pulitros144
Forum|alt.badge.img+4
  • Pulitros144
  • Rising Star
  • November 26, 2025

@cschaller 

Your best scenario would be to monitor the AD. Any other solution would be less than satisfactory for what you desire. That way, when any change is made on that specific attribute on the AD, you would be notified and be able to correct it in a timely manner. Password Safe has no mechanism to alert you should an account stop belonging to a smart rule.

If you can’t monitor the changes on AD, you could enable the email alerts on that smart rule, and anytime a change is made on that account, you would be alerted. But that type of alert is usually for a password change or manual change, rather than the account not belonging to that smart rule anymore.

Or you could go the API route and create a script to read all dedicated account smart rules, get the accounts they belong to, import this to a TXT or CSV, and anytime a new account is added or is missing from the last 'scan,' you could notify yourself with an email alert from the script or anything like that.

But yeah, to be direct, your best way is to monitor your domain controller for any changes being made on the attribute being used for the dedication.

PS
C
C
Forum|alt.badge.img+3
  • cschaller
  • Author
  • Apprentice
  • November 26, 2025

Thanks for this great tip!

Pulitros144

Badge Earners

  • BCA: Password Safe
    HoudaELGASBIhas earned the badge BCA: Password Safe
  • BCA: Password Safe
    vigneshhvhas earned the badge BCA: Password Safe
  • BCIE: Endpoint Privilege Management - Windows
    NickZeehas earned the badge BCIE: Endpoint Privilege Management - Windows
  • BCIE: Password Safe
    NickZeehas earned the badge BCIE: Password Safe
  • BCIE: Privileged Remote Access
    NickZeehas earned the badge BCIE: Privileged Remote Access
Show all badges
Terms & ConditionsCookie settingsAccessibility statement