Hello All,
How do you handle use cases where admins need to manually enter the managed account password multiple times in a day? These can be workstation admins helping end-users directly on end-user workstations, where manual entry of passwords is required. As the password rotates very frequently and is complex to remember or type in, what is your approach?
We have a password manager that they can use on their phone, so that they don’t need to carry their laptop or log in to PS on the end-user machine. We are exploring using YubiKeys or another device which can store a partial password, so admins can memorize a few characters. YubiKeys don’t allow restricting storage based on number of characters, though.
EPM-W: that way you can deal with the password necessity on the end users' endpoints. Instead of an admin doing the work, you can just have an allow list for the user themselves to elevate the process.
PRA integration would work as well, so the credentials could be injected into the system. Refer to KB0018748.
Another idea would be to create an application and pass the credentials. Here is an example of SMSS KB0017273.
Hope this information helps.
Hello, thank you for your responses. I think I am unable to edit the original post, as I wanted to add some clarification. I see EPM is definitely one option, but there are some use cases where the logged-in user has to be a member of the local admin group or the EPM agent cannot be installed on the machine. PRA integration is helpful for remote access use cases; this requirement is more for in-person/physical access to the machine.
EPM with Password Safe integration (if you are storing workstation Admin creds in password safe).
For the most part, EPM removes the need for Admin logon/membership.
For the edge case scenarios, we’ve also had customers ‘state’ local admin group memberships are necessary but have managed to work through most of those via EPM.
There are now a few options here that can be used for resolving your issues.
- Just in Time Admin on 24.7. Make the user a temp admin while you help the users with the needed tasks and end the Admin session on the EPM Tool when done.
- Password Safe integration can allow running a specific application in the context of a vaulted account that has local admin rights on the computer.
- I have seen a customer using a USB QR code scanner: make a QR code of the password in the morning and just scan it when needing to type it in. I think 49$.
- If you have Jump Client on the machine and installs can be kicked off from a command shell
Then again, I do not know the software, but there are a few out there that also check for the user being an admin, and many of them have install switches to bypass the check, like Oracle (miracle) -ignorePrereqs or something like that.