Setting up password changing on Microsoft Windows system
This topic contains an example of setting up password changing for a Microsoft Windows account over WMI.
Note
Windows WMI password changer
Using Windows WMI password changers requires granting sufficient permissions to regular users.
Run the winrm quickconfig command to detect any potential issues, turn on the LocalAccountTokenFilterPolicy option and unblock ports on the internal firewall. If winrm is unavailable, execute the following command:
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Additionally, unblock WMI and DCOM ports and change the network interface type to Office network.
If neither of the above has brought the expected results, the administrator must explicitly assign users and groups privileges to WMI or DCOM using wmimgmt.msc and dcomcnfg.
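A read-only PowerShell check of the prerequisites above, added here as an example and not part of the Fudo documentation: it reports the current LocalAccountTokenFilterPolicy value, whether WinRM answers locally, the network category of each interface and the state of the inbound WMI firewall rules. The function names are hypothetical, and the firewall display group name assumes an English-language Windows installation.

```powershell
# Added example: inspects the settings only, changes nothing.
# Run in an elevated PowerShell session on the target Windows host.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-TokenFilterPolicy {
    # Returns the DWORD value, or $null when the value is absent.
    # A value of 1 turns off UAC remote restrictions, so local administrator
    # accounts receive a full elevated token on remote connections.
    $item = Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
        -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.LocalAccountTokenFilterPolicy } else { $null }
}

function Test-WinRMResponding {
    # Test-WSMan without a computer name queries the WinRM service on this host.
    try { $null = Test-WSMan -ErrorAction Stop; $true } catch { $false }
}

function Get-WmiInboundRule {
    # Assumption: English display group name; adjust it on localized systems.
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Profile, Action
}

$rules = @(Get-WmiInboundRule)

$report = [pscustomobject]@{
    LocalAccountTokenFilterPolicy = Get-TokenFilterPolicy
    WinRMResponding               = Test-WinRMResponding
    NetworkCategory               = (Get-NetConnectionProfile |
                                        Select-Object -ExpandProperty NetworkCategory) -join ', '
    WmiInboundRulesTotal          = $rules.Count
    WmiInboundRulesEnabled        = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
}

$report | Format-List
$rules  | Format-Table -AutoSize
```

Running it before and after the setup shows exactly which host settings were changed for the password changer, which is useful when recording the LocalAccountTokenFilterPolicy change in the host's hardening baseline.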
Adding a password change policy
- Select > .
- Click to create a new password changing policy.
- Provide password change policy name.
Note
Provide a descriptive name so that anyone administering Wheel Fudo PAM can tell what the policy does at a glance, e.g. 10 minutes, 20 characters, special characters, uppercase.
- Select Password change enabled and define how frequently the password will be changed.
- Select Password verification enabled and define how frequently the Secret Manager should verify that the password has not been changed by any means other than the Secret Manager itself.
- Provide the number of characters comprising the password.
- Select desired password complexity options and provide the minimal number of characters for each.
- Click to store password changer policy.
Assigning password changer to the privileged account
- Select > .
- Find and click desired account object.
- Provide the privileged account login in the Credentials section.
- Select with password from the Replace secret drop-down list.
- Provide privileged account password.
- Select your policy from the Password change policy drop-down list.
- In the Password changer section, select Unix Account over SSH from the Password changer drop-down list.
- Provide superuser login credentials.
Note
The superuser account enables resetting the password in case the Secret Manager detects that it has been changed by someone else.
- Click .