    AdmPwd.PS Management Module

    Updated: 25 Dec 2020

    Description

    Module provides full user and management capabilities for AdmPwd.E solution.
    User capabilities include:

    • Reading of managed passwords (local admins and managed domain accounts)
    • Reset of managed passwords (planned in the future or immediate)
    • Management of password history length for managed local admin accounts

    Management capabilities include:

    • AD Schema update
    • Delegation model maintenance
    • Generation of new encryption keys
    • PDS management
    • Environment statistics

    AdmPwd.PS Cmdlets

    Add-AdmPwdPdsManagedAccountsContainer

    Adds configuration of AD container with accounts with automatically managed passwords to configuration of PDS.

    PDS manages managed domain accounts in specified AD containers (typically OUs).
    Each container has specific configuration for passwords (complexity, age, encryption key, etc.).
    All user accounts in the container are subject to automatic password configuration.
    Configuration of managed accounts containers is stored in PDS configuration file.

    Add-AdmPwdPdsSidMapping

    Adds mapping of SIDs from untrusted forest to SID from PDS forest.

    PDS supports management of untrusted forests.
    However, for management of untrusted forests, the following prerequisites must be configured:

    • Explicit credentials for PDS to use when accessing the untrusted forest
    • Mapping of SIDs from the untrusted forest to SIDs from the PDS forest.

    SID mappings are used for access control: a user who wants to read or reset a password must have his/her own SID (own SID or SID of a group he/she is a member of) 'paired' with a SID that has been delegated the permission for password read/reset in the untrusted forest. SID mapping is used to establish this pairing of SIDs.

    Add-AdmPwdPdsSupportedForest

    Adds registration of supported AD forest for management to PDS configuration (optionally with connection credentials for the forest).

    Get-AdmPwdADSchema

    Gets AD schema attributes for the solution and their schema GUIDs.

    Get-AdmPwdCredential

    Returns credential for local admin or managed domain account, and optionally schedules reset of retrieved password.

    Get-AdmPwdEnvironmentStatus

    Returns status information about environment managed by the solution.

    Get-AdmPwdKeySize

    Returns supported key sizes for the solution.

    Get-AdmPwdManagedAccountPassword

    Retrieves password for given managed domain user account.

    Get-AdmPwdPassword

    Finds admin password for given computer.

    Get-AdmPwdPds

    Lists all discovered PDS instances along with their parameters.

    Get-AdmPwdPdsAccessControlParameters

    Returns parameters of PDS service related to access check process.

    Get-AdmPwdPdsAdminRole

    Returns name of AD group that has role of PDS Administrator.

    Get-AdmPwdPdsDnsParameters

    Returns parameters of PDS service related to registration of PDS autodiscovery SRV record.

    Get-AdmPwdPdsLicenseParameters

    Returns parameters of PDS service related to license of product.

    Get-AdmPwdPdsManagedAccountsContainer

    Gets all defined managed accounts containers from configuration of PDS.

    PDS manages managed domain accounts in specified AD containers (typically OUs).
    Each container has specific configuration for passwords (complexity, age, encryption key, etc.).
    All user accounts in the container are subject to automatic password configuration.
    Configuration of managed accounts containers is stored in PDS configuration file.

    Get-AdmPwdPdsManagedAccountsParameters

    Returns parameters of PDS service related to management of Managed Domain Accounts.

    Get-AdmPwdPdsSidMapping

    Gets mapping of SIDs from untrusted forest to SID from PDS forest from PDS instance.

    Get-AdmPwdPdsSupportedForest

    Lists supported AD forests from PDS configuration.

    Get-AdmPwdPublicKey

    Gets public key with given ID.

    Get-AdmPwdPublicKeys

    Returns all public keys managed by PDS instance.

    Get-AdmPwdUserPermissions

    Finds permissions that specified user has on specified AD object (computer or user account).

    Move-AdmPwdPdsAdminRole

    Sets a group as PDS Admins role group.
    Members of this role have permission to manage configuration of PDS.

    New-AdmPwdKeyPair

    Generates new key pair in Password Decryption Service.

    Remove-AdmPwdPdsManagedAccountsContainer

    Removes configuration of AD container with accounts with automatically managed passwords from configuration of PDS.

    PDS manages managed domain accounts in specified AD containers (typically OUs).
    Each container has specific configuration for passwords (complexity, age, encryption key, etc.).
    All user accounts in the container are subject to automatic password configuration.
    Configuration of managed accounts containers is stored in PDS configuration file.

    Remove-AdmPwdPdsSidMapping

    Removes mapping of SIDs from untrusted forest to SID from PDS forest.

    Remove-AdmPwdPdsSupportedForest

    Removes registration of supported AD forest for management from PDS configuration.

    Reset-AdmPwdManagedAccountPassword

    Requests reset of password for given managed domain account. Password is reset by PDS upon the next cycle of password management (within 10 minutes by default).

    Reset-AdmPwdPassword

    Requests reset of local admin password for given computer (either immediate or planned for future).

    Set-AdmPwdComputerSelfPermission

    Gives computers permission to report passwords of their local admin accounts to AD.

    Set-AdmPwdPdsAccessControlParameters

    Sets parameters of PDS service related to access control decisions for password reads and resets.

    Set-AdmPwdPdsDeletedObjectsPermission

    Delegates necessary permissions to Password Decryption Service accounts on Deleted Objects container in specified domain.

    Set-AdmPwdPdsDnsParameters

    Sets parameters of PDS service related to registration of PDS autodiscovery SRV record.

    Set-AdmPwdPdsLicenseParameters

    Sets parameters of PDS service related to access control decisions for password reads and resets.

    Set-AdmPwdPdsManagedAccountsContainer

    Updates PDS configuration of AD container with accounts with automatically managed passwords.

    PDS manages managed domain accounts in specified AD containers (typically OUs).
    Each container has specific configuration for passwords (complexity, age, encryption key, etc.).
    All user accounts in the container are subject to automatic password configuration.
    Configuration of managed accounts containers is stored in PDS configuration file.

    Set-AdmPwdPdsManagedAccountsParameters

    Sets parameters of PDS service related to management of Managed Domain Accounts.

    Set-AdmPwdPdsManagedAccountsPermission

    Delegates necessary permissions to Password Decryptor Service (PDS) service accounts, so that it is able to manage and retrieve passwords of managed domain user accounts.

    Set-AdmPwdPdsPermission

    Delegates necessary permissions to Password Decryptor service accounts.

    Set-AdmPwdPdsSidMapping

    Updates mapping of SIDs from untrusted forest to SID from PDS forest.

    Set-AdmPwdPdsSupportedForest

    Updates registration of supported AD forest for management in PDS configuration (optionally with connection credentials for the forest).

    Set-AdmPwdReadPasswordPermission

    Delegates the permission to read passwords of local admin account of computers in given AD container.

    Set-AdmPwdResetPasswordPermission

    Delegates the permission to request reset of passwords of local admin account of computers in given AD container.

    Update-AdmPwdADSchema

    Prepares AD schema for the solution in local forest. Must be executed in every AD forest that is supposed to host computers or domain user accounts that have passwords managed by the AdmPwd.E solution.

    Update-AdmPwdPasswordHistory

    Maintains records in password history for given computer account in AD.
