Configuration

Configuration of PDS service is maintained in PDS.config file. Service recognizes configuration parameters as specified in table below.

Note: This file is created upon first start of PDS service with default values. Changes then can be made either manually, or via PowerShell cmdlets. File content is preserved during uninstalls and upgrades of PDS service.

PowerShell cmdlets that modify content of PDS.config file are:

Supported Forest management:

  • Add-AdmPwdPdsSupportedForest
  • Set-AdmPwdPdsSupportedForest
  • Remove-AdmPwdPdsSupportedForest

Managed Accounts Containers:

  • Add-AdmPwdPdsManagedAccountsContainer
  • Set-AdmPwdPdsManagedAccountsContainer
  • Remove-AdmPwdPdsManagedAccountsContainer

SID Mappings:

  • Add-AdmPwdPdsSidMapping
  • Set-AdmPwdPdsSidMapping
  • Remove-AdmPwdPdsSidMapping

Access control configuration:

  • Set-AdmPwdPdsAccessControlParameters

Autodiscover DNS SRV record publishing:

  • Set-AdmPwdPdsDnsParameters

PDS Admin Role management:

  • Move-AdmPwdPdsAdminRole

License file location and name:

  • Set-AdmPwdPdsLicenseParameters

It's strongly recommended to use PowerShell cmdlets to modify configuration of PDS, rather than editing PDS.config manually.

All cmdlets above allow effective update of configuration of multiple PDS instances via pipelining, such as: Get-AdmPwdPds | Set-AdmPwdPdsSupportedForest .... This further simplifies configuration management and helps keep configuration standardized across machines.

Table below specifies PDS service configurable parameters.

Parameter Meaning Note
Pds - Dns – Autodiscovery - RegistrationInterval Interval for DNS SRV record refresh, in seconds. PDS automatically refreshes its own SRV record to prevent expiration

Default: 86400 (1 day)
Setting to 0 disables SRV record registration and refresh. This is useful in environments where PDS service account does not have permission to write to DNS.
Pds - Dns – Autodiscovery - UnregisterOnShutdown Whether PDS shall unregisters its own DNS SRV record during service shutdown

Default: False
Pds - Dns – Autodiscovery - Priority Priority of SRV record being created by instance of PDS

Default: 100
Pds - Dns – Autodiscovery - Weight Weight of SRV record being created by instance of PDS

Default: 100
Note: PDS discovery logic implemented in Integration SDK ignores weight of SRV records – thus does not perform load balancing
Pds - Dns – Autodiscovery - TTL TTL of registered SRV record, in seconds

Default: 1200 (20 minutes)
Pds - Dns – Autodiscovery – DomainsToPublish – Domain - DnsName DNS name of domain where PDS shall publish own SRV record

Default: Empty list which means that PDS registers SRV recordin ow domain only.

When specified, PDS registers SRV record in specified domains only. PDS own domain must be listed as well so as PDS would register SRV record there.
If no domain specified, PDS registers SRV record in own domain only.
Pds - Keystore Identifier of assembly implementing keystore for key pairs.

Do not change parameters here unless you know what are you doing.

PDS supports extensibility and different implementations of keystore.

Note: Default keystore that comes with the solution is of type AdmPwd.PDS.KeyStore.FileSystemKeyStore and is implemented in main PDS executable.
Pds – AccessControl - HonorFullControlPermission

Specifies whether or not to honor Full Control permission on computer/user object when performing authorization checks for password reads and resets.

When set to TRUE, users who have Full control permission on computer objects can read and reset local admin password even when they are not given explicit permissions as specified in Extended Rights specification

Default: False
(Full control right on AD object does NOT give permission to read/reset admin password)
Pds – AccessControl - SidMappings Maps primary SID (from PDS forest) to SID from untrusted forest managed by PDS. Used to support access control when accessing untrusted AD forest

Default: Empty list

Use PowerShell to manage configuration of SID mappings
Pds – AccessControl - MandatoryGroups - Group - Sid Contains list of SIDs of groups caller has to be member of so as requests for password read and reset was honored. Works as additional protection layer in additions to standard Read/Reset password. Used to enforce Authentication Mechanism Assurance

Default: Empty list, which means that this additional layer of protection is not active
Pds – PDSAdmin - Role Name of AD group implementing PDS Admin role

Default: Enterprise Admins

Note: PDS Admin role is allowed to perform the following operations:

  • Generate new encryption/decryption key pairs
  • Maintain alternate credentials to authorize PDS access to remote forests
  • Maintain list of Supported Forests, Managed Accounts Containers and SID mappings
Pds – License – File Path to license file that unlocks the solution from freeware mode

Default: license.xml

Relative to PDS folder; so, by default, PDS looks for license.xml file in %ProgramFiles%\AdmPwd\PDS

Can be also:

  • an absolute path
  • UNC path
Pds – SupportedForests – Forest - DnsName List of forests managed by PDS. When missing, only local forest where PDS is installed is supported.

Default: Not present, which means that PDS manages only its own AD forest.

Forest can contain registration of connection credentials:

  • User: username
  • Password: password for user specified in username; encrypted by PDS encryption key
  • KeyId: ID of key that was used to encrypt the password

Note: When alternate creadentials not specified, PDS uses identity of own service account to authenticate access to remote forest.
Note: Local PDS forest is always supported and does not support alternate credentials.
PDS - FileSystemKeyStore – Path Path where keystore stores key pairs

Default: CryptoKeyStorage
Relative to PDS folder; so, by default, PDS looks for key pairs in %ProgramFiles%\AdmPwd\PDS\CryptoKeyStorage Can be also:

  • an absolute path
  • UNC path
PDS - FileSystemKeyStore – PathType Whether path is absolute or relative

Default: Relative

Possible values: Absolute, Relative
PDS - FileSystemKeyStore – CryptoForNewKeys Cryptography used to generate new encryption/decryption keys

Default: CNG

Possible values:

  • CNG
  • CryptoAPI

Note: Support for new keys generated by CryptoAPI is maintained for compatibility only, and ability to generate new keys using CryptoAPI will be removed in future versions. However, PDS will still be able to decrypt passwords encrypted with CryptoPAPI keys
PDS - FileSystemKeyStore – FavorOAEP Whether to try try OAEP padding first or PKCS padding first on decryption.

Note: This setting is for compatibility only and will be removed in future versions.

Default: true
PDS - FileSystemKeyStore – SupportedKeySizes – add – KeySize List of supported key sizes when creating new key pair PDS only allows to create key pair with one of the specified key sizes
PDS - ManagedAccounts - PasswordManagementInterval  How often PDS looks for expired passwords of Managed Domain Accounts in registered Managed Accounts Containers  

Default: 600 seconds
PDS - ManagedAccounts - Containers - Add - DistinguishedName DN of container when PDS looks for Managed Domain Accounts to manage password for

Default: Empty list

Use PowerShell to manage configuration of Managed Accounts Containers
PDS - ManagedAccounts - Containers - Add - PasswordAge Password age for Managed Domain Accounts in given container, in minutes.

Default: 43200 minutes (30 days)
PDS - ManagedAccounts - Containers - Add - KeyId ID of encryption key to use to encrypt the password of Managed Domain Account in given container

Default: 0, which means most recent key managed by keystore
PDS - ManagedAccounts - Containers - Add - PasswordComplexity Required complexity of password for Managed Domain Accounts in given container

Allowed values:
Large .. Large letters
LargeSmall .. Large and Small letters
LargeSmallNum .. Large and Small letters and Numbers
LargeSmallNumSpec .. Large and Small letters, Numbers and Special characters

Default: LargeSmallNumSpec
ManagedAccounts - containers - add - passwordLength Required length of password set by PDS on Managed Domain Accounts in given container

Default: 12

Sample of configuration file:

<?xml version="1.0" encoding="utf-8"?>
<PDS xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SupportedForests>
    <Forest DnsName="myRemoteForest.com" />
  </SupportedForests>
  <Dns>
    <Autodiscovery UnregisterOnShutdown="true" RegistrationInterval="86400" Priority="100" Weight="100" TTL="1200">
      <DomainsToPublish>
        <Domain DnsName="myRemoteForest.com" />
      </DomainsToPublish>
    </Autodiscovery>
  </Dns>
  <KeyStoreType Assembly="AdmPwd.PDS" TypeName="AdmPwd.PDS.KeyStore.FileSystemKeyStore" />
  <AccessControl HonorFullControlPermission="false" HonorAllExtendedRightsPermission="false" HonorLocalGroupsFromRemoteComputerDomain="false">
    <SidMappings>
    </SidMappings>
    <MandatoryGroups />
  </AccessControl>
  <PDSAdmin Role="Enterprise Admins" />
  <License File=".\license.xml" />
  <FileSystemKeyStore Path="CryptoKeyStorage" PathType="Relative" CryptoForNewKeys="CNG" FavorOAEP="true">
    <SupportedKeySizes>
      <add KeySize="2048" />
      <add KeySize="3072" />
      <add KeySize="4096" />
    </SupportedKeySizes>
  </FileSystemKeyStore>
  <ManagedAccounts PasswordManagementInterval="600">
    <Containers>
      <add DistinguishedName="OU=Managed Domain Accounts,DC=mydomain,DC=com" PasswordAge="43200" KeyId="1" PasswordComplexity="LargeSmallNumSpec" PasswordLength="13" PasswordHistory="true" PasswordHistoryLength="3" />
      <add DistinguishedName="OU=Managed Domain Accounts,DC=myRemoteDomain,DC=com" PasswordAge="43200" KeyId="1" PasswordComplexity="LargeSmallNum" PasswordLength="16" PasswordHistory="false" PasswordHistoryLength="0" />
    </Containers>
  </ManagedAccounts>
</PDS>