How to use XTAM to reset or rotate a Windows password without knowing the current password
There may be times when you want to bring a Windows account under management even though you do not currently know its password. Examples include Windows accounts that are used for Service Log Ons, Application Pools or Installation and Administrative accounts that were created long before you were an employee of your business. And of course, it can be used in that unfortunate situation where the password was lost or forgotten.
XTAM provides tasks that assist in managing and rotating passwords for Windows accounts in both scenarios: one where you have the full account credentials (task: Password Reset Remote Windows) and the other where you do not possess the account’s password (task: Password Set Remote Windows). To put it in simple terms, think of them like this:
- Password Reset Remote Windows will reset a Windows account password by a method that first specifies the current password and then issues a new password, much like a user would do during a Windows Change Password exercise.
- Password Set Remote Windows will reset a Windows account password by issuing a new password without first supplying the current one. This replicates the process that an Administrator would take to reset a password on behalf of another account and is precisely why it can only be done with an Administrator account.
If you find yourself in this situation and need to automate the rotation of an account without the password, then follow this procedure to configure your task in XTAM.
1. Create a new XTAM record using the Windows Host or any custom type you have that inherits from Windows Host.
2. Enter a Name, Description (optional), Host and Port for the Windows host where this account is a valid user.
3. In the User field, enter the account name.
4. Leave the Password field empty.
5. Click the Save and Return button.
6. Open the record’s Task menu by selecting Manage > Tasks.
7. Add the Task Password Set Remote Windows to this record by using one of these two procedures:
   - Add the Task directly to the record’s Record Type and allow inheritance to apply it to this record. This is the recommended approach.
   - Make this record’s Task unique by clicking the Make Unique button and adding the task directly to this record.
8. Once the task is applied, configure the task’s Policy to include the On Demand execution. In this example, we are going to manually execute the reset; however, you can configure any additional policies, including automated events, as you need.
9. Add a Shadow Account that contains a user that is a member of this Windows host’s local Administrator group.
10. Click the Save button.
11. Return to the record, activate the Execute dropdown and select our Password Set Remote Windows task.
12. On the next page, accept the current password or generate a new one, and then click the Schedule Job button to begin.
13. When the task executes, open the Job History tab and check the state. When the State is Complete, open the Details to ensure the operation completed successfully.
14. Return to the Record’s page and observe that the password field now contains a valid password which is being managed by XTAM.
15. Now that we have successfully set the password for this account, you may return to the Task and update the policy so that this process can be automated.
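To cross-check the Job History against the host's own audit trail, the following added example (not XTAM code) parses exported Windows Security events and lists administrator-style resets of managed accounts that were not performed by the Shadow Account. It assumes User Account Management auditing is enabled, that the export is wrapped in an `<Events>` root, and that the task's reset is logged as event 4724; the account names and sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security log IDs: 4723 = change (caller supplied the old password),
# 4724 = reset (an administrator set a new one without it).
KIND = {"4723": "change", "4724": "reset"}

def _event(eid, when, subject, target):
    """Build one constructed Security event in Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="TargetUserName">{target}</Data></EventData></Event>')

# Constructed sample export; account names are hypothetical.
SAMPLE = "<Events>" + "".join([
    _event(4724, "2024-05-01T09:00:00Z", "xtam_shadow", "svc_app"),
    _event(4723, "2024-05-01T09:05:00Z", "jdoe", "jdoe"),
    _event(4624, "2024-05-01T09:06:00Z", "jdoe", "jdoe"),
    _event(4724, "2024-05-02T23:40:00Z", "LocalAdmin2", "SVC_APP"),
]) + "</Events>"

def parse_password_events(xml_text):
    """Return change/reset events as dicts; other event IDs are skipped."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if eid not in KIND:
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        rows.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "kind": KIND[eid],
            "actor": data.get("SubjectUserName", ""),
            "target": data.get("TargetUserName", ""),
        })
    return rows

def unexpected_resets(rows, managed, shadow):
    """Resets of managed accounts performed by anyone but the shadow account."""
    managed = {m.lower() for m in managed}
    return [r for r in rows
            if r["kind"] == "reset" and r["target"].lower() in managed
            and r["actor"].lower() != shadow.lower()]

if __name__ == "__main__":
    for r in unexpected_resets(parse_password_events(SAMPLE), {"svc_app"}, "xtam_shadow"):
        print(f'{r["time"]} reset of {r["target"]} by {r["actor"]}')
```

Account names are compared case-insensitively because Windows logs them as typed by the caller.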
Bulk Task Execution
You can also execute this or any task against several records by selecting the checkbox for each record in its folder location and then choosing the Bulk Actions > Execute menu option. Next, check the box next to the task name and then click the Select button to execute this task against the chosen records.