Managing Local Windows Users and Groups
You can manage your local Windows users and groups, if desired. This way, you can centrally manage the accounts.
Overall, to manage local users and groups on Windows systems, you'll need to:
- Install the Agent for Windows on each Windows system where you want to manage local accounts.
- Enable local account management on those Windows systems in the Privilege Elevation settings for the agent. For details, see Enabling Windows local account management.
- In Access Manager, add, edit, or remove local users and groups. For details, see Adding local Windows accounts and Removing local Windows accounts.
- Manage the passwords for local Windows accounts. For details, see Creating and managing local Windows user passwords.
- Use group policies to manage local Windows accounts.
Adding Local Windows Accounts
Before you enable local account management on your Windows computers, add the local users and groups in Access Manager.
{b}Note: {/b}If you first enable local account management with the enforce option and the system has existing local accounts that are not defined in a zone, the service will remove those local users during the next synchronization. Built-in local Windows accounts are not removed.
To add a local Windows user:
- In Access Manager, navigate to either a zone or a Windows computer and go to Windows Data.
- Right-click Local Users and select Add User to Zone or Add User, depending on where you're adding the user.
- Enter the user name and click OK.
- Specify the attributes for the local Windows user:
  - Full name: The first and last name of the new local Windows user.
  - Description: A description of the user.
  - State: Specify one of the following:
    - Enable: Set the state to Enable for a local Windows account that is in use.
    - Disable: Set the state to Disable for a local Windows account that is not in use.
    - Remove: If you've chosen not to enforce local account management, mark the user as Remove and the service will remove the user at the next synchronization interval.
    {b}Note: {/b}The service will not remove any built-in local Windows accounts, even if you mark them as Remove in Access Manager.
  - Password options: If desired, select any of the following:
    - User must change password at next logon: The service will force the local Windows user to change the account password the next time that the user logs in to the computer. Note that this option applies only to new accounts.
    - User cannot change password: The user won't be able to change the password.
    - Password never expires: The user's password will never expire.
- Click OK to save your changes.
The new user will be available on the affected systems after the next local account synchronization.
To add a local Windows group:
- In Access Manager, navigate to either a zone or a Windows computer and go to Windows Data.
- Right-click Local Groups and select Add Group to Zone or Add Group, depending on where you're adding the group.
- Enter the group name and click OK.
- Specify the attributes for the local Windows group:
  - Description: Enter a description of your choice.
  - Members: Click Add to launch the Add Members dialog. In a comma-separated list, type the names of the users who will be in the group.
    Note that Access Manager does not check the validity of the user names that you provide. You should ensure that all of the names that you provide are local Windows user names that currently exist.
  - State: Specify either Enable or Remove.
    - Enable: Set the state to Enable for a local Windows group that is in use.
    - Remove: If you've chosen not to enforce local account management, mark the group as Remove and the service will remove the group at the next synchronization interval.
- Click OK to save your changes.
The new group will be available on the affected systems after the next local account synchronization.
Enabling Windows Local Account Management
You can have IBM Security manage your local Windows user and group accounts; to do so, you need to enable and configure a few settings. Install the agent and enable local account management on each Windows system where you want to manage local accounts.
Be aware that if you enable local account management, the service does not delete any built-in Windows users or groups, even if you mark one of those accounts for remove.
{b}Note: {/b}Windows local account management is not supported on domain controllers.
To configure local account management for Windows:
- From the Privilege Elevation Service Settings dialog box, on the Local Account Management tab, click Configure.
  The Local Account Management Configuration dialog box opens.
- Select the Enable local account management option.
- Select Yes to enforce local account management or No to not enforce local account management.
  Enforcing local account management means that after you remove a local Windows user or group from Access Manager, the service will remove the local user or group from the computer after the next synchronization.
  If you choose not to enforce local account management, you remove a user by marking it as Remove rather than by explicitly deleting the account from Access Manager.
- Specify a script that will run when the service synchronizes local account information between Access Manager and the affected computers. The script can set the passwords for the local accounts and also display a list of enabled, disabled, or removed users.
  For details, see Creating and managing local Windows user passwords.
  There is a sample script provided that you can use as a starting point:
  C:\Program Files\Centrify\Agent for Windows\SampleNotification.ps1
  The script will run after each synchronization of local accounts when any of the following have occurred:
  - New local users are added
  - Local users are enabled
  - Local users are disabled
  - Local users are removed
- Specify a synchronization interval.
  This interval controls how often the service synchronizes local account information between Access Manager and the affected computers. The default is 60 minutes.
- Click OK to save your changes and close the dialog box.
Creating and Managing Local Windows User Passwords
After you create local Windows users, you still need to assign a password to each user. Instead of manually setting the passwords in Local Users and Groups, you'll set up the initial passwords for your local user accounts by way of a PowerShell script.
There is a sample script provided that you can use as a starting point:
C:\Program Files\Centrify\Agent for Windows\SampleNotification.ps1
In general, the script should both set passwords and notify you of changes in local accounts. The script will run after each synchronization of local accounts when any of the following have occurred:
- New local users are added
- Local users are enabled
- Local users are disabled
- Local users are removed
Typically, the script should perform the following user account tasks:
- Assign a random password to newly provisioned local users.
- Provide the user account information, including the generated passwords, to your password management solution.
After you have the script set up, you can use group policy to automatically run it.
How you set up the passwords and the script depends on whether you're using a password management system. Below are the ways you can set up local user passwords.
Use Privileged Access Service to manage local Windows account passwords:
- Register for Privileged Access Service.
- Download the Client for Windows software package.
- On each Windows computer where you will assign passwords to local users, run the cenroll command to register the computer as a managed resource.
- Create a PowerShell notification script that runs on each of these Windows computers, gives each user a random password, and sends the password to Privileged Access Service.
  In the script, you can run the cset account command to send the password to Privileged Access Service.
- Using one of the following two methods, configure the notification script to run after the agent synchronizes local account information:
  - In the local account management settings for the agent
    (Agent settings > Local Account Management tab > Configure > Local Account Management Configuration dialog box)
  - In the group policy
    (Settings > Windows Settings > Local Account Management > Notification Command Line)
Use a third-party system to manage local Windows account passwords:
- Create a PowerShell script that runs on each of these Windows computers and gives each user a random password.
- Include a section in the script that submits the passwords to the password management product for storage and maintenance.
- Using one of the following two methods, configure the notification script to run after the agent synchronizes local account information:
  - In the local account management settings for the agent
    (Agent settings > Local Account Management tab > Configure > Local Account Management Configuration dialog box)
  - In the group policy
    (Settings > Windows Settings > Local Account Management > Notification Command Line)
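As an added example (not the product's SampleNotification.ps1 and not code from this documentation), here is one shape a notification script covering the tasks above could take for the "new local users added" case: it draws a random password per user from a CSPRNG, hands it to the vault first, and only then sets it on the account, so a password is never set locally without a vault record. It assumes the added user names arrive as a comma-separated -AddedUsers argument and that Submit-ToVault is a placeholder you replace with your own hand-off (for example the cset account command from the steps above); both are assumptions, not documented interfaces.

```powershell
# Assumption: the agent is configured to pass the newly added user names as
# a comma-separated -AddedUsers argument (how the real sample script receives
# them is not described on this page).
param(
    [string]$AddedUsers = ""
)

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet (0/O and 1/l/I left out to avoid ambiguity).
    # 256 mod 64 == 0, so "byte mod 64" is uniform; no rejection sampling needed.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+-=?@$'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)   # CSPRNG, not Get-Random
    $rng.Dispose()
    $chars = foreach ($b in $bytes) { $alphabet[$b % 64] }
    return -join $chars
}

function Submit-ToVault {
    param([string]$UserName, [string]$Password)
    # Placeholder (assumption): replace with your vault hand-off, e.g. the
    # cset account command or your third-party product's API. It returns
    # $false until implemented, so no local password is changed before a
    # vault record exists. Never write the password to a log or the console.
    Write-Warning "Submit-ToVault is not implemented; skipping '$UserName'"
    return $false
}

$names = $AddedUsers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($name in $names) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Local user '$name' not found; skipping"; continue }

    $plain = New-RandomPassword
    # Vault first: a failed hand-off leaves the account's password unchanged
    # instead of leaving a credential that nobody has on record.
    if (-not (Submit-ToVault -UserName $name -Password $plain)) {
        Write-Error "Vault hand-off failed for '$name'; password left unchanged"
        continue
    }
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-LocalUser -Name $name -Password $secure
    Write-Output "Password rotated and vaulted for local user '$name'"
}
```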
Removing Local Windows Accounts
If you have enabled local account management on a Windows system, there are two different ways to remove users. Your approach depends on whether you've configured the service to enforce local account management.
Be aware that if you enable local account management, the service does not delete any built-in Windows users or groups, even if you mark one of those accounts for remove.
To remove a local Windows user or group if local account management is enforced:
- In Access Manager, right-click the user or group and select Delete.
  The account is removed from Access Manager immediately. When the service next synchronizes local account information, the service removes the user or group from the affected Windows systems too.
To remove a local Windows user or group if local account management is not enforced:
- In Access Manager, right-click the desired user or group and select Change Profile State, then select Remove.
  The account is marked as "Remove" and remains visible in Access Manager. When the service next synchronizes local account information, the service removes the user or group from the affected Windows systems too.