Purpose
The Quickpass Agent on a Domain Controller was originally installed to run the Quickpass Service as Local System, and you want to change it to a Managed Service Account (MSA), because:
- The "Local System" account may not have sufficient privileges to read from and write to Active Directory.
- Running under a dedicated account gives increased visibility in the Security audit logs, so you can determine what actions are performed by the Quickpass Agent.
Details
This CW RMM script will only complete on machines that have Active Directory Domain Services running and on which the Quickpass Agent is installed and running as Local System (machines already running the Quickpass Agent service as an MSA are skipped).
Checks are performed at the beginning of the script to rule out and skip machines that do not meet these conditions.
For an overview of scripting basics in CW RMM, see the KB published at ConnectWise University - Script Functions.
Implementation
Currently CW RMM does not contain an export/import function for Tasks. The following will outline, step-by-step, how you can create this Task in your own environment.
1. Navigate to CW RMM
2. In the navigation pane, select Automation > Tasks
3. Click Add > Script Editor
4. Define Task Name, Description, and Category as desired, then click Script Editor
5. Click Add Row > Function > PowerShell Script > paste the following script in the body:
# Define the service name (NTDS only runs on Domain Controllers)
$serviceName = "NTDS"
# Check the service status
$serviceStatus = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
# Check if the service is running and assign "TRUE" or "FALSE" to $domaincontroller
if ($serviceStatus -and $serviceStatus.Status -eq "Running") {
    $domaincontroller = "TRUE"
} else {
    $domaincontroller = "FALSE"
}
# Output the value of $domaincontroller (the If/Then/Else in the next step tests this output)
Write-Host "Domain services running = $domaincontroller"
6. Click Add Logic > If/Then/Else, set as shown:
- Output > Contains > TRUE
7. In the IF statement, click Add Row > Function > Script Log > paste the following in the body:
"Domain controller detected."
8. In the Else statement, click Add Row > Function > Script Exit > paste the following in the body:
"Domain controller NOT detected, ending script."
9. Click Add Row > Function > PowerShell Script > paste the following script in the body:
# Specify the name of the service
$serviceName = "QuickpassServerAgent" # Replace with the name of your service
# Check the service's StartName (logon account); both spellings of the built-in account are matched
$startName = (Get-WmiObject -Class Win32_Service -Filter "Name = '$serviceName'").StartName
if ($startName -match "LocalSystem|NT AUTHORITY\\SYSTEM") {
    Write-Host "TRUE"
} else {
    Write-Host "FALSE"
}
10. Click Add Logic > If/Then > set as shown:
- Output > Does Not Contain > TRUE
11. Click Add Row > Function > Script Exit > paste the following in the body:
"Quickpass service NOT running as Local System, ending script."
12. Outside of the nested If/Then, click Add Row > Function > PowerShell script > paste the following in the body:
#Quickpass MSA Creation
#Updated 7.26.2022
# Optional parameter for a specific MSA name; it must be between 8 and 15 characters long.
# If no value is supplied, a default name is generated from "QPass", the current date/time and the server's short name.
param (
    [Parameter(HelpMessage="Enter a name between 8 and 15 characters")][ValidateLength(8,15)]
    [string]${msamanual}
)
#Get the FQDN of the Server
$dcn = [System.Net.Dns]::GetHostEntry([string]$env:computername).HostName
#Get the Short Server Name (must be set before the default MSA name is built)
$dcshort = hostname
$qpmsa = if (${msamanual}) { ${msamanual} }
Else {
    $DCalc = $(get-date -f yyMMddhmss)
    $qpass = "QPass"
    $qpmsacalc = $qpass + $DCalc + $dcshort
    # MSA names are limited to 15 characters; the truncated value is the result of this Else block
    $qpmsacalc.subString(0, [System.Math]::Min(15, $qpmsacalc.Length))
}
write-host "The MSA Account will be created with the value $qpmsa"
#MSA Account Description
$MSADes = "Manually Created Quickpass MSA Account for $dcshort"
#Extract the DomainRoot
$Root = [ADSI]"LDAP://RootDSE"
$Domain = $Root.Get("rootDomainNamingContext")
#Testing to see if the Managed Service Accounts Container Exists
$newou = "Managed Service Accounts" # Container name
Write-Host -ForegroundColor Green "Checking if the $newou container exists in $Domain"
$oucheck = [adsi]::Exists("LDAP://CN=$newou,$Domain")
if ($oucheck) {
    $text = "The Managed Service Accounts Container Exists in Active Directory"
    Write-Host -ForegroundColor red $text.ToUpper()
    $dmn = "CN=$newou,$Domain"
} else {
    $dmn = "CN=Users,$Domain"
}
#sAMAccountNames of computer accounts and MSAs end with "$"
$dcshortcon = $dcshort + "$"
$QPmsaAcct = $qpmsa + "$"
#Updating Registry
Set-Itemproperty -path 'HKLM:\SOFTWARE\Quickpass Software\Quickpass Server Agent' -Name 'MSAName' -Value $qpmsa
Set-Itemproperty -path 'HKLM:\SOFTWARE\Quickpass Software\Quickpass Server Agent' -Name 'UseCustomMSA' -Value 1
Set-Itemproperty -path 'HKLM:\SOFTWARE\Quickpass Software\Quickpass Server Agent' -Name 'UsingMSA' -Value 1
#Create the MSA Account
Import-Module ActiveDirectory
# A KDS root key is required for managed service accounts; create one only if the domain has none.
# The backdated EffectiveTime makes the key usable immediately instead of after the normal 10-hour wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((get-date).addHours(-10)) | Out-Null
}
New-ADServiceAccount -Name $qpmsa -Path $dmn -DNSHostName $dcn -Description $MSADes
# Only this Domain Controller's computer account may retrieve the managed password
Set-ADServiceAccount -Identity $qpmsa -PrincipalsAllowedToRetrieveManagedPassword $dcshortcon
#Add to Domain Admins
# Get the domain's SID
$domainSID = (Get-ADDomain).DomainSID
# Append the RID for Domain Admins (512) to get the full SID
$domainAdminsSID = "$domainSID-512"
# Add the account to the group
Add-ADGroupMember -Identity $domainAdminsSID -Members $QPmsaAcct
# Change service logon account (an MSA has no password to supply) - Stop and Restart Service
# The NetBIOS domain name is taken from AD rather than $env:USERDOMAIN, which is not reliable when running as Local System
$UserName = (Get-ADDomain).NetBIOSName + '\' + $QPmsaAcct
$Service = 'QuickpassServerAgent'
$svc_Obj = Get-WmiObject Win32_Service -filter "name='$Service'"
$StopStatus = $svc_Obj.StopService()
If ($StopStatus.ReturnValue -eq 0) {
    Write-host "The service '$Service' Stopped successfully" -f Green
} Else {
    Write-host "Failed to Stop the service '$Service'. Error code: $($StopStatus.ReturnValue)" -f Red
}
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
#                      StartName, StartPassword, LoadOrderGroup, LoadOrderGroupDependencies, ServiceDependencies)
# Only StartName is changed; the password is left null, which is what a managed service account requires
$ChangeStatus = $svc_Obj.change($null,$null,$null,$null,$null,
    $null, $UserName,$null,$null,$null,$null)
If ($ChangeStatus.ReturnValue -eq 0) {
    Write-host "Log on account updated successfully for the service '$Service'" -f Green
} Else {
    Write-host "Failed to update Log on account in the service '$Service'. Error code: $($ChangeStatus.ReturnValue)" -f Red
}
$StartStatus = $svc_Obj.StartService()
Start-Sleep -Seconds 10
If ($StartStatus.ReturnValue -eq 0) {
    Write-host "The service '$Service' Started successfully" -f Green
} Else {
    Write-host "Failed to Start the service '$Service'. Error code: $($StartStatus.ReturnValue)" -f Red
}
13. Click Add Row > Function > Script Log > paste the following in the body:
--- Powershell Script Output Start ---
%output%
--- Powershell Script Output End ---
14. Click Add Row > Function > PowerShell Script > paste the following in the body:
# Define the service name
$serviceName = "QuickpassServerAgent"
# Check the service status
$serviceStatus = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
# Check if the service is running and assign "TRUE" or "FALSE" to $serviceRunning
if ($serviceStatus -and $serviceStatus.Status -eq "Running") {
    $serviceRunning = "TRUE"
} else {
    $serviceRunning = "FALSE"
}
# Output the value of $serviceRunning (the If/Then in the next step tests this output)
Write-Host "Quickpass service running = $serviceRunning"
15. Click Add Logic > If/Then > set as shown:
- Output > Contains > FALSE
16. Click Add Row > Function > Script Exit > paste the following in the body:
%output%
ERROR | Failed to start Quickpass Server Agent service following an attempt to switch the service to run as a managed service account.
17. Outside of the If/Then, click Add Row > Function > Script Log > paste the following in the body:
%output%
SUCCESS | Quickpass Server Agent service is now running as a managed service account.
18. After completing all of the above steps, confirm the Script Editor window matches what is shown below:
19. After confirming, click Save
Deploy
1. Navigate to Endpoints > Devices > deploy the Task to the desired endpoints.
2. For reference, logs for a successful deploy will look as shown:
Additional Considerations
- If the Domain has a Policy that limits Domain Admin membership, add the new Managed Service Account to that Policy so that the account remains a member of the group.
- If the Domain has a Policy that limits which accounts may Log On as a Service, update that account list to include the new Managed Service Account:
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service.
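The following PowerShell is an added post-deployment check; it is not part of the original article or of the Quickpass agent. It confirms the outcome the Task is meant to produce: the registry values from step 12 are set, the MSA exists and this Domain Controller can retrieve its managed password, the service logon account is the MSA and the service is running, the MSA holds the "Log on as a service" right mentioned above, and the Security log now contains logon events (Event ID 4624) attributed to the account, which is the audit visibility described under Purpose. The service name and registry path are the ones used in the steps above; the MSA name is read from the MSAName registry value. The 24-hour lookback window and the use of secedit to export the effective user-rights assignment are assumptions.

```powershell
# Added verification example (not part of the original KB or the Quickpass agent).
# Assumes the service name and registry path used in the steps above; the MSA name is
# read from the MSAName registry value those steps write. Run elevated on the Domain Controller.
param(
    [string]$ServiceName   = 'QuickpassServerAgent',
    [string]$RegPath       = 'HKLM:\SOFTWARE\Quickpass Software\Quickpass Server Agent',
    [int]   $LookbackHours = 24   # assumed window for the Security-log query
)

Import-Module ActiveDirectory

$results = [ordered]@{}

# 1. Registry values written by the conversion script
$reg = Get-ItemProperty -Path $RegPath -ErrorAction Stop
$msaName = $reg.MSAName
$results['RegistryMSAName']  = $msaName
$results['RegistryFlagsSet'] = ($reg.UseCustomMSA -eq 1 -and $reg.UsingMSA -eq 1)

# 2. The MSA exists in AD and this host is allowed to retrieve its managed password
$msa = Get-ADServiceAccount -Filter "Name -eq '$msaName'"
$results['MSAExistsInAD'] = [bool]$msa
if (-not $msa) {
    [pscustomobject]$results | Format-List
    return
}
$results['HostCanUseMSA'] = Test-ADServiceAccount -Identity $msaName

# 3. The service logon account is the MSA (sAMAccountName ends with "$") and the service is up
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$ServiceName'"
$results['ServiceStartName'] = $svc.StartName
$results['ServiceUsesMSA']   = ($svc.StartName -like "*\$msaName`$")
$results['ServiceRunning']   = ($svc.State -eq 'Running')

# 4. The MSA holds "Log on as a service" (SeServiceLogonRight) in the effective local policy.
#    secedit lists SIDs prefixed with "*"; the export is UTF-16 with a BOM, which Get-Content detects.
$cfg = Join-Path $env:TEMP 'user-rights-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
$results['HasServiceLogonRight'] = [bool]($rightLine -and ($rightLine -match [regex]::Escape("*$($msa.SID.Value)")))
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# 5. Audit visibility: successful logons (Event ID 4624) whose TargetUserName is the MSA.
#    Property index 5 of a 4624 event is TargetUserName.
$since  = (Get-Date).AddHours(-$LookbackHours)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq "$msaName`$" }
$results['MSALogonEvents'] = @($logons).Count

[pscustomobject]$results | Format-List
```

Every check is reported as its own field rather than a single pass/fail so that a partial conversion (for example, registry set but the service still running as Local System, or the service converted but the logon right missing) is visible at a glance. A count of zero 4624 events for the account after the service has restarted is worth investigating, since a running service that never logs on with the MSA is not the state the Task is meant to produce.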