Handling Local Account Password Changes Using a Domain Account with WinRM Password Changer

The following guide describes the basic configuration of Fudo Enterprise required to enable local account password changes on domain-joined workstations using a domain account.


To ensure proper operation of the password changer in Fudo Enterprise, the following configurations must be added:
  • Hostname and DNS server configuration.
  • KDC server configuration.
  • Configuration of the server where the local account is located.
  • Configuration of a privileged account used to perform the password change.
  • Configuration of the local or domain account for which the password will be changed.

Note

  • Fudo Enterprise must be configured with the same time zone as the domain.
  • A privileged domain account can be used to change passwords for both local and domain accounts. This should be considered when configuring privileged users responsible for password changes and those whose passwords will be changed.

Hostname and DNS Server Configuration

Set the hostname by following these steps:

  1. Go to Settings > Network Configuration.
  2. Navigate to the Name and DNS tab.
  3. In the Hostname field, enter the hostname along with the domain in the following format: hostname.yourdomain.local (e.g., winrm.ad.dwt).

  4. Configure the DNS server:

    • Click Add Server to define a new DNS server.
    • Enter the IP address of the DNS server (e.g., 10.0.180.101).
    • Click Save.

Adding a KDC Server

Add the KDC server configuration by following these steps:

  1. Select Settings > Authentication > Global tab.
  2. In the Kerberos section, ensure the Use Kerberos authentication option is enabled.
  3. Click Add Server.
  4. In the Domain and Address fields, enter the domain and IP address of the server responsible for authentication and key distribution in the Kerberos protocol (e.g., AD.DWT and 10.0.130.100).

Server Configuration

Create a configuration for the server where the local account is located:

  1. Select Management > Servers from the left menu and click + Add Server.
  2. Enter a unique name for the created object (e.g., RDP_Server).
  3. Navigate to the Settings section.
  4. In the Protocol field, select RDP.
  5. Define the destination server:
    • Select Host.
    • In the Address field, enter the hostname along with the domain (e.g., w11pc01.ad.dwt).
    • Enter the Port number.
  6. In the Server Verification section, select Server Certificate and click Download Certificate.
  7. Click Save and Exit.

Note

In this scenario, the hostname along with the domain must be provided. This name will be used in the transport_host variable of the password changer. Defining the server by IPv4/IPv6 address is not supported.
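The address rule in the note above can be checked before a value is entered in the Address field. The following is an added example, not part of Fudo Enterprise or its documentation: check_server_address is a hypothetical helper, and the comparison against the Kerberos domain is an assumption drawn from the example values in this guide (w11pc01.ad.dwt and AD.DWT).

```python
import ipaddress
import re

# One DNS label: ASCII letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_server_address(address, realm):
    """Return a list of problems with a server Address value (empty list = OK)."""
    host = address.strip().rstrip(".")
    try:
        # Brackets are stripped so that "[fe80::1]" is also recognised.
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    else:
        return ["IP address given; a hostname with domain is required"]

    problems = []
    labels = host.split(".")
    bad = [label for label in labels if not _LABEL.fullmatch(label)]
    if bad:
        problems.append(f"invalid DNS label(s): {bad}")
    if len(labels) < 2:
        problems.append("no domain part; expected hostname.domain")
    elif not host.lower().endswith("." + realm.lower()):
        # Assumption (not stated in the guide): the server's DNS domain
        # is the lower-cased Kerberos domain configured for the KDC.
        problems.append(f"domain does not match Kerberos domain {realm}")
    return problems


if __name__ == "__main__":
    # First two values come from the guide; the rest are constructed samples.
    for candidate in ("w11pc01.ad.dwt", "10.0.180.101", "[fe80::1]",
                      "w11pc01", "w11pc01.corp.example"):
        print(candidate, "->", check_server_address(candidate, "AD.DWT") or "OK")
```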
