Handling Local Account Password Changes Using a Domain Account with WinRM Password Changer

The following guide describes the basic configuration of Fudo Enterprise required to enable local account password changes on domain-joined workstations using a domain account.

To ensure proper operation of the password changer in Fudo Enterprise, the following configurations must be added:

• Hostname and DNS server configuration.

• KDC server configuration.

• Configuration of the server where the local account is located.

• Configuration of a privileged account used to perform the password change.

• Configuration of the local or domain account for which the password will be changed.

Note

• Fudo Enterprise must be configured with the same time zone as the domain.

• A privileged domain account can be used to change passwords for both local and domain accounts. This should be considered when configuring privileged users responsible for password changes and those whose passwords will be changed.

Hostname and DNS Server Configuration

Set the hostname by following these steps:

3. Go to Settings > Network Configuration.

4. Navigate to the Name and DNS tab.

1. In the Hostname field, enter the hostname along with the domain in the following format: hostname.yourdomain.local (e.g., winrm.ad.dwt).

2. Configure the DNS server:

   • Click Add Server to define a new DNS server.

   • Enter the IP address of the DNS server (e.g., 10.0.180.101).

   • Click Save.

Adding a KDC Server

Add the KDC server configuration by following these steps:

1. Select Settings > Authentication > Global tab.

2. In the Kerberos section, ensure the Use Kerberos authentication option is enabled.

3. Click Add Server.

4. In the Domain and Address fields, enter the domain and IP address of the server responsible for authentication and key distribution in the Kerberos protocol (e.g., AD.DWT and 10.0.130.100).

Server Configuration

Create a configuration for the server where the local account is located:

1. Select Session Management > Servers from the left menu and click + Add Server

2. Enter a unique name for the created object (e.g., RDP_Server).

3. Navigate to the Settings section.

4. In the Protocol field, select RDP.

5. Define the destination server:

• Select Host.

• In the Address field, enter the hostname along with the domain (e.g., w11pc01.ad.dwt).

• Enter the Port number.

6. In the Server Verification section, select Server Certificate and click Download Certificate.

1. Click Save and Exit.

Note

In this scenario, the hostname along with the domain must be provided. This name will be used in the transport_host variable of the password changer. Defining the server by IPv4/IPv6 address is not supported.

Adding a Password Change Policy

Create a password policy:

1. Select Management > Password changers.

2. Go to the Password Policies tab and click Add password policy.

3. Enter a unique name for the policy being created (e.g., winrm).

4. Select the Password change enabled option and define the interval between each password change.

5. Define password complexity.

Note

• Password verification in the scenario of changing a domain account password using another domain account is not supported in the current version of Fudo Enterprise.

• Password verification works in the scenario of changing a password for an account outside the domain.

Administrator Account

Add an account that will be used when changing passwords for local accounts. The following example is based on a regular domain account with privileges to change passwords.

1. Select Management > Accounts, then click Add account.

2. Enter a unique name for the object being created (e.g., WINRM_Admin).

3. In the Settings tab, in the Type field, click the REGULAR button.

4. In the Target section, select the Server button, then from the list choose the previously created RDP server where the local account is located (RDP_Server).

5. In the Credentials section:

   • Enter the domain name (e.g., AD.DWT).

   • Enter the Login of the account that will be used to change local account passwords (e.g., Admin).

   • In the Override secret section, click the button corresponding to one of the desired authentication options (e.g., Password) and in the Secret field enter the password for the mentioned account.

   • Click Save to close the dialog.

6. Click Save and exit.

Account for Which the Password Will Be Changed

Add a local user account for which the password will be changed. The following example is based on a regular local user account.

1. Select Management > Accounts, then click Add account.

2. Enter a unique name for the object being created (e.g., WINRM_User1).

3. In the Settings tab, in the Type field, click the REGULAR button.

4. In the Target section, select the Server button, then from the list choose the previously created RDP server where the local account is located (RDP_Server).

5. In the Credentials section:

   • Enter the domain name (e.g., AD.DWT) – if this is a domain account.

   • Enter the Login of the local account (e.g., User1).

   • In the Override secret section, click the button corresponding to one of the desired authentication options (e.g., Password) and in the Secret field enter the password for the local account.

   • Click Save to close the dialog.

Note

Providing the domain in this case is optional and depends on whether the account is in the domain or outside of it.

6. Go to the PASSWORD CHANGERS tab.

7. In the General section, in the Password changer policy field, select the previously created policy (winrm).

8. In the Password changer section, from the Add changer drop-down list, select WinRM changer.

9. For the changer to work correctly, the following fields must be configured:

   • transport_domain – used when authenticating with the account used to change local or domain account passwords. By default, it is set to predefined, which means the domain name entered for the currently configured account is used. Other available options are:

     • constant – allows entering a fixed value for the domain name.

     • account – allows selecting an account from which the domain name value will be taken.

   • transport_login – field specifying the login of the privileged account that will be used to change the password. In the Type column select account, then in the Value column select the account that will be used when changing passwords for local accounts. In this scenario, this will be the WINRM_Admin account.

   • transport_port – port 5986 used to log in to the server where the password will be changed (required port: 5986).

   • transport_secret – field specifying the secret of the privileged account that will be used to change the password. In the Type column select account, then in the Value column select the account that will be used when changing passwords for local accounts. In this scenario, this will be the WINRM_Admin account.

   • account_domain – this field must be filled in if you want to configure a password changer for a domain account. If the account for which you want to change the password is a local account, this field can be left empty. By default, this field is set to predefined, which means the domain name entered for the currently configured account is used.

10. Click Save to close the dialog.

11. Click Save and exit.

Related Topics:

• Creating a Regular Account

• Authentication