• State Suggested Answer
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 63 subscribers
  • Views 3122 views
  • Users 0 members are here
Options
Related

In Active Roles track who views LAPS password

whitet10
over 3 years ago

In Active Roles is there a way to track who can view the LAPS password attribute? We were looking way to audit who views the attribute ms-Mcs-AdmPwd. 

  • 0 over 3 years ago

    Hello, whitet10.

    There is no "out-of-the-box" feature to track this yet, but it is certainly within the realm of accessible configuration. Attached is a video demonstrating one possible means by which to implement this kind of solution. Hope you find it helpful!

    Cheers,
    Shawn.

  • 0 over 3 years ago in reply to Shawn.Ferrier

    What "Command Type" is that? I am trying to recreate what you did.

  • 0 over 3 years ago in reply to whitet10

    Looks like editing object properties.  Basically, you need something to trigger a workflow / policy script to pull the LAPS password value as Shawn did.  Within that set of actions, you can also audit who made the request.

  • 0 over 3 years ago in reply to Shawn.Ferrier

    This is an interesting solution, but I see some drawbacks. The primary issue is that it is client-specific. This solution will only work in the Active Roles Web Interface.

    So, to break it down: currently. Active Roles does not log anything when an Initiator views any attribute. Active Roles only logs modifications. So, we should therefore turn a view into a modification, and then audit this abstraction.

    Create a unstored custom Virtual Attribute and a Change Workflow triggered by a view of the LAPS Password attribute. Add in a "Modify Requested Changes" activity and then write some value to the unstored custom Virtual Attribute. If you make the attribute a Directory String syntax, you could even write the samAccountName of the Initiator to that Virtual Attribute value. It doesn't matter that it's unstored: the value written will still be saved in the Active Roles Change History.

    This would be a client-agnostic solution, and wouldn't interfere with any existing Active Roles functionality.

  • 0 over 3 years ago in reply to Terrance.Crombie

    Strike this, a Change Workflow can only monitor changes. It would have to be done in a custom Policy Script.

    I'll see if I can work something out in my lab.

  • 0 over 3 years ago in reply to whitet10

    The "command" is a standard "show form" command to display a form of my own creation.

  • 0 over 3 years ago in reply to Terrance.Crombie

    The solution, as implemented, relies on a combination of both onGetEffectivePolicy to control the UI (which is, as you deduce, Web client-specific) and onPostGet (not Web-specific). The audit logging happens during onPostGet, so would be logged on any request to your edsvaYourLAPSVirtualAttributeName attribute via any client.