Password Reset is one of the important operations performed by the PMP. After resetting the password of resources/accounts in PMP, there might be requirements to carry out some follow-up action automatically. This could be done using the Password Reset Listeners.
For Example:
restarting the dependent services immediately after password reset
if there is a windows service that makes use of the account whose password is being changed in PMP. You can use the listener mechanism to change the 'stored credentials' (i.e the credentials specified in the 'Logon' property) of the windows service
if you have added the accounts of network devices as resources/accounts in PMP, you can first reset the passwords of such accounts locally and then invoke a custom script to connect to the device and carry out the change in the device too
reset the passwords of windows scheduled tasks and other associated processes
Whenever the password of an account is modified in the PMP repository, you can configure PMP to invoke a script or executable supplied by you. The script or the executable is called the Password Reset Listener. The listener will be invoked even for local password changes and for resources for which remote password reset is not supported. It can be configured for each resource type, including the user defined resource types. Thus, the password reset listener mechanism is very helpful for resource types for which PMP does not support remote password reset by default.
The password reset listener script will be invoked in a similar fashion as it will be from the command prompt of the operating system from which it is invoked
In case, the script needs another program to invoke it from the command prompt, it could be provided as the 'Pre-Command' for that script (for example 'cscript c:\scripts\changepassword.vbs old_password new_password)
PMP will pass these arguments, in this order, when the script is invoked: resource name, dns name, account name, old password, new password.
You can add additional arguments that will also be supplied at the time of invoking the script, in the order specified
The script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP. When an administrator adds a password reset listener, PMP does not invoke it unless it has been approved by another administrator. The same process if followed when the password reset listener details are edited by an administrator. These operations can be performed by any two administrators and are audited.
The password reset listener is invoked from a separate thread so that it does not impact the password reset process of PMP. The password reset listener script supplied will be stored in the same database as the other information, which provides security as well as backup, if it is configured for the PMP database.
|
Prerequisite
Before setting up the password, keep your custom script/executable ready. PMP has no control over the script other than invoking it and also does not process the result of the script. So, take care of all your requirements while creating the script. |
Go to "Admin" >> "Customize" >> and click "Password Reset Listener"
In the UI that opens, click the button "Add Listener"
As mentioned above, the password reset listener script will be invoked in a similar fashion as it will be from the command prompt of the operating system from which it is invoked. In case, the script needs another program to invoke it from the command prompt, it could be provided as the 'Pre-Command' for that script (for example 'cscript c:\scripts\changepassword.vbs old_password new_password)
Provide a name for the listener to be created. This would uniquely identify the listener
Browse and locate the listener script
By default, the parameters resource name, dns name, account name, old password, new password are passed as arguments to the script. In case, you require to pass additional arguments, specify them against the text field "Additional Parameters". The additional parameters supplied here will be passed to the script as they are
Specify the Resource
Types for which the changes are to be applied
As explained above, the listener script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP.
The listeners can be added only by PMP administrators. The listeners thus added have to be approved by some other administrator. So, the listener created will remain pending for approval. Select an administrator from the drop-down to send approval request. A mail will be sent to that administrator intimating the approval request.
If you are an administrator and requested by another admin to approve a listener, you need to navigate to "Admin" >> "Customize" >> and click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener will take effect.
Click "Save". The required listener has been created
The listener creation and approval events are all audited in PMP.
© 2007, ZOHO Corp. All Rights Reserved.