This task will:
- Audit services from Windows servers found in Active Directory
- Find which services use a domain account
- Audit each domain service account from Active Directory
- Report on passwords that are old, expired, or approaching expiry
Running this Playbook
- Click download playbook
- Import the downloaded file via the Playbooks page on PPA
- Build the playbook from the Edit & Build tab
- Run the playbook from the Preview & Deploy tab
- PPA User Interface
- HashiCorp Vault Key-Value engine
- Windows Server Domain & Services
- Active Directory Domain, Computers & Users
Domain Maximum Password Age
This task uses the maximum password age configured in Active Directory to calculate password expiries.
If there is no maximum password age configured, a minimal report will be generated instead.
Required Vault Details
- IP/DNS address of a Domain Controller
- Domain FQDN
The Active Directory credentials need permission to audit services on domain servers & users in Active Directory.
Vault Configuration Wizard
The first time you run a task built from this playbook, PPA will check the required Vault details exist.
If they don't exist, PPA will ask you to supply the details at the start of the task.
Below you can see a user providing details the first time they run an Active Directory task.
Once the details are added to Vault, the task won't ask for them again.
If you don't know the required details, ask an administrator to run the task or configure Vault manually.
What the Task Does
Once started, this task will:
- Find all servers in Active Directory
- Allow the Task Operator to select one or more servers
- Audit services that use a domain account from each server
- Check the password health of each service account in Active Directory
- Present a summary of password health & ask the task operator which accounts to display
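The audit steps listed above, written out in PowerShell as an added example (not the playbook's own code). The server names and the 14-day and 365-day thresholds are assumptions, since the page does not define them, and the ActiveDirectory module must be installed where it runs.

```powershell
# Added example, not the playbook's code. Host names and thresholds are assumed.
Import-Module ActiveDirectory

$Servers  = 'srv01.example.test', 'srv02.example.test'  # placeholder hosts
$WarnDays = 14    # assumed "approaching expiry" window
$OldDays  = 365   # assumed "old" threshold
$Now      = Get-Date

# Domain maximum password age; a zero TimeSpan means none is configured.
$MaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# Collect services whose logon account is not built-in or '.\local'.
# -UseSSL uses the HTTPS listener; the server certificate is validated.
$Services = Invoke-Command -ComputerName $Servers -UseSSL -ScriptBlock {
    $builtin = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\)'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Select-Object Name, StartName
}

$Report = $Services | Group-Object StartName | ForEach-Object {
    # 'DOMAIN\svc' or 'svc@domain' -> 'svc' (assumes UPN prefix = sAMAccountName)
    $sam  = ($_.Name -replace '^.*\\', '') -replace '@.*$', ''
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
                -Properties PasswordLastSet, PasswordNeverExpires
    if (-not $user) { return }  # no matching domain user, e.g. a machine-local account

    $age     = if ($user.PasswordLastSet) { (New-TimeSpan -Start $user.PasswordLastSet).Days }
    $expires = $null
    if ($user.PasswordLastSet -and $MaxAge.Ticks -gt 0 -and -not $user.PasswordNeverExpires) {
        $expires = $user.PasswordLastSet + $MaxAge
    }
    # With no maximum age, $expires stays empty and only the age is reported.
    $status = if (-not $user.PasswordLastSet) { 'NotSet' }
        elseif ($expires -and $expires -lt $Now) { 'Expired' }
        elseif ($expires -and $expires -lt $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
        elseif ($age -gt $OldDays) { 'Old' }
        else { 'OK' }

    [pscustomobject]@{
        Account  = $user.SamAccountName
        Servers  = ($_.Group.PSComputerName | Sort-Object -Unique) -join ', '
        Services = $_.Count
        LastSet  = $user.PasswordLastSet
        AgeDays  = $age
        Expires  = $expires
        Status   = $status
    }
}
$Report | Sort-Object Status, Account | Format-Table -AutoSize
```

Accounts covered by a fine-grained password policy have their own maximum age; this example applies only the domain default, as the page describes.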
PowerShell Remoting (WinRM)
This task uses PowerShell Remoting over WinRM to connect to Windows Servers & audit services.
See this Microsoft article for more information on how to securely enable WinRM.
By default this playbook will:
- Use SSL when connecting to the Windows server
- Validate the Windows server certificate
You can change these settings on lines 10 & 11 of the playbook:
    use_ssl: true
    validate_cert: true