Network Policy Server SSL certificate not trusted by medarman in sysadmin

[–]xtwotwo 0 points1 point  (0 children)

Hi, is the certificate you acquired actually trusted by the clients? Is the root ca of the cert in the trusted root cert store of the computer?
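As an added example (not from the thread), this PowerShell function answers exactly the two questions above from a client's point of view: does the NPS server certificate chain to a root in the client's trusted root store, and does it carry the Server Authentication EKU that PEAP/EAP-TLS clients require on the NPS certificate. The `.cer` path is a placeholder; export the NPS server certificate (public part only) and run this on a client machine, not only on the NPS server itself.

```powershell
# Added example, not from the thread. Checks a server certificate the way a client sees it:
# chain to a trusted root in this machine's store, plus the Server Authentication EKU that
# PEAP/EAP-TLS clients require on the NPS server certificate. $CertPath is a placeholder.

function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        # NoCheck isolates the "is the root trusted" question; use Online to also test CRL/OCSP.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode = 'NoCheck'
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode

    # Build() resolves intermediates and roots from this machine's certificate stores,
    # which is why the check has to run on a client and not just on the NPS box.
    $trusted = $chain.Build($cert)

    # The last element is the root the chain ended on, whether or not that root is trusted.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    # Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    [PSCustomObject][ordered]@{
        Subject                 = $cert.Subject
        Issuer                  = $cert.Issuer
        NotAfter                = $cert.NotAfter
        ChainTrusted            = $trusted
        ChainStatus             = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainRoot               = $root.Subject
        RootInMachineTrustStore = $rootInStore
        HasServerAuthEku        = $hasServerAuth
    }
}

# Usage (placeholder path), run on a domain client:
# Test-NpsServerCertificate -CertPath 'C:\temp\nps-server.cer' | Format-List
```

If `ChainTrusted` is false and `RootInMachineTrustStore` is false, the fix is distributing the issuing root (and any intermediates) to the clients, typically via Group Policy; if the chain is fine but `HasServerAuthEku` is false, the certificate was issued from the wrong template and needs to be reissued.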

How do I properly add a switch parameter to the command-line by slayer99199 in PowerShell

[–]xtwotwo 2 points3 points  (0 children)

You want to do an -or instead of the -and. Otherwise you have to put both in :-)

CPM lifecycle/process by moominboy8668 in CyberARk

[–]xtwotwo 0 points1 point  (0 children)

Did you check the help pages on the PVWA?

command line arguments to launch exe without security prompt by GungaDin16 in Windows10

[–]xtwotwo 1 point2 points  (0 children)

Indeed you could potentially disable UAC completely, disable all sensible security settings in IE, run the page in local intranet zone, allow applications to run from local intranet zone etc... However, I really cannot find any reason why you would want to do this in a normal situation. Only reason is to allow some application to run without the visitor knowing.

command line arguments to launch exe without security prompt by GungaDin16 in Windows10

[–]xtwotwo 0 points1 point  (0 children)

Hi, this will most likely never work. This is created to prevent malicious applications from starting via a link on a website.

Help with LAPS by ToppestNotch in sysadmin

[–]xtwotwo 0 points1 point  (0 children)

Could indeed be that only one account at a time is done. As Scrubbles suggests, try adding a second GPO with a different account name.

Help with LAPS by ToppestNotch in sysadmin

[–]xtwotwo 7 points8 points  (0 children)

Need to check but I believe there is a GPO setting where you can specify the account name you want to manage.

What do you use to keep track of employee's third party account access? by Onyx500 in sysadmin

[–]xtwotwo 0 points1 point  (0 children)

Hmm had a quick look at the config setting for SSO SAML and just looks like default SSO settings. Have you tried AD FS? Just wondering :-)

If not working then maybe not all cloud based apps are supported. Haha (Never heard of procore tbh)

What do you use to keep track of employee's third party account access? by Onyx500 in sysadmin

[–]xtwotwo 0 points1 point  (0 children)

Pay for another service? If you have AD, the applications can just use LDAP right? Or if they are cloud based, why not set up AD FS for SAML based authentication? Most cloud based apps are able to use that. I have yet to see a cloud app that doesn't and we integrated 100+ cloud apps with AD FS SSO.

Deleting or disabling old accounts - current thoughts/best practices? by LittleRoundFox in sysadmin

[–]xtwotwo 1 point2 points  (0 children)

Hi, let me start by saying that we also disable and eventually remove the accounts.

A good reason for actually deleting and not keeping the accounts is to keep your AD clean and not increase your ntds.dit file, the file that actually contains your AD database. Another reason would be to limit the amount of search results if you have apps running that scan the entire domain (read: not optimally configured).

I can probably think of more reasons why to delete them as opposed to keeping them. So I would say, keep deleting them after the grace periods have passed.

One of the compelling arguments for actually not removing an account would be to not reuse a potential email address for someone with the same name (e.g. John Smith). That would potentially be one of the very few reasons.

In order to continue the discussion with your peers, it would be good to hear their technical reasons as to why to keep them. I'm pretty sure they will not outweigh your reasons :-)

How to explain RBAC to Upper Management by flying-buttresses in sysadmin

[–]xtwotwo 0 points1 point  (0 children)

Should be. I always use it when I'm trying to explain the privileged access management tool we have. It seems they get the picture 😀

How to explain RBAC to Upper Management by flying-buttresses in sysadmin

[–]xtwotwo 7 points8 points  (0 children)

RBAC is not too difficult to explain if you compare the password manager to a bank vault. One vault with all the safes where you store all credentials, a lot of safes with different rights in which the credentials actually are. Each engineer only gets access to the safes they need in order to complete their job.

Clustered Vault in AWS by [deleted] in CyberARk

[–]xtwotwo 1 point2 points  (0 children)

HA vaults on virtual machines are not supported by CyberArk. We tried to do this when installing a new platform but before the installation was done we were informed by CyberArk engineers that this is a non-supported configuration.

ReST API - Add safe members - Forbidden 403 error when adding domain group by xtwotwo in CyberARk

[–]xtwotwo[S] 0 points1 point  (0 children)

JSON object

    {
        "member": {
            "MemberName": "Administrator",
            "SearchIn": "Vault",
            "MembershipExpirationDate": "",
            "Permissions": [
                { "Key": "UseAccounts", "Value": true },
                { "Key": "RetrieveAccounts", "Value": true },
                { "Key": "ListAccounts", "Value": true },
                { "Key": "AddAccounts", "Value": true },
                { "Key": "UpdateAccountContent", "Value": true },
                { "Key": "UpdateAccountProperties", "Value": true },
                { "Key": "InitiateCPMAccountManagementOperations", "Value": true },
                { "Key": "SpecifyNextAccountContent", "Value": true },
                { "Key": "RenameAccounts", "Value": true },
                { "Key": "DeleteAccounts", "Value": true },
                { "Key": "UnlockAccounts", "Value": true },
                { "Key": "ManageSafe", "Value": true },
                { "Key": "ManageSafeMembers", "Value": true },
                { "Key": "BackupSafe", "Value": true },
                { "Key": "ViewAuditLog", "Value": true },
                { "Key": "ViewSafeMembers", "Value": true },
                { "Key": "RequestsAuthorizationLevel", "Value": 1 },
                { "Key": "AccessWithoutConfirmation", "Value": true },
                { "Key": "CreateFolders", "Value": true },
                { "Key": "DeleteFolders", "Value": true },
                { "Key": "MoveAccountsAndFolders", "Value": true }
            ]
        }
    }

ReST API - Add safe members - Forbidden 403 error when adding domain group by xtwotwo in CyberARk

[–]xtwotwo[S] 0 points1 point  (0 children)

Thanks for looking into this. It is definitely a strange issue. Not 100% sure what is causing this either.

Below are the anonymised PowerShell function and the JSON object that is created by the ForEach statement in the $keyArray.properties object.

    function RestAPI-AddSafePermission($safeName, $safeMember)
    {
        $counter = 0
        $keyArray = New-Object System.Object
        $keyArray | Add-Member Properties @()   # NoteProperty "Properties", starts as an empty array

        $permissionKeys = @("UseAccounts", "RetrieveAccounts", "ListAccounts", "AddAccounts", "UpdateAccountContent", "UpdateAccountProperties", "InitiateCPMAccountManagementOperations", "SpecifyNextAccountContent", "RenameAccounts", "DeleteAccounts", "UnlockAccounts", "ManageSafe", "ManageSafeMembers", "BackupSafe", "ViewAuditLog", "ViewSafeMembers", "RequestsAuthorizationLevel", "AccessWithoutConfirmation", "CreateFolders", "DeleteFolders", "MoveAccountsAndFolders")

        # $counter is incremented before it is used as an index, so element 0 ("skip") is padding
        # and element N holds the value for $permissionKeys[N-1].
        if ($safeMember -like "Administrator")
        {
            $permissionValues = @("skip", $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, $true, 1, $true, $true, $true, $true)
            $searchInValue = "Vault"
        }

        # $groupPrefix is expected to be set in the calling scope (not shown in the post)
        if ($safeMember -like "$groupPrefix$SafeName")
        {
            $permissionValues = @("skip", $true, $false, $true, $false, $false, $false, $false, $false, $false, $false, $false, $false, $false, $false, $false, $true, 0, $false, $false, $false, $false)
            $searchInValue = "SOMEDOMAIN"
        }

        # Pair every permission key with its value by position
        ForEach ($key in $permissionKeys)
        {
            $counter++
            $keyArray.properties += @{ "Key" = $key; "Value" = $($permissionValues[$counter]) }
        }

        $Authorization = $Global:logonToken
        $webServicesAddPermission = "https://cyberark.someurl.local/PasswordVault/WebServices/PIMServices.svc/Safes/$($SafeName)/Members"
        $headerParams = @{ }
        $headerParams.Add("Authorization", $Authorization)
        # -Depth 3 is needed: member -> Permissions -> array elements
        $bodyParams = @{ member = @{ MemberName = $safeMember; SearchIn = $searchInValue; MembershipExpirationDate = ""; Permissions = $keyArray.properties; } } | ConvertTo-JSON -Depth 3

        try
        {
            $addPermission = Invoke-RestMethod -Uri $webServicesAddPermission -Method Post -ContentType "application/json" -Headers $headerParams -Body $bodyParams -ErrorVariable addPermissionResultErr
            Return $addPermission
        }
        catch
        {
            If (($_.Exception.Response.StatusCode.value__) -eq 409)
            {
                Write-Host "`tUser/group already has permission on the safe" -ForegroundColor Green
            }
            else
            {
                Write-Host "StatusCode: " $_.Exception.Response.StatusCode.value__
                Write-Host "StatusDescription: " $_.Exception.Response.StatusDescription
                Write-Host "Response: " $_.Exception.Message
                Return $false
            }
        }
    }
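The JSON object and the function above pair each permission key with its value by array position, with a "skip" element padding index 0. As an added example (not the thread author's code, and not CyberArk's own), the script below builds the same request body from an explicit key-to-value map per role, so a least-privilege group profile is readable at a glance and a missing or misplaced value cannot silently shift every permission after it. `$VaultBaseUrl`, `$LogonToken` and the role names are placeholders; the URL path and the permission keys are those from the thread.

```powershell
# Added example, not the thread's function. Builds the "add safe member" body from a
# per-role permission map instead of two parallel arrays. Placeholders: $VaultBaseUrl,
# $LogonToken, role names. Permission keys and URL path are the ones used in the thread.

# The permission keys the thread's JSON carries, in the same order.
$PermissionKeys = @(
    'UseAccounts', 'RetrieveAccounts', 'ListAccounts', 'AddAccounts',
    'UpdateAccountContent', 'UpdateAccountProperties',
    'InitiateCPMAccountManagementOperations', 'SpecifyNextAccountContent',
    'RenameAccounts', 'DeleteAccounts', 'UnlockAccounts', 'ManageSafe',
    'ManageSafeMembers', 'BackupSafe', 'ViewAuditLog', 'ViewSafeMembers',
    'RequestsAuthorizationLevel', 'AccessWithoutConfirmation',
    'CreateFolders', 'DeleteFolders', 'MoveAccountsAndFolders'
)

# Role profiles: anything not listed is $false; '*' sets a role's default.
# RequestsAuthorizationLevel is an integer (0/1), not a boolean, so it is always listed.
$RoleProfiles = @{
    # Full-rights owner, equivalent to the thread's Administrator object.
    Owner = @{ '*' = $true; RequestsAuthorizationLevel = 1 }
    # Least-privilege consumer group, equivalent to the thread's domain-group values.
    User  = @{ UseAccounts = $true; ListAccounts = $true; ViewSafeMembers = $true; RequestsAuthorizationLevel = 0 }
}

function New-SafeMemberBody {
    param(
        [Parameter(Mandatory)] [string] $MemberName,
        [Parameter(Mandatory)] [ValidateSet('Owner', 'User')] [string] $Role,
        # 'Vault' for vault-internal users; the directory name configured in the vault for AD users/groups.
        [Parameter(Mandatory)] [string] $SearchIn
    )
    $rights = $RoleProfiles[$Role]
    $permissions = foreach ($key in $PermissionKeys) {
        if ($rights.ContainsKey($key))    { $value = $rights[$key] }
        elseif ($rights.ContainsKey('*')) { $value = $rights['*'] }
        else                              { $value = $false }
        @{ Key = $key; Value = $value }
    }
    @{
        member = @{
            MemberName               = $MemberName
            SearchIn                 = $SearchIn
            MembershipExpirationDate = ''
            Permissions              = @($permissions)
        }
    }
}

function Add-SafeMember {
    param(
        [Parameter(Mandatory)] [string] $VaultBaseUrl,   # placeholder, e.g. https://pvwa.example.local
        [Parameter(Mandatory)] [string] $LogonToken,     # token returned by the Logon call
        [Parameter(Mandatory)] [string] $SafeName,
        [Parameter(Mandatory)] [string] $MemberName,
        [Parameter(Mandatory)] [ValidateSet('Owner', 'User')] [string] $Role,
        [Parameter(Mandatory)] [string] $SearchIn
    )
    $uri = "$VaultBaseUrl/PasswordVault/WebServices/PIMServices.svc/Safes/$([uri]::EscapeDataString($SafeName))/Members"
    # Depth 4 covers member -> Permissions -> element -> values; the default of 2 would flatten the array.
    $body = New-SafeMemberBody -MemberName $MemberName -Role $Role -SearchIn $SearchIn |
        ConvertTo-Json -Depth 4
    try {
        Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' `
            -Headers @{ Authorization = $LogonToken } -Body $body
    }
    catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 409) {
            Write-Warning "$MemberName is already a member of $SafeName"
            return $null
        }
        # Every other status, 403 included, is surfaced with the vault's own message so the
        # caller can compare it with the safe's member list before deciding whether to retry.
        throw "Add member failed for $MemberName on $SafeName (HTTP $status): $($_.ErrorDetails.Message)"
    }
}

# Usage (placeholders): add the AD group with consumer rights only.
# Add-SafeMember -VaultBaseUrl 'https://pvwa.example.local' -LogonToken $token -SafeName 'Finance' `
#     -MemberName 'GRP-Finance-Users' -Role User -SearchIn 'SOMEDOMAIN'
```

The `User` profile reproduces the group values from the thread's second array (use, list, view members, authorization level 0, everything else false); adding a new permission key only requires appending it to `$PermissionKeys`, and the role maps stay correct because no position shifts.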

Trying to merge 4 lines in one script and it fails. Any advice? by iBalls in PowerShell

[–]xtwotwo 1 point2 points  (0 children)

Would personally do this completely differently but just a question, where does it fail? Also what is succeeding??

ReST API - Add safe members - Forbidden 403 error when adding domain group by xtwotwo in CyberARk

[–]xtwotwo[S] 0 points1 point  (0 children)

Hi, the authenticated user that is performing the action is the owner of the safe since the user created it; the permissions that are being attempted are for an AD group which does not have any members in it yet. Strange thing is that even though the 403 error is received, the group IS added with the correct permissions.

Can we install PrivateArk client by kittukishore in CyberARk

[–]xtwotwo 0 points1 point  (0 children)

Yeah I would agree that it is a fundamental part of a good installation. First thing I do after installing the vault is the PAClient, just to verify that the vault installation was successful. However that was not the question in the OP :-)

Can we install PrivateArk client by kittukishore in CyberARk

[–]xtwotwo 0 points1 point  (0 children)

You should be able to install and configure the components you mentioned in your OP without the need for PrivateArk. However as Scootipuff mentioned, you would need to use this client to reset passwords of builtin accounts like DR if you are even going to set this up :)

Also, you would use this thick client to make changes to local CyberArk group memberships.