TPAM Deployment on Windows Workstations

Hello,

 

I am looking to use TPAM to manage the local administrator account on all of my company's domain joined workstations. Discovering the workstations is relatively easy using the LDAP Auto-Discovery and System template.

 

However, we have hit some road blocks. Many times, workstations are taken off of the domain or are turned off. TPAM is then unable to reset the password... If the workstation is unreachable when it is trying to do a reset, the next time a user tries to check out the account, they will be presented with an error message. I know there is an option to place a certificate on each machine to make a SOAP call when it is ready to be reset, but have deemed that as not a viable option. We could also give users PPM ISA to get old passwords, but this is not a user=friendly workflow, and gives end users elevated privileges.

 

If anyone has deployed TPAM to manage workstations adminstrator IDs, could you please share your deployment strategy?

 

Much appreciated,

JJL

  • Hello,

    As you mentioned, there are several different solutions available for this and which option you choose, depends on which best suits your particular environment. There are a few different settings in the Change and Check Profiles (introduced in version 2.5.915), which can be used to cut down on the number of failures that occur. These mostly focus on preventing the change or check from occurring, or sending a notification when a failure occurs.

    The Change and Check profiles include such options as:

    - Checks / Changes will be scheduled during the following window(s)
    - Allow system to notify TPAM it is available for check / change
    - After n consecutive failures to check do ...
    - Also notify account owner of check / change failure

    There can be many reasons for why TPAM is unable to manage a particular account or contact a particular situation (network communication, invalid credentials, insufficient permission etc.). There are potentially other solutions based on combinations of settings that can be used, depending on what best suits your needs.

    Typically, TPAM does not take drastic actions such as deleting the account or system automatically, because it has no way of knowing if this resource is temporarily unavailable or has been decommissioned completely. This is why most of the solutions revolve around scheduling, retries or notifications.