PSPasswd Plugin

Rotate remote admin passwords with PSPasswd

Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:

This plugin provides IT Admins with the ability to rotate the password of a remote system's administrative local password. The password is rotated using the widely used "pspasswd" utility and the change is synchronized to a specific Keeper record in your vault.

The way this plugin is implemented requires that Commander and pspasswd is installed on the Domain Controller.

The instructions in this README assume that you are executing Commander scripts from the Domain Controller.

Prerequisites

Enabled Remote Service Management on each target computer

Assuming all computers are domain-attached and reachable from the Domain Controller, ensure that "Remote Service Management" is allowed for inbound in Domain by enabling the relevant Firewall rule on all computers.

On each of the target computers, go to Windows Firewall rules -> Inbound Rules -> and enabled the "Remote Service Management" rule.

Install pspasswd

  • Download the PSTools Package from Microsoft

  • Extract the PSTools.zip folder to a location on your computer

  • Add this PSTools folder to your user or system environmental variable "PATH"

    (System Properties -> Advanced -> Environmental Variables)

    Select PATH and then "Edit"

    On some systems, you have to append the location where you installed PSTools, e.g.:

    ;C:\Users\craig\PSTools

    On newer systems, just click "New" then type in the full path to the install, e.g.: C:\Users\craig\PSTools

Prepare Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the Login Name

Populate the 'Login' field of the Keeper record with the login to use with this rotation.

Set the Host and Port of the record

If using an untyped record, the host and port can be set to custom fields. See below.

Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

LabelValueComment

cmdr:plugin

pspasswd

(Optional) Tells Commander to use PSPasswd rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

Hostname of Computer or Computers where the local account exists. This can be set here if not set in the record's host field

cmdr:rules

# uppercase, # lowercase, # numeric, # special

(e.g. 4,6,3,8)

(Optional) Password generation rules

Rotate

To rotate PSPasswd passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "My Azure Credentials" --plugin pspasswd

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Last updated