User Management

The Users page listed under your Computer Group shows a list of local users that exist within this Computer Group.

The User Management and Group Management pages have been configured to load faster by showing the list of managed and built-in users and groups only. Inventoried users and groups will no longer appear by default unless there are fewer than 200 workstations in that computer group. You can still manage any group or user on those workstations by clicking Create User or Create Group, available in the top right of their respective tables.

If you need to modify any items within Privilege Manager, duplicate the item and modify the duplicate instead of the built-in item so that an upgrade does not overwrite it.

The information highlighted by the User Management table includes:

  • how many groups each user account is a member of,
  • whether the user account was built-in or user-defined, and
  • whether or not the account itself is managed.

Local Security allows administrators to manage users and also to manage passwords and password rotation. Managing local users in Local Security means that you are setting a password for the account and can rotate the password as desired.

Creating New Local User Account

To create a new local user:

  1. Navigate to your Computer Group for this new user and select User Management.

  2. On the User Management page, click Create User.

  3. Enter the new User Name.

  4. Click Create.

  5. This takes you to the Account Details tab of your new user's account. To create a user through Local Security, it must be a managed user.

  6. Set the User Managed switch to Yes.

    In Local Security, the most important thing to know about your user accounts is whether or not each is being managed. Managing a local user account means that you are able to rotate the account's password from Local Security's console in Privilege Manager.

    If the password is being rotated, the update schedule determines when the new password is applied.

    The user does not need to be managed in order to rotate the password on a local account.

    The following settings are all specific to Windows endpoints and will not be displayed for macOS-based Computer Groups:

    • Account is Disabled
    • User Must Change Password At Next Logon
    • User Cannot Change Password
    • Password Never Expires

  7. Managed user accounts require an initial password when created.

    When the agent first receives the instructions for this account, it will create the account if necessary. Next, the agent sets the password to either the fixed password or random password, depending on which option is selected. This occurs regardless of whether the user existed or not. This overwrites any existing password.

    If the user account is enabled, disabled, or deleted, the agent will repeat this initial deployment process.

    In addition to a static initial password, an option to create a randomized initial password is available.

    If Use Static Password is selected, click the Edit link and specify a password according to the password criteria set. The user will be able to log in to any computer defined for the user account using this password. The password becomes effective at the point that the User Management task is updated on the agent endpoint (a message will be returned to the server).

    If Use Random Password is selected, a different randomized password will be produced for every agent endpoint workstation that the user is managed on. Random passwords are also based on the password criteria set. The password(s) generated will display when the View Password button is selected, but only after the User Management task is updated on the agent endpoint (a message will be returned to the server).

    Select the method for password creation (Static or Random), then edit Characters and Password Length settings pertaining to the user's password.

  8. Managing users, passwords, and rotation schedules often goes hand in hand, but not every managed user account also requires password rotation. For example, service accounts are managed, but usually do not have password rotation set up. Password rotation can also be set up for existing users without having to provision user accounts.

    Password rotation is an option that is not required for all accounts, especially not for service accounts.

    If password rotation is desired, enable Rotate Password. When prompted, click Confirm Manage Password. Click the link provided in the Schedule field and supply values in the Update Schedule dialog box and click Save. The password on this account will be rotated based on the Update Schedule details.

  9. When all account settings are satisfactory, click Save Changes.
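
An endpoint-side check of the settings described in the steps above, as an added example that is not part of Privilege Manager or its documentation: it reads a local account's state on a Windows endpoint with the built-in Get-LocalUser and Get-LocalGroupMember cmdlets. The account name svc-example and the 30-day rotation interval are assumptions; replace them with your own values.

```powershell
# Added example: verify a managed local account on a Windows endpoint.
# $AccountName and $MaxPasswordAgeDays are assumed values, not product defaults.
param(
    [string]$AccountName = 'svc-example',   # hypothetical managed account
    [int]$MaxPasswordAgeDays = 30           # assumed rotation interval
)

function Get-ManagedAccountState {
    param([string]$Name, [int]$MaxAgeDays)

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        # Account has not been created on this endpoint (yet).
        return [pscustomobject]@{ Name = $Name; Exists = $false }
    }

    # PasswordLastSet is empty when the password is flagged to be changed
    # at next logon or has never been set.
    $age = if ($user.PasswordLastSet) {
        [math]::Floor(((Get-Date) - $user.PasswordLastSet).TotalDays)
    } else { $null }

    # Local groups that contain this account, matched by SID.
    $groups = Get-LocalGroup | Where-Object {
        $members = Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue
        $members.SID.Value -contains $user.SID.Value
    }

    [pscustomobject]@{
        Name                     = $user.Name
        Exists                   = $true
        AccountIsDisabled        = -not $user.Enabled
        MustChangeAtNextLogon    = ($null -eq $user.PasswordLastSet)
        UserCannotChangePassword = -not $user.UserMayChangePassword
        # PasswordExpires is empty when no expiry date applies to the account.
        PasswordNeverExpires     = ($null -eq $user.PasswordExpires)
        PasswordAgeDays          = $age
        RotationOverdue          = ($null -ne $age -and $age -gt $MaxAgeDays)
        GroupCount               = @($groups).Count
        Groups                   = @($groups | ForEach-Object Name) -join ', '
    }
}

Get-ManagedAccountState -Name $AccountName -MaxAgeDays $MaxPasswordAgeDays |
    Format-List
```

A RotationOverdue value of True means the local password is older than the interval you passed in, which is worth comparing against the Update Schedule configured for the account.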

Editing a Local User Account

While editing a user, you can change the account User Name, add details like the full name of the user, disable the account, or update the schedule that pushes out modifications to endpoints.

The Groups tab for a Local Account tells you how many groups and computers the account is on. Clicking on a Group Name from this page directs you back to the details of that local group.

The Statistics tab for a local user account highlights some quick visual statistics and links to relevant reports based on key factors, like how many computers from your network have this user account and whether there have been changes made to the user's membership within the specified period. Click on the graphs to drill down into more details.

Reports Relating to Managed Accounts

  • All Computers with Managed Passwords: Lists all computers that have at least one local user with a managed password.
  • Password Disclosure History: Lists all local and provisioned users' passwords that have been disclosed in a given time frame.
  • Disclosure Summary (Local User): Lists all local users whose managed password has been disclosed in the given time frame.