MrRat

MSP Accounts Plugin - Free


Plugin updated to 2.16.12.06

(requires restarting Database Agent after installing updated DLL)

 

Fixes

----

Changed the SQL query used to find PDCs to use the v_detectedroles view. The old query had become unreliable.

I get a notification that the GUID of the plugin does not match when updating. Is that expected?

 

 

yes. just ok that.


MrRat -

 

Can we have the ability to adjust password complexity?

 

Also, will it pass credentials to ScreenConnect so we can have techs who never actually know their password on a domain, creating an additional layer of security?

 

How does it handle accounts that already exist? Will it assume control of them or just fail out?

 

I'm loving the plug concept

Can we have the ability to adjust password complexity?

 

Good idea. I'll add it next time I am working on it.

 

 

Also, will it pass credentials to ScreenConnect so we can have techs who never actually know their password on a domain, creating an additional layer of security?

 

No. It doesn't talk to apps, only AD

 

 

How does it handle accounts that already exist? Will it assume control of them or just fail out?

 

If the account name and the OU are exactly the same I believe it would fail when it tried to create the account but would from then on manage the password properly. Just a guess, haven't tested.

Thoughtcoder - it uses whatever you sign into LabTech as.

 

Unfortunately, that's an issue for us.

We use firstname.surname for both mail & AD (both internal and customer sites) - we're forced to use firstinitialSurname in LabTech & ConnectWise due to the inability to include a period in a username - but we don't want to go down that path - for a large organisation it's a nightmare.


I am having issues with the tool creating the accounts.

My environment

LabTech Version 11.0.342

MSP Accounts latest published

Here is what I did

Settings tab-

changed the MSP name to my "MSP name"

Changed the Min Password to 10

Service Account tab- Chose the correct service account and checked yes on create local service accounts

Manage Users tab- Set up the LT users I want to add to all domains and workstations; the service account is in there as well (not sure if it should be)

Include Excluded locations is checked

Manage Locations- Excluded my location and then chose a client that has a DC and add all users

 

Came in this morning and the users were not created. Checked the passwords tab and it was not in there

 

This morning, I pushed it to a client with no DC and it created the password in the password tab and created the service account as well as the MSP_Admin account, but not the other LT accounts set up. Attempted to push to a different client with a DC and it still is not working.

 

What am I doing wrong please? I am super excited about this tool and would love to get it working in my environment!

 

Thank You


changed the MSP name to my "MSP name"

Changed the Min Password to 10

 

yes

 

Service Account tab- Chose the correct service account and checked yes on create local service accounts

Manage Users tab- Set up the LT users I want to add to all domains and workstations; the service account is in there as well (not sure if it should be)

 

Adding the service user to all domains comes before assigning it on the Service Account tab, but ok

 

 

Came in this morning and the users were not created. Checked the passwords tab and it was not in there

 

When you click Add User on the Manage Users tab it should start pushing that user to all domains and when done send you an email.

 

 

Attempted to push to a different client with a DC and it still is not working

What am I doing wrong please? I am super excited about this tool and would love to get it working in my environment!

 

it doesn't sound like you are doing anything wrong. i don't know why it is not working for you

 

Have you tried going to the Manage Locations tab, select a location, then select Add All Users, and press Execute.

Wait a half hour and then check the location to see if the users are created?


Adding the service user to all domains comes before assigning it on the Service Account tab, but ok

Yes I did add the service account to the client first.

 

When you click Add User on the Manage Users tab it should start pushing that user to all domains and when done send you an email.

Is there a log file I can look at because it is not pushing to domain computers. It is creating ONE account on non-domain computers, not all accounts. I did select add all users.

 

 

it doesn't sound like you are doing anything wrong. i don't know why it is not working for you

 

Have you tried going to the Manage Locations tab, select a location, then select Add All Users, and press Execute.

Wait a half hour and then check the location to see if the users are created?

 

Yes I have and nothing is appearing. Not sure at this point unless there is a log file I can look at to ensure the commands are going through...I can create new users through LT manually.


Thank you for this plugin! Adding the local admins for non-domain users is great, but the accounts are visible on the login screens.

 

Can you set the registry key to hide the service accounts?

 

When you create the account, add a new key under

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\

Key name = the service account name ("msp-fname")

value = 0 (to hide, 1 to show)

 

more info: https://social.technet.microsoft.com/Forums/windows/en-US/16378967-8a39-4aef-85e4-d859a71648d3/hide-user-accounts-on-windows-7-logon?forum=w7itproui

 

Thanks!

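An added example, not part of the thread or the plugin's code: once accounts are hidden from the logon screen with the `SpecialAccounts\UserList` setting described above, users can no longer spot them, so auditing that key is the remaining check. The sketch parses constructed `reg query` output and separates hidden accounts that are on an expected list from those that are not; every account name except `msp-fname` is made up.

```python
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon\SpecialAccounts\UserList")

# Constructed sample of `reg query "<key>"` output collected from one endpoint.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    msp-fname    REG_DWORD    0x0
    msp-svc    REG_DWORD    0x0
    helpdesk2    REG_DWORD    0x0
    kiosk    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}REG_DWORD\s{4}(?P<data>0x[0-9a-fA-F]+)\s*$")

def parse_userlist(reg_output):
    """Return {account_name: dword} for the values listed under the UserList key."""
    entries, in_key = {}, False
    for line in reg_output.splitlines():
        if line.strip().upper() == USERLIST_KEY.upper():
            in_key = True
            continue
        if line.startswith("HKEY_"):
            in_key = False  # a different key starts here
            continue
        match = VALUE_LINE.match(line) if in_key else None
        if match:
            entries[match.group("name").lower()] = int(match.group("data"), 16)
    return entries

def audit_hidden_accounts(reg_output, expected_hidden):
    """Compare accounts hidden with DWORD 0 against the list that should be hidden."""
    expected = {name.lower() for name in expected_hidden}
    hidden = {n for n, v in parse_userlist(reg_output).items() if v == 0}
    return {
        "hidden_expected": sorted(hidden & expected),
        "hidden_unexpected": sorted(hidden - expected),
        "expected_not_hidden": sorted(expected - hidden),
    }

if __name__ == "__main__":
    report = audit_hidden_accounts(
        SAMPLE_REG_QUERY, ["msp-fname", "msp-svc", "msp-jdoe"])
    for bucket, names in report.items():
        print(f"{bucket}: {names}")
```
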

Can you set the registry key to hide the service accounts?

When you create the account, add a new key under

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\

Key name = the service account name ("msp-fname")

value = 0 (to hide, 1 to show)

Thanks!

 

 

Great idea. Thank you.


I tried it out last night and it works instantly. I pressed Win+L and the service acct was on the login screen, I went back in to my account and set that key, then pressed Win+L again and the service account was gone. It would be so great to have this happen automatically.

 

Thanks again for a great plugin!


Could you check the exclusion logic? My LabTech computers are a mix of managed and unmanaged PCs, so not everyone will be getting these accounts. I wanted to test this on one location, but I just got an email from an unmanaged client about this new msp service account showing up on their PC. Does the "Create Local Service Account" feature respect the exclusion list?

Could you check the exclusion logic? Does the "Create Local Service Account" feature respect the exclusion list?

 

You're right I need to check that. It was a late addition and it may not be following the rules. I'll check.


This looks like an awesome plugin but we ran into a snag with the passwords being char limited to exclude ampersand, pipes, and percent (~,|,%). Is it just because those are a pain to escape when running the insert statement? Couldn't a nested series of replaces swap out '~' for '\~'?

 

We use strong password generator (https://strongpasswordgenerator.com/) a lot and the defaults often times use % or | ex: .2-W;yW8=A|%|2w

 

Thanks for all the work you are doing MrRat!

 

Edit: Does 'Exclude Locations' work? I wanted to exclude all but 1 location for testing by checking exclude next to all but 1 client location. I ended up seeing commands issued to every DC we have in LT. (OOPS!)

Edit Edit: On further review it looks like the issue is when I save the exclusions it's refusing to save any past about 1/2 down the list.

 

 

I tracked the issue back down to the table with the exclusions. You are using Vchar(500)

 

This limits it very fast with a comma sep list with LocationIDs taking up 3 digits each. I bumped this up to 2000 and looks like I can save the rest of our locations in there :)


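An added example, not from the thread or the plugin: why a cut-off exclusion list fails open. It assumes the database silently dropped text beyond the 500-character column, which matches the symptom reported above, and compares that with one row per excluded location; the location IDs and table names are constructed.

```python
import sqlite3

COLUMN_WIDTH = 500  # original width of the exclusion column, per the thread

def save_csv(excluded_ids, width=COLUMN_WIDTH):
    """Store IDs as one comma-separated string, silently cut at the column width."""
    return ",".join(str(i) for i in excluded_ids)[:width]

def targets_from_csv(all_ids, stored):
    """Locations that would be acted on, given the stored (maybe truncated) list."""
    excluded = {int(tok) for tok in stored.split(",") if tok.isdigit()}
    return sorted(set(all_ids) - excluded)

def targets_from_rows(all_ids, excluded_ids):
    """Same decision with one row per excluded location: no length limit to hit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE locations (id INTEGER PRIMARY KEY)")
    db.execute("CREATE TABLE excluded_locations (location_id INTEGER PRIMARY KEY)")
    db.executemany("INSERT INTO locations VALUES (?)", [(i,) for i in all_ids])
    db.executemany("INSERT INTO excluded_locations VALUES (?)",
                   [(i,) for i in excluded_ids])
    rows = db.execute(
        "SELECT id FROM locations WHERE id NOT IN "
        "(SELECT location_id FROM excluded_locations) ORDER BY id")
    return [row[0] for row in rows]

# Constructed data: 200 locations with three-digit IDs, all excluded except 150.
ALL_LOCATIONS = list(range(100, 300))
EXCLUDED = [i for i in ALL_LOCATIONS if i != 150]

if __name__ == "__main__":
    stored = save_csv(EXCLUDED)
    full_length = len(",".join(map(str, EXCLUDED)))
    print(f"stored {len(stored)} of {full_length} characters")
    print("targets with truncated CSV:", len(targets_from_csv(ALL_LOCATIONS, stored)))
    print("targets with one row each: ", targets_from_rows(ALL_LOCATIONS, EXCLUDED))
```
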
We use strong password generator (https://strongpasswordgenerator.com/) a lot and the defaults often times use % or | ex: .2-W;yW8=A|%|2w

Why don't you use the built in password generator?

 

 

I tracked the issue back down to the table with the exclusions. You are using Vchar(500)

Raised it to 2000. Thanks


Why don't you use the built in password generator?

 

Strong password was standard when I moved to this company 3 years ago and the engineers use it like it's going out of style. Some day I'll break them of it.

 

Thanks for updating the field :)


Plugin updated to 2.17.02.27

(requires restarting Database Agent after installing updated DLL)

 

Updates

----

Added registry entry to hide local service account when created.

Added "Include Excluded Locations" option to local service account.

Increased Excluded Locations record to 2000 chars.


I just had to remove the service account from 50+ PCs and I still have a dozen that haven't been turned on yet that I need to watch out for. After receiving many tickets about "what is this weird account on my PC" I'm a little gun shy about turning this back on.

 

Do all facets of this plugin respect the exclusion list? If I check all locations for exclusion, will the plugin create anything anywhere?

Is it just because those are a pain to escape when running the insert statement?

yes. much safer/simpler to just refuse to take something that might be used for a SQL injection attack

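An added example, not part of the thread or the plugin's code: the two options discussed above (refusing characters, or escaping them into the insert statement) next to a third, bound parameters, which store any password unchanged. Python's sqlite3 stands in for the plugin's database, the table and account names are hypothetical, and `REFUSED` holds only the three characters named in the thread.

```python
import sqlite3

REFUSED = set("~|%")  # characters the thread says the plugin rejects

# Constructed test values; the first is the example password quoted in the thread.
PASSWORDS = [".2-W;yW8=A|%|2w", "o'Neil~50%|x", 'back\\slash"quote']

def new_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table; the plugin's real schema is not shown on the page.
    db.execute("CREATE TABLE msp_passwords (account TEXT PRIMARY KEY, password TEXT)")
    return db

def passes_character_filter(password):
    """Reject-on-sight approach: refuse any password containing a listed character."""
    return not (REFUSED & set(password))

def store_concatenated(db, account, password):
    """'Before' form: the password becomes part of the SQL text itself."""
    db.execute(f"INSERT INTO msp_passwords VALUES ('{account}', '{password}')")

def store_bound(db, account, password):
    """Bound parameters: the value is handed to the driver, never parsed as SQL."""
    db.execute("INSERT INTO msp_passwords VALUES (?, ?)", (account, password))

def stored_password(db, account):
    row = db.execute("SELECT password FROM msp_passwords WHERE account = ?",
                     (account,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = new_db()
    for n, pw in enumerate(PASSWORDS):
        account = f"msp-user{n}"
        store_bound(db, account, pw)
        intact = stored_password(db, account) == pw
        print(f"{pw!r}: filter accepts={passes_character_filter(pw)}, "
              f"bound round-trip intact={intact}")
    try:
        store_concatenated(db, "msp-broken", PASSWORDS[1])
    except sqlite3.OperationalError as exc:
        print("concatenated insert failed:", exc)
```
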
Do all facets of this plugin respect the exclusion list? If I check all locations for exclusion, will the plugin create anything anywhere?

 

that's the theory, but truthfully i haven't tested that. i've tested code fragments and SQL statements but haven't tried the new exclusion in the real world.


MrRat, thank you so much for the great plugin.

 

I have a couple of feature requests. Let me know what you think of any of these features. They may already be discussed, but I just wanted to throw my hat in there for a few times.

 

1. Check all locations under exclude locations (my hands are tired)

2. The ability to exclude specific employees from a specific client

3. The ability to fully name the OU

- I just deployed and have a bunch of OUs in not such a pretty format. I'd like to be able to edit that entire OU name.

4. The ability to rename the OU from

- This way if someone doesn't like how the OU looks they can go in and rename it.

5. Additional security groups would be nice.

6. The ability to enable/disable if they are a domain admin.
