Hello Fellow LabTechers!
Most of you know me from the IRC Channel. I'm the chatty one it seems. I've been working on this little tidbit for the last few days and there were enough people who were interested in it that I thought I'd share it with you all here.
Background - I work for a Managed Services Provider. Our process for accessing Client Machines is that we will use the same username/password for our administrator account and the only thing that changes is the domain. Previously, we've used a Services account for LabTech credentials but with the new features in Ignite that I migrated us over to ... this is now causing problems because that account is locked down and a lot of the VBS scripts that Ignite wants to use can't run with it.
We also have a process that I manage, that since we use one account for most things ... whenever a technician leaves our employment -- I change the password.
This would be a problem for me to change the location password for all these locations.
So, here's the method to my madness and how I intend on making it work.
Our location passwords have wildly different names. I've been given the power of the Banhammer to standardize things.
Step 1 - Standardized Administrator Name
This was relatively easy, just need to go through every location in LabTech and add a new Password Entry. I was able to accomplish this with the 'One-Time Location Password Insert.xml' script.
It'll grab a list of all location & client IDs and run a loop with a SQL Insert Statement.
Something that I noticed while watching SQLSpy and opening/closing the Location Password screen repeatedly was the pattern it uses for AES Encryption. You'll notice that the password field in the table is encrypted. The actual AES_Encrypt('Password',SHA(' @AESValue@') ... There is a white space in between the apostrophe and @AESValue@. The AESValue that gets used in that sequence is the CLIENTID + 1. Use the wrong value and the password will not show up when you view the list in LabTech.
Step 2 - Adjust the Standardized Administrator Name
Now, you'll notice in the first script that I use just plain ol' f12admin for the username. I tried using %domain%\f12admin but LT was evaluating the domain to my local one. No big deal, I just ran the following statement against the mysql database.
SET UserName = '%domain%\\f12admin'
WHERE Title = 'F12 Administrator';
All updated and nice.
Step 2.5 - Removing silly %domain% from all usernames
So, something new that I discovered. We can no longer use %domain%\<username> in the location password field with the new changes to LabTech. I had Support confirm that the whoami's fail when it attempts to run PowerShell or anything of that sort with the new Exchange Monitors.
So, what to do when the old LT Admin had everyone fill in %domain% for every password? Well, you script it, of course!!
I've updated the LTPWMGMT.zip file to include my newest script for updating all this. I'll also throw down the steps the script does.
1. SQL Query to grab all passwordIDs that contain %domain% in the username field.
2. Lots of LOG: entries you can use for testing to ensure it's grabbing the right information before committing changes to the password database
3. Drop the %domain% from the username
4. Use the ClientID to grab the actual domain ... but not from a Domain Controller that adds in the stupid DC: ... and ignores anything with WORKGROUP listed as the domain -- Things break here if it can't find anything.
5. It will also create a log file in the C:\F12\ folder of the LabTech Server with the outputs. So you can see the ClientID and PasswordID along with what was inserted into the DB for review if something looks funny.
The script is called - ONE TIME - LT Passwords Domain Change.xml
Step 3 - Assigning Password to LabTech Locations
This is my project for tomorrow ...
Step 4 - Managing F12 Administrator Password
This was also very easy. I used the LT Database Password Update.xml script for this. It'll have a global value of @F12AdminPW@ defined in there. I just run this against the LabTech Server and it updated things nicely. Had to do a password change today and used it as my testing case.
I'll probably optimize it ... or nest it at some other point. But for now, this is where I am at.
Does it work? I have no clue yet for the actual agent. I'll test that once I get back to assigning the Credentials to the LabTech Locations.
I attached my two scripts in the ZIP folder, if you'll find this useful.
Let's see how this does for my first LTG post.
EDIT: Added Step 2.5
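
The Step 2.5 procedure as a dry-run planner, added here as an example and not taken from the post or its LTPWMGMT.zip scripts: it lists what each %domain% username would become and which entries have to be skipped, without touching the password table. The row shapes, function names and the DOMAIN\user output format are assumptions, and treating a client that reports more than one domain as ambiguous goes beyond the steps listed in the post.

```python
import re

# Assumed: the new username is DOMAIN\user; row shapes below are hypothetical.
# Leading literal %domain% placeholder plus its backslash(es), any case.
PLACEHOLDER = re.compile(r"^%domain%\\+", re.IGNORECASE)

def usable_domain(reported):
    """Return the domain upper-cased, or None for values the post skips."""
    value = (reported or "").strip().upper()
    if not value or value.startswith("DC:") or value == "WORKGROUP":
        return None
    return value

def plan_rewrites(password_rows, agent_domains):
    """Dry run: return (changes, skipped) and write nothing."""
    by_client = {}
    for client_id, reported in agent_domains:
        domain = usable_domain(reported)
        if domain:
            by_client.setdefault(client_id, set()).add(domain)
    changes, skipped = [], []
    for row in password_rows:
        if not PLACEHOLDER.match(row["UserName"]):
            continue  # entry does not use the placeholder, leave it alone
        user = PLACEHOLDER.sub("", row["UserName"])
        domains = by_client.get(row["ClientID"], set())
        if len(domains) != 1:
            # Report instead of guessing or failing part-way through.
            reason = "ambiguous domain" if domains else "no usable domain"
            skipped.append((row["PasswordID"], row["ClientID"], reason))
            continue
        new_name = next(iter(domains)) + "\\" + user
        changes.append((row["PasswordID"], row["ClientID"], row["UserName"], new_name))
    return changes, skipped

# Constructed sample rows, not data from the post.
SAMPLE_PASSWORDS = [
    {"PasswordID": 11, "ClientID": 1, "UserName": "%domain%\\f12admin"},
    {"PasswordID": 12, "ClientID": 2, "UserName": "%DOMAIN%\\backup"},
    {"PasswordID": 13, "ClientID": 3, "UserName": "%domain%\\f12admin"},
    {"PasswordID": 14, "ClientID": 1, "UserName": "localadmin"},
    {"PasswordID": 15, "ClientID": 4, "UserName": "%domain%\\f12admin"},
]
SAMPLE_AGENTS = [(1, "DC:EXAMPLE"), (1, "example"), (2, "WORKGROUP"),
                 (3, "CORP"), (3, "corp"), (4, "EAST"), (4, "WEST")]

if __name__ == "__main__":
    changes, skipped = plan_rewrites(SAMPLE_PASSWORDS, SAMPLE_AGENTS)
    for entry in changes + skipped:
        print(entry)
```

Reviewing the skipped list before any UPDATE runs covers the case the post flags in step 4, where a client has no usable domain.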