

Password Consumer Example: Windows Run As

The Windows RunAs application lets a user borrow permissions from a privileged account to perform a specific task. You can create a Windows Run As password consumer so that when a user executes RunAs, the SAM Agent provides the privileged account password directly to the RunAs application. The Windows Run As password consumer removes the need for users to know privileged account passwords to perform administrative tasks.

You can create Windows Run As password consumers only on Windows Agentless endpoints.

In the following example, a backup task is scheduled to run weekly. The task is located at C:\backup\backup.exe and is run by Administrator. If the scheduled backup fails, the system administrator Steve wants to let user John manually start the backup. Steve can use a Windows Run As password consumer to let John start the backup task without the Administrator password.

The following process describes the steps that Steve and John perform to create and use a Windows Run As password consumer on an endpoint named win123_PUPM:

  1. Steve installs CA ControlMinder on win123_PUPM with the SAM Integration feature enabled.
  2. Steve does the following in CA ControlMinder Enterprise Management:
    1. Creates a Windows Agentless endpoint named win123_PUPM.
    2. Discovers the Administrator privileged account on the win123_PUPM endpoint.
    3. Creates a Windows Run As password consumer using the following parameters:
      • Name—win123_PUPM Backup RunAs
      • Consumer Type—Windows Run As
      • Application Path—C:\backup\backup.exe
      • Account—Administrator
      • Host—win123_PUPM
      • User—Domain1\John

        Note: Steve enters John's user name as it appears on the endpoint.

    The Windows Run As password consumer is created.

  3. The scheduled backup task fails and John logs on to win123_PUPM to manually start the backup. He executes the RunAs command to start the backup task, using the following parameters:

    The SAM Agent checks the cache for previous requests by John to start the backup task. Because this is the first time John has made this request, it is not cached. The SAM Agent retrieves the privileged account password from CA ControlMinder Enterprise Management and provides it to the RunAs application. The backup task starts.