NetWrix Account Lockout Examiner Version 4.0 Administrator Guide




Table of Contents

Concepts
    Product Architecture
    Product Settings
        List of Managed Domains and Domain Controllers
        Email Notifications
        Remote Control
        Security Roles
    How It Works
Deploying Product
    System Requirements
        Management Server
        Help Desk Portal
        Client Computers
    Planning
    Installing Product
        Installing Service
        Installing Help Desk Portal
        Default Installation Folders, Virtual Directory, and Startup Shortcuts
    Configuring Product
        Configuring List of Managed Domains and Domain Controllers
        Configuring Email Notification
        Configuring Remote Control Settings
        Assigning Security Roles
Using Product
    Using Admin Console
        Overview
        Examining Account Lockout Reasons
        Unlocking Accounts and Resetting Passwords
    Using Help Desk Portal
        Accessing Help Desk Portal
        Overview
        Examining Account Lockout Reasons
        Unlocking Accounts and Resetting Passwords

Contacting NetWrix Support

If you have any questions please feel free to contact the NetWrix support team. NetWrix provides unlimited phone and email support for customers who purchase the commercial version (including evaluation). In addition, on the NetWrix Support Forum, a limited support is provided for customers who use the freeware version.

Disclaimer

The information in this publication is furnished for information use only, does not constitute a commitment from NetWrix Corporation of any features or functions discussed and is subject to change without notice. NetWrix Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.

NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

© 2011 NetWrix Corporation. All rights reserved. www.netwrix.com

Concepts

NetWrix Account Lockout Examiner (also known as Account Lockout Examiner or ALE) is a client-server application that allows you to efficiently handle account lockout issues and automate all related routine operations. Account Lockout Examiner can do the following:

- Monitor Security Event Logs on specific domain controllers in your network and, based on this information, detect account lockouts in real time.
- Automatically notify you about account lockouts before business-critical services go down.
- Automatically scan system services, scheduled tasks, mapped network drives, and other places where user accounts can be used.
- Unlock an account on the domain controller where it was locked as soon as you have fixed the lockout reason (e.g. if you have updated a service account or remapped a network drive), and let Active Directory replicate this change to other domain controllers.

This document is intended to help you deploy and use the product.

This guide applies to Enterprise Edition of ALE. Some features may not be available in Standard Edition. For details, visit Account Lockout Examiner page.

Product Architecture

Account Lockout Examiner is made up of one server component (NetWrix Framework Service) and two client components (Lockout Examiner Console and Help Desk Portal):

1. Lockout Examiner Console (hereafter Admin Console): a snap-in that allows you to configure the product and perform operations on accounts.
2. Help Desk Portal: a Web service that allows the help desk representatives to remotely perform operations on accounts.
3. Service (hereafter ALE Service): a service that processes requests sent by Help Desk Portal or Admin Console.

In this guide, the computer where you install Service is referred to as management server.

Product Settings

The product settings allow you to flexibly control the account unlocking workflow in your organization. Once you have installed Account Lockout Examiner, you may either leave its default settings or change settings that do not comply with your requirements (for more information, see Configuring Product later in this paper). This section provides detailed information on the product settings and explains how to effectively use them.

List of Managed Domains and Domain Controllers

To detect account lockouts, the product accesses Security Event logs on the domain controllers (DCs) from this list. By default, it includes only the PDC emulator in the domain where you have installed ALE, but you can add other domains or DCs to this list. Before creating the list, consider the following important things:

- Managed domains or domain controllers must belong to the same site.
- If you have a slow network connection to remote domain controllers, it is not recommended to add all DCs from managed domains to this list, because it will result in poor performance.

For details on how to modify this list, see Configuring List of Managed Domains and Domain Controllers.

Email Notifications

This option allows the product to automatically inform IT administrators and Help Desk operators about account lockouts in managed domains. By default, this option is disabled and the notification list contains no email addresses. When planning to use Email Notifications, consider the following information:

- When configuring this option, you must enter the information required to connect to the SMTP server in your network. If you do not have this information, contact your IT administrator.
- The product sends one email notification message for each detected account lockout in managed domains.

For details on how to enable and configure this feature, see Configuring Email Notification later in this paper.

Remote Control

This option allows Help Desk operators to unlock accounts by sending an email message containing a passcode obtained from the IT administrator to a specific address. In a typical scenario, an operator can simply reply to the email notification message about an account lockout (see Email Notifications earlier in this paper). The product monitors the specific mailbox on your Mail server, and when the operator's email arrives, it verifies the passcode and unlocks the account. By default, this option is disabled. Before configuring the Remote Control option, consider the following things:

- Ensure that you have enabled and properly configured the Email Notifications feature: otherwise, Help Desk operators cannot receive notification messages to reply to.
- When configuring this option, you must enter the information required to connect to the Mail server in your network. If you do not have this information, contact your IT administrator.

For details on how to enable and configure this feature, see Configuring Remote Control Settings.

Security Roles

The product uses the role-based security model that allows you to assign access permissions to users based on their roles rather than on their individual identities. A role is a category of users who share the same security privileges. There are two security roles in ALE:

Security Role: Administrator
Description: Provides complete and unrestricted access to all features and permission to configure the product settings.
Predefined Members: Local Administrators on the computer where ALE is installed.

Security Role: Help Desk Operator
Description: Allows the role members to unlock accounts and reset passwords using Admin Console or Help Desk Portal.
Predefined Members: The NetWrix Account Help Desk group in the domain where ALE is installed.

For efficient use of the role-based model, consider the following:

- By default the NetWrix Account Help Desk group includes Local Administrators on the computer where ALE is installed and the Domain Admins group.
- Members of the Help Desk Operator role can unlock accounts and reset passwords using Admin Console or Help Desk Portal, but they cannot modify the ALE settings.

For details on how to modify the list of roles members, see Assigning Security Roles.

How It Works

The following flow diagram illustrates the product workflow.

Administrator installs the ALE components (ALE Service, Admin Console, and Help Desk Portal) and then configures the product using Admin Console (1, 2).

The product can monitor domain controllers only from a specific site. If you have multiple sites, install and configure a separate instance of ALE for each site.

Upon user request (3), a Help desk representative or administrator sends a request to unlock an account to ALE Service using Help Desk Portal (5) or Admin Console (2), respectively. ALE Service (2, 5) performs the requested operations on the managed domain (6).

Help Desk Portal and Steps 2, 4, and 5 are available only in ALE Enterprise Edition.

Deploying Product

The process of deploying the product includes the following steps:

- Considering system requirements
- Planning
- Installing
- Configuring

System Requirements

This section summarizes system requirements that your environment must meet to install and properly configure Account Lockout Examiner.

Management Server

You can install ALE Service and Admin Console on any network computer (referred to as management server) that meets the following minimum requirements:

- Windows 2000 or later (Windows 2003 SP2 is recommended)
- 256 MB of RAM
- 30 MB of free disk space

It is not recommended to install ALE Service on standalone computers. When possible, install it on domain computers instead.

Help Desk Portal

You can install Help Desk Portal on any network computer that meets the following minimum requirements:

- Windows XP or later
- Internet Information Services 5.0 or later

At least one active IIS website must run. By default, the IIS configuration includes Default Web Site. If you have deleted or disabled the IIS websites, it is necessary to get at least one of them up and running.

For the product to work properly, you must configure IIS using the following procedures, which depend on the Windows version your computer runs. You must be logged on as an administrator, be a member of the Administrators group or have a local administrator role in order to complete the following procedures.

On Windows XP:

1. Open Add or Remove Programs in Control Panel.
2. Click Add/Remove Windows Components.
3. Select Internet Information Services (IIS) and click Details.
4. Ensure that the Common Files and Internet Information Services Snap-In check boxes are selected, and then click OK to let Windows install the required components.

On Windows 2003 Server:

1. Open Add or Remove Programs in Control Panel.
2. Click Add/Remove Windows Components.
3. Select Application Server and click Details.
4. If you use 32-bit edition of Windows, ensure that the ASP.NET and ASP check boxes are selected.
5. Ensure that the Common Files and Internet Information Services Snap-In check boxes are selected, and then click OK to let Windows install the required components.

On Windows Vista / Windows 7:

1. Open Turn Windows Features on or off in Control Panel.
2. Select the Internet Information Services check box, and then expand the Internet Information Services node.
3. Expand the Web Management Tools node, and ensure that the following check boxes are selected:
   - IIS6 Management Compatibility and all its child boxes
   - IIS Management Console
   - IIS Management Service
4. Under Internet Information Services, expand the World Wide Web Services node, expand the Application Development Feature node, and then select the ASP check box.
5. Expand the Security node, and select the Windows authentication check box.
6. Click OK to let Windows install the required components.

On Windows 2008 Server / 2008 Server R2:

1. Start Server Manager.
2. In the console tree, select Roles, and then in the details pane, click Add Roles.
3. On the Select Server Roles page of the Add Roles wizard that starts, select the Web Server (IIS) check box and click Next.
4. Ensure that the ASP.NET, ASP, Windows Authentication, IIS6 Management Compatibility and all its child check boxes are selected.
5. Click Next, and then click Install.

Client Computers

You can access Help Desk Portal from any network computer that meets the following minimum system requirements:

- Silverlight-compatible operating system and browser, such as Internet Explorer 6.0 or later
- Microsoft Silverlight 3.0 or later

Planning

The following checklist helps you get ready for smooth and trouble-free deployment of ALE.

Item: Management Server
Description and Notes: It is not recommended to install the management server on standalone computers or domain controllers.

Item: Service account
Description and Notes: When installing NetWrix Framework Service, you must specify a user account (service account in this paper) to access domain controllers in managed domains. For the product to work properly, this account must be a member of the Enterprise Admins group or have the following rights:
- Unlock account right: for more information, see Microsoft KB article 294952.
- Manage auditing and security log right: refer to MSDN at http://msdn.microsoft.com/en-us/library/ms813959.aspx
- Read access to Security Event Log at domain controllers (for Windows Server 2003 or later): see Microsoft KB article 323076.

Item: Mail Server
Description and Notes: The Email Notification and Remote Control features require SMTP, POP3 or Microsoft Exchange servers. Ensure that you have all information you need to configure access to these servers.

Installing Product

The product deployment includes installing NetWrix Framework Service, Admin Console and Help Desk Portal. Admin Console is automatically installed when installing NetWrix Framework Service.

Installing Service

To install Service and Admin Console, perform these steps:

1. Run the installation package ale_setup.msi. The NetWrix Lockout Examiner Setup wizard starts.
2. On the Welcome page, click Next, and follow on-screen instructions to proceed with wizard.
3. On the Service Account page, specify a User account to be used to access domain controllers in managed domains, click Next, and then click Install. This account must be in the Enterprise Admins group or have appropriate rights (see Planning earlier in this paper).
4. On the Completion page, click Finish.

Installing Help Desk Portal

Help Desk Portal is supported only in ALE Enterprise Edition. To install this component, perform the following steps:

1. Run the installation package ale_web_setup.msi. The NetWrix Lockout Examiner Help Desk Portal Setup wizard starts.
2. On the Welcome page, click Next, and follow on-screen instructions to proceed with wizard.
3. On the Help Desk Portal Parameters page, do the following and click Next:
   - In Web Site and Virtual Directory Name, specify the Web site and virtual directory on local IIS where you want to install Help Desk Portal.
   - In Account Lockout Examiner server, specify DNS name of the computer running Service with which this instance of Help Desk Portal will work.
4. On the Setup Finished page, click Close.

Default Installation Folders, Virtual Directory, and Startup Shortcuts

The product and related components are installed in the following folders:

- On the management server: %ProgramFiles%\NetWrix\Account Lockout Examiner. Commonly, the default value of %ProgramFiles% is set to C:\Program Files on 32-bit systems, and to C:\Program Files (x86) on 64-bit systems.
- Help Desk Portal is installed in the ALE virtual directory (Default Web site) in Internet Information Services running on the local computer. The related files are installed into the %ProgramFiles%\NetWrix\Account Lockout Examiner\Web folder.

The product installation adds the following shortcuts to the Start menu on the management server, which let you run Admin Console and Help Desk Portal:

- For Admin Console: Start > All Programs > NetWrix > Account Lockout Examiner > Account Lockout Examiner
- For Help Desk Portal: Start > All Programs > NetWrix Freeware > Account Lockout Examiner > Help Desk Portal

Configuring Product

This section describes the ALE default settings and explains how to change them if they do not comply with your requirements.

Setting: Managed Domains
Default Value: The domain where ALE is installed.
How to Configure: Configuring List of Managed Domains and Domain Controllers

Setting: Monitored Domain Controllers
Default Value: PDC emulator
How to Configure: Configuring List of Managed Domains and Domain Controllers

Setting: Email Notification
Default Value: Disabled
How to Configure: Configuring Email Notification

Setting: Remote Control
Default Value: Disabled
How to Configure: Configuring Remote Control Settings

Setting: ALE Administrators
Default Value: Local Administrators on the computer where ALE is installed.
How to Configure: Assigning Security Roles

Setting: Help Desk Operators
Default Value: The NetWrix Account Help Desk group. By default, this group includes Local Administrators and Domain Admins group in the domain where ALE is installed.
How to Configure: Assigning Security Roles

You can view or modify the product settings using the Settings dialog box provided in Admin Console. To open this dialog box:

1. Start Admin Console (see startup shortcuts in Default Installation Folders, Virtual Directory, and Startup Shortcuts).
2. On the File menu, click Settings.

Configuring List of Managed Domains and Domain Controllers

To modify this list, use the Add and Remove buttons on the Account Lockouts tab in the Settings dialog.

By default, in all managed domains, the product monitors only the PDC emulator. To specify other domain controllers (DCs) to monitor, select the domain of interest, click Edit, and complete the Domain or Domain Controller dialog box.

This dialog defines the following elements:

- Domain: Monitors specific domain using one of these options:
  - All domain controllers: All domain controllers in domain.
  - Only PDC emulator: Only PDC emulator (default option).
  Use the All domain controllers option sparingly, because this could result in poor performance if network connection to DCs is slow.
- Domain Controller: Monitors specific domain controller.
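The two monitoring scopes above, "Only PDC emulator" and "All domain controllers", can be checked by hand with the following PowerShell, an added example that is not NetWrix code and does not show how ALE itself is implemented. It assumes domain controllers running Windows Server 2008 or later (where a lockout is logged as Security event 4740), the ActiveDirectory PowerShell module, and an account with read access to the Security log; the function name Get-LockoutEvent and the names in the commented unlock line are hypothetical.

```powershell
# Added example, not part of the NetWrix product.
# Assumptions: DCs run Windows Server 2008 or later (lockout = Security event 4740)
# and the ActiveDirectory module (RSAT) is installed on this computer.
Import-Module ActiveDirectory

function Get-LockoutEvent {
    [CmdletBinding()]
    param(
        # Default scope mirrors the guide's "Only PDC emulator" option.
        [string[]]$DomainController = @((Get-ADDomain).PDCEmulator),
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent reports an empty result as an error. Anything else
            # (access denied, DC unreachable) is shown per DC and the scan goes on.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${dc}: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($e in $events) {
            # Read the named fields from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc
                Account          = $data['TargetUserName']
                # In event 4740 the caller computer name is stored in TargetDomainName.
                CallerComputer   = $data['TargetDomainName']
            }
        }
    }
}

# "Only PDC emulator" scope.
$lockouts = Get-LockoutEvent -Hours 24

# "All domain controllers" scope: slower over weak links, as the guide notes.
# $allDcs   = (Get-ADDomainController -Filter *).HostName
# $lockouts = Get-LockoutEvent -DomainController $allDcs -Hours 24

# Which account is being locked out, and from which computer, most often.
$lockouts |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# After fixing the cause, unlock on the DC that recorded the lockout and let
# Active Directory replicate the change (hypothetical account and DC names):
# Unlock-ADAccount -Identity 'jsmith' -Server 'dc01.example.com'
```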

Configuring Email Notification

The product can inform Help Desk operators about account lockouts. You can configure this option on the Notifications tab in the Settings dialog.

To configure Email notification:

1. Select Enable notifications.
2. Using Add and Remove, compose list of email recipients you want to receive this notification.
3. Under SMTP Settings, specify information required to connect to SMTP server in your organization.
4. Optionally, to include the Help Desk Portal URL in email message, select the check box under Web Console Settings, and specify that URL in Web console URL.
5. To apply your changes, click OK.

Configuring Remote Control Settings

The Remote Control option allows Help Desk operators to unlock accounts by sending a special email message containing a passcode obtained from IT administrator to specific address. For more information, see Remote Control earlier in this paper. You can configure this option on the Remote Control tab in the Settings dialog box.

To configure Remote Control, perform the following steps:

1. Select the Enable remote control check box.
2. In Passcode and Confirm passcode, type and retype the passcode to send to Help Desk operators.
3. From the Mailbox type list, select the type of mailbox (POP3 or Microsoft Exchange Server) that will receive messages from Help Desk.
4. Under Mail Server Settings, specify information required to connect to specified mail server.
5. To apply your changes, click OK.

Assigning Security Roles

You can change the ALE security roles members on the Security tab in the Settings dialog.

To change a specific role, perform the following steps:

1. Click Modify next to the role to change.
2. In the Modify Role dialog, modify the role members list using the Add and Remove buttons.
3. To apply your changes, click OK.

Using Product

This chapter is intended for administrators and Help Desk operators using ALE. It describes how to efficiently troubleshoot the account lockout problems using Admin Console and Help Desk Portal.

Using Admin Console

This section describes the Admin Console main window and explains how to use it to monitor the state of accounts, examine possible reasons of account lockouts and resolve these issues.

Overview

You can start Admin Console on the management server using its startup shortcut (see Default Installation Folders, Virtual Directory, and Startup Shortcuts).

Using the Admin Console main window, you can:

- Unlock accounts and reset passwords.
- Under All accounts, view list of locked accounts and accounts that have been recently unlocked. Under Monitored Domain Controllers, view list of managed domain controllers and their audit and connection statuses. These lists are automatically refreshed every minute. Optionally, you can manually modify the accounts list using Add/Find and Remove.
- Examine information on possible reasons of account lockouts.

Examining Account Lockout Reasons

Before unlocking an account, it is recommended to examine possible reasons that might cause the account to lock.

To view information about account lockout, perform the following steps:

1. From the All accounts list, select the account of interest.
2. On the Action menu, click one of the following commands:
   - Examine: Displays information on all sessions with operations on this account.
   - Examine on: Displays the same information on all sessions on specific computer.

Information about work sessions for each account is displayed in a dedicated tab. This tab provides the following elements:

- Sessions: Lists registered work sessions. Detailed information on the currently selected session is displayed in the lower pane.
- Examine: Refreshes the Sessions list.
- Unlock: Unlocks this account.
- Reset Password: Resets the account password.
- Close: Closes this tab.

Unlocking Accounts and Resetting Passwords

Once you have determined the account lockout reason and fixed the problem, you can unlock account and optionally reset its password.

To unlock account: In the product main window, select account, and on the Action menu, click Unlock.

To reset password: In the product main window, select account, and on the Action menu, click Reset Password.

You can also perform these operations by clicking the Unlock or Reset Password buttons beneath the main window.

Using Help Desk Portal

This section describes the Help Desk Portal main window and explains how to use it to monitor the state of accounts, examine possible reasons of account lockouts and resolve these issues.

Accessing Help Desk Portal

You can access the portal from any network computer that meets the appropriate system requirements (see Client Computers). To open Help Desk Portal, perform these steps:

1. In Web browser, open the page at http://%help Desk Portal%, for example, http://ale.mycompany.com/ale (for more information, see Default Installation Folders, Virtual Directory, and Startup Shortcuts).
2. When prompted, specify a user account used to access the portal. This account must be a member of the product security roles.

Overview

Using the Help Desk Portal main window, you can:

- Unlock accounts and reset passwords.
- View list of currently locked accounts and accounts that have been already unlocked.
- Examine information on possible reasons of account lockouts.

The accounts list is refreshed every minute. Optionally, you can manually modify this list using Add/Find and Remove, or filter it using elements in the Filter area.

Examining Account Lockout Reasons

Before unlocking an account, it is recommended to examine possible reasons that might cause the account to lock.

To view information about account lockout: In the Accounts area, click Examine next to account of interest. Information about the most recent work session for selected account is displayed in the same window. To view information on all work sessions, in the newly opened window, click All Operations.

Unlocking Accounts and Resetting Passwords

Once you have determined the account lockout reason and fixed the problem, you can unlock account and optionally reset its password.

To unlock account or reset its password: In the portal main window, click Unlock or Reset Password, respectively (next to the account of interest).