To install the Password Capture Agent PowerShell module
- Copy the OneIM-PasswordCaptureAgentMgmt folder, including content, to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ - the system's global Password Capture Agent PowerShell module path.
- OR -
- Copy the OneIM-PasswordCaptureAgentMgmt folder to any path on your host, and add this path to the environment variable PSModulePath.
Before installing Password Capture Agent on a domain controller:
- Ensure that the web service is installed and configured.
- Ensure that the certificate to decrypt passwords with is installed with a private key in the LocalMachine\My\ certificate store on the server hosting the web service.
- Ensure that the certificate to encrypt passwords with is installed with a private key in the LocalMachine\My\ certificate store on all domain controllers.
You should have prepared:
- The thumbprint of the certificate for password encryption, for example:
    1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188
- The URL to the web service, for example:
    https://<servername.domain.com>/Appserver/
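The certificate prerequisites above can be checked remotely before any installer runs. This is an added example, not code from the One Identity module: Test-PCACertificate is a hypothetical helper, the host list is a sample, and it assumes PowerShell remoting to the targets is already working.

```powershell
# Added example. Test-PCACertificate is a hypothetical helper, not part of the
# OneIM-PasswordCaptureAgentMgmt module. Requires PowerShell remoting to each target.
$Thumbprint        = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'  # example thumbprint from this page
$DomainControllers = @('DC01.DEMOCORP.COM')                       # sample list; replace with your DCs

function Test-PCACertificate {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{40}$')][string]$Thumbprint
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Thumbprint -ScriptBlock {
        param($Thumbprint)
        # String -eq is case-insensitive, so upper- or lower-case thumbprints both match.
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1
        $now = Get-Date
        [pscustomobject]@{
            Found         = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
            InValidity    = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        }
    }
}

$results = @(Test-PCACertificate -ComputerName $DomainControllers -Thumbprint $Thumbprint)
$results | Format-Table PSComputerName, Found, HasPrivateKey, NotAfter, InValidity -AutoSize

# Hosts that did not answer over remoting produce no result object; list them separately.
$silent = @($DomainControllers | Where-Object { $_ -notin $results.PSComputerName })
$failed = @($results | Where-Object { -not ($_.Found -and $_.HasPrivateKey -and $_.InValidity) })

if ($silent.Count -gt 0) { Write-Warning ("No response from: " + ($silent -join ', ')) }
if ($failed.Count -gt 0) {
    Write-Warning ("Certificate check failed on: " + ($failed.PSComputerName -join ', '))
}
```

The same function can be pointed at the server hosting the web service, with the thumbprint of the decryption certificate, to confirm the second prerequisite.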
Using the Password Capture Agent PowerShell module to install Password Capture Agent on a specific domain controller
- Sign on to the workstation where the Password Capture Agent PowerShell module is installed as a member of the Domain Admins group.
- Copy One Identity Manager Password Capture Agent.msi to a network share that can be accessed by you on all domain controllers, for example, \\StorageServer\SHARE\One Identity Manager Password Capture Agent.msi.
- Open an elevated PowerShell prompt.
- Run the following command:
    Import-Module OneIM-PasswordCaptureAgentMgmt
- Run the following commands to define your configuration profile:
    $ConfigProfile = New-PCAConfigProfile
    $ConfigProfile['WebClient.WebServiceURL'].ConfigValue = 'https://<server.domain.com>/AppServer/'
    $ConfigProfile['WebClient.WebServiceType'].ConfigValue = 'REST'
    $ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
    $ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'
- Run the following command:
    Install-PasswordCaptureAgent `
        -ComputerName "DC01.DEMOCORP.COM" `
        -Setup "\\StorageServer\SHARE\One Identity Manager Password Capture Agent.msi" `
        -ConfigurationProfile $ConfigProfile
By running this command, you install the Password Capture Agent on DC01.DEMOCORP.COM. The installation runs off a network location, and the WebServiceURL parameter and the CertificateThumbprint parameter are passed to the setup.
Because the -Restart switch is not specified, the domain controller does not automatically reboot after successful installation.
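Because the MSI is run on domain controllers from a network share, it is worth confirming that the file on the share is still the one you downloaded before passing it to -Setup. The following is an added example, not part of the One Identity module: Test-PCAInstaller is a hypothetical helper, the expected hash is a placeholder you record yourself at download time, and the signature check assumes the vendor MSI is Authenticode-signed.

```powershell
# Added example. Test-PCAInstaller is a hypothetical helper, not part of the
# OneIM-PasswordCaptureAgentMgmt module.
$Setup          = '\\StorageServer\SHARE\One Identity Manager Password Capture Agent.msi'  # path from this page
$ExpectedSha256 = '<SHA-256 recorded when the MSI was downloaded>'                         # placeholder

function Test-PCAInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        HashMatches     = ($hash -eq $ExpectedSha256)   # case-insensitive comparison
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$check = Test-PCAInstaller -Path $Setup -ExpectedSha256 $ExpectedSha256
$check | Format-List

# Assumption: the vendor MSI is Authenticode-signed. An unsigned or altered file
# reports a status other than 'Valid'; review the Signer value by eye as well.
if ($check.SignatureStatus -ne 'Valid') {
    Write-Warning "Authenticode status is '$($check.SignatureStatus)' for $Setup"
}
if (-not $check.HashMatches) {
    throw 'Installer hash does not match the recorded value; do not run Install-PasswordCaptureAgent with this file.'
}
```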
Using the Password Capture Agent PowerShell module to install Password Capture Agent on all domain controllers
- Sign on to the workstation where the Password Capture Agent PowerShell module is installed as a member of the Domain Admins group.
- Copy One Identity Manager Password Capture Agent.msi to a network share that can be accessed by you on all domain controllers, for example, \\StorageServer\SHARE\One Identity Manager Password Capture Agent.msi.
- Open an elevated PowerShell prompt.
- Run the following command:
    Import-Module OneIM-PasswordCaptureAgentMgmt
- Run the following commands to define your configuration profile:
    $ConfigProfile = New-PCAConfigProfile
    $ConfigProfile['WebClient.WebServiceURL'].ConfigValue = 'https://<server.domain.com>/AppServer/'
    $ConfigProfile['WebClient.WebServiceType'].ConfigValue = 'REST'
    $ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
    $ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'
- Run the following command:
    Get-DomainController | Install-PasswordCaptureAgent `
        -Setup "\\StorageServer\SHARE\One Identity Manager Password Capture Agent.msi" `
        -ConfigurationProfile $ConfigProfile `
        -Restart
By running this command, you receive a list of domain controllers and sequentially start the install on each one. The install runs off a network location, and the WebServiceURL parameter and the CertificateThumbprint parameter are passed to the setup.
Because the -Restart switch is specified, the domain controllers automatically reboot after successful installation.
The Password Capture Agent PowerShell module includes functions to create, show, get, set, import, and export a Password Capture Agent configuration profile.
NOTE: The Show-PCAConfigProfile function may also be used to get an overview of all parameters and read their descriptions or destinations.
Getting and setting the configuration profile is only possible if the Password Capture Agent is installed and running. It is not possible to access the secured configuration parameters without it.
Example: Create new profile and edit it
Import-Module OneIM-PasswordCaptureAgentMgmt
$ConfigProfile = New-PCAConfigProfile
$ConfigProfile['WebClient.WebServiceURL'].ConfigValue = 'https://<server.domain.com>/AppServer/'
$ConfigProfile['WebClient.AuthenticationType'].ConfigValue = 'WindowsIntegrated'
$ConfigProfile['Backend.AuthenticationModule'].ConfigValue = 'DialogUser'
$ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
$ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '0123456789ABCED0123456789ABCED0123456789'
Example: Read current profile and show it using GUI
Import-Module OneIM-PasswordCaptureAgentMgmt
$ConfigProfile = Get-PCAConfigProfile
Show-PCAConfigProfile -ConfigurationProfile $ConfigProfile
Example: Read current profile and export it to XML
Import-Module OneIM-PasswordCaptureAgentMgmt
$ConfigProfile = Get-PCAConfigProfile
Export-PCAConfigProfile -ConfigurationProfile $ConfigProfile -FilePath C:\tmp\CurrentPCAConfig.xml
Example: Import profile, edit, and set it
Import-Module OneIM-PasswordCaptureAgentMgmt
$ConfigProfile = Import-PCAConfigProfile -Filepath C:\tmp\CurrentPCAConfig.xml
$ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '0123456789ABCED0123456789ABCED0123456780'
Set-PCAConfigProfile -ConfigurationProfile $ConfigProfile
Example: Import profile and install Password Capture Agent
Import-Module OneIM-PasswordCaptureAgentMgmt
$ConfigProfile = Import-PCAConfigProfile -Filepath C:\CurrentPCAConfig.xml
Install-PasswordCaptureAgent `
    -LogFile "<Full UNC path to the log file on the remote server>" `
    -Setup "<UNC path for Password Capture Agent MSI>" `
    -ConfigurationProfile $ConfigProfile
Example: Change parts of the configuration
Import-Module OneIM-PasswordCaptureAgentMgmt
$ConfigProfile = Get-PCAConfigProfile
$ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
Set-PCAConfigProfile -ConfigurationProfile $ConfigProfile
Example: Change parts of the configuration on all domain controllers
Get-DomainController | Foreach-Object {
    $ConfigurationProfile = Get-PCAConfigProfile -ComputerName $_
    $ConfigurationProfile['Backend.CertificateThumbprint'].ConfigValue = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'
    Set-PCAConfigProfile -ComputerName $_ -ConfigurationProfile $ConfigurationProfile -RestartService
}
I am unable to import the Password Capture Agent PowerShell module.
PowerShell has an execution policy to restrict what may run. For more information about troubleshooting, see the Microsoft documentation (About Remote Troubleshooting).
I am unable to establish a connection to the domain controllers.
The connection to the domain controllers requires PowerShell remoting to be configured and enabled. The firewall may also block this connection by default. For more information about troubleshooting, see the Microsoft documentation (About Remote Troubleshooting).
I am experiencing problems installing the Password Capture Agent. Is there a way to get a log file?
Yes. Both Install-PasswordCaptureAgent and Uninstall-PasswordCaptureAgent have parameters that allow you to specify a log file and whether logging should be verbose. The log file is used by msiexec.exe.
Example:
Uninstall-PasswordCaptureAgent `
    -ComputerName "DC01.DEMOCORP.COM" `
    -LogFile \\StorageServer\SHARE\DC01.uninstall.log `
    -LogVerbose
Example:
Install-PasswordCaptureAgent `
    -ComputerName "DC01.DEMOCORP.COM" `
    -LogFile \\StorageServer\SHARE\DC01.install.log `
    -LogVerbose `
    -Setup "\\StorageServer\SHARE\One Identity Manager Password Capture Agent.msi"
Is it possible to automatically reboot the domain controllers after installing/uninstalling Password Capture Agent?
Yes. Both Install-PasswordCaptureAgent and Uninstall-PasswordCaptureAgent have a -Restart switch that does exactly this. It is $False by default.
Example:
Uninstall-PasswordCaptureAgent -ComputerName "DC01.DEMOCORP.COM" -Restart
Example:
Uninstall-PasswordCaptureAgent -ComputerName "DC01.DEMOCORP.COM" -Restart:$True