
Preparation

Before you begin, you must:

  • Know the name of each Windows server where Bravura Security Fabric performs operations.

  • Create an administrative account and a test account on each server.

  • Create at least one template account.

  • Prepare each Windows server to be able to run commands.

Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, psadmin) on the Windows server target system to perform operations. The target system administrator must belong to the local Administrators group and have sufficient privileges to reset an account password without being blocked by UAC.

When temporary group membership access (Bravura Security Fabric 8.2+) is configured, ensure that the target system administrator is a domain account. Alternatively, system credentials can be used.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.

Creating a template account on Windows servers / workstations

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts on Windows servers and workstations. This section describes how to create a Windows Server 2008 local template account (without Active Directory). See your Windows systems administrator or documentation for more information.

On the Windows server:

  1. Select Start > All programs > Administrative Tools > Computer Management.

  2. Select System Tools > Local Users and Groups.

  3. Right click on the Users folder and select New User.

  4. Type the template account’s User name, Password and Confirm password.

    Set additional parameters as you require.

  5. Click Create and then Close.

Note

It is recommended that you do not add template accounts to Bravura Security Fabric-managed groups. Managed group memberships should be handled by including them in roles.

Defining properties

By default, Bravura Security Fabric copies many properties (attributes) when creating a new user.

To define additional properties for the template account:

  1. Open the Users folder and locate the template user.

  2. Right click on the template account and select Properties.

  3. Select the Profile tab and configure a user profile path, logon script name, or home directory path.

  4. Configure other properties as you require.

  5. Click OK to close the Properties window.

  6. Close the Computer Management window.

Preparing Windows servers / workstations for run command operations via account set access request

The (agtnt) connector can execute remote PowerShell scripts via an account set access check-out on a Windows server or workstation. Additional preparation is required on both the Bravura Security Fabric and the Windows target system, as described in this section.

Bravura Security Fabric server

To prepare the Bravura Security Fabric server, execute the following PowerShell commands on the server:

Note

Ensure you launch Windows PowerShell as an Administrator.

  1. Ensure the Windows Remote Management service (WinRM) is running:

    start-service winrm

  2. Set the execution policy and permissions.

    Set-ExecutionPolicy RemoteSigned -Force
    Set-Item wsman:\localhost\Client\TrustedHosts -value *

Windows server / workstation target system

To prepare the Windows NT target:

  1. Ensure the network connection type is set to either Domain or Private.

  2. Execute the following PowerShell commands on the target.

    Note

    Ensure you launch Windows PowerShell as an Administrator.

    Ensure the Windows Remote Management service is running:

    start-service winrm

    Allow remote administration:

    Enable-PSRemoting -Force
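
The following read-only check, run from the Bravura Security Fabric server after both sets of steps above, reports whether WinRM, the execution policy and TrustedHosts are in the state those steps produce and whether each target answers a WinRM identify request. It is an added example, not part of the Bravura documentation; the function name and host names are constructed placeholders.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the
# Bravura Security Fabric server. Host names are constructed placeholders.
$targets = @('winsrv01.example.test', 'winsrv02.example.test')

function Get-RunCommandReadiness {
    param([string[]]$ComputerName)

    # TrustedHosts is a comma-separated list; '*' matches every host.
    $raw = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $patterns = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    $rows = @(
        @{ Check = 'WinRM service running'; Target = $env:COMPUTERNAME
           Result = (Get-Service -Name WinRM).Status -eq 'Running' }
        @{ Check = 'LocalMachine policy is RemoteSigned'; Target = $env:COMPUTERNAME
           Result = (Get-ExecutionPolicy -Scope LocalMachine) -eq 'RemoteSigned' }
        @{ Check = "TrustedHosts is '*' (any host)"; Target = $env:COMPUTERNAME
           Result = $patterns -contains '*' }
    )

    foreach ($name in $ComputerName) {
        # Is the target covered by any TrustedHosts entry (wildcards allowed)?
        $covered = [bool]($patterns | Where-Object { $name -like $_ })
        $rows += @{ Check = 'Covered by TrustedHosts'; Target = $name; Result = $covered }

        # Test-WSMan sends an identify request; it fails if WinRM is not
        # listening on the target (Enable-PSRemoting not yet run, firewall, etc.).
        try   { $null = Test-WSMan -ComputerName $name -ErrorAction Stop; $up = $true }
        catch { $up = $false }
        $rows += @{ Check = 'WinRM listener reachable'; Target = $name; Result = $up }
    }
    $rows | ForEach-Object { [pscustomobject]$_ } | Select-Object Check, Target, Result
}

Get-RunCommandReadiness -ComputerName $targets | Format-Table -AutoSize

# Narrower alternative to '*', assuming the connector addresses targets by
# exactly these names (an assumption, not stated in the product documentation):
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($targets -join ',') -Force
```

With TrustedHosts set to `*`, the WinRM client will connect to any host without requiring that host's identity to be authenticated, so the wildcard row is worth reviewing against your own policy.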

     

Troubleshooting