Version 4
Operational requirements
The WinLocal connector uses WinRM, so WinRM communication must be enabled between the connector server and every target computer (firewall rules included).
Additionally, both .NET Framework 3.5 and .NET Framework 4.5.1 must be installed.
Service account information:
The service account must be specified with its machine or domain prefix, for example 'MachineName\serviceAccount' for a local account. The connector performs all operations on behalf of the account you specify, so that account must have sufficient permissions on the target computer (local administrator rights are needed to create users and change group membership).
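The following added example (not part of the connector or its documentation) checks the requirements above from the connector server before a target is onboarded: the service-account format, WinRM reachability, and the two .NET Framework versions. The host name 'srvName' and the account name are placeholders; the page does not say on which machine .NET is required, so the script checks the local registry and can be wrapped in Invoke-Command to check the target instead.

```powershell
# Added example: preflight checks for a WinLocal connector target.
# Placeholders: $target and $serviceAcct.
$target      = 'srvName'
$serviceAcct = 'srvName\serviceAccount'   # local account: MACHINE\user; domain account: DOMAIN\user
$credential  = Get-Credential -UserName $serviceAcct -Message "Password for $serviceAcct"

# 1. Account format. A bare user name makes WinRM try Kerberos, which does not
#    accept local accounts, so insist on the prefixed form the connector expects.
if ($serviceAcct -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Service account '$serviceAcct' must be given as MACHINE\user or DOMAIN\user"
}

# 2. WinRM must answer on the target (TCP 5985 by default, 5986 with -UseSSL).
try {
    $ws = Test-WSMan -ComputerName $target -Credential $credential `
                     -Authentication Negotiate -ErrorAction Stop
    "WinRM reachable on $target (WSMan $($ws.ProductVersion))"
} catch {
    throw "WinRM not reachable on ${target}: $($_.Exception.Message)"
}

# 3. .NET Framework 3.5 and 4.5.1 on this machine, read from the keys .NET setup writes.
#    4.5.1 corresponds to a 'Release' value of 378675 or higher.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$v35 = Get-ItemProperty -Path "$ndp\v3.5"   -Name Install -ErrorAction SilentlyContinue
$v4  = Get-ItemProperty -Path "$ndp\v4\Full" -Name Release -ErrorAction SilentlyContinue
$has35  = ($v35.Install -eq 1)
$has451 = ($v4.Release -ge 378675)
if (-not ($has35 -and $has451)) {
    throw ".NET requirements not met: 3.5=$has35, 4.5.1+=$has451 (Release=$($v4.Release))"
}

"Preflight passed for $target"
```

Run it as the account the connector will use; if step 2 fails with the WinRM errors shown under Troubleshooting below, fix connectivity before configuring the connector.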
Provisioning identities
The WinLocal connector supports the following identities:
- Users (including group memberships)
- Groups
Provisioning users
Principal - Name
Parameter | Description | Required |
---|---|---|
Name | Name of the account. This is the principal property and uniquely identifies the user. The following characters are not permitted in Name: \ / [ ] " \| < > + = ; , ? * @ | Yes |
AccountPassword | Password for the account. Mandatory when creating a user. | Yes, if creating a new user |
Description | Account description | No |
FullName | Full name of the user object | No |
HomeDirDrive | Drive of the home directory of the user | No |
HomeDirectory | Home directory of the user | No |
Profile | Profile that is used for the user | No |
Group | Multivalued property. Names of local groups; the user is made a member of each of them. | No |
Enabled | True if the user is enabled, otherwise False (1 and 0 are also accepted). | No |
PwdCantBeChanged | True if the user must not be able to change the password, otherwise False (1 and 0 are also accepted). | No |
PwdNoExpiration | True if the password never expires, otherwise False (1 and 0 are also accepted). | No |
PwdExpired | True if the password should be marked as expired (the user must change it at next logon), otherwise False (1 and 0 are also accepted). | No |
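The following is an added example, not the connector's own code, showing how the parameters in the table map onto a local account when it is created over WinRM with the ADSI WinNT provider (the same provider the troubleshooting script below uses). The target name, the sample attribute values and the share paths are placeholders; the flag constants are the documented ADS_USER_FLAG_ENUM bits.

```powershell
# Added example: provision a local user with the attributes from the table above.
# Placeholders: $target, and every value in $account.
$target     = 'srvName'
$credential = Get-Credential        # service account, e.g. 'srvName\serviceAccount'

$account = @{
    Name             = 'jdoe'
    AccountPassword  = (Read-Host -Prompt 'Initial password' -AsSecureString)
    Description      = 'Created by OpenIAM'
    FullName         = 'John Doe'
    HomeDirDrive     = 'H:'
    HomeDirectory    = '\\fileserver\home\jdoe'
    Profile          = '\\fileserver\profiles\jdoe'
    Group            = @('Users', 'Remote Desktop Users')
    Enabled          = 'True'        # True/False or 1/0, as the connector accepts
    PwdCantBeChanged = 0
    PwdNoExpiration  = $false        # must be False when PwdExpired is True
    PwdExpired       = 1             # force a password change at first logon
}

# Reject names the WinNT provider will not accept before touching the target.
if ($account.Name -match '[\\/\[\]"|<>+=;,?*@]') {
    throw "Name '$($account.Name)' contains a character that is not permitted"
}

Invoke-Command -ComputerName $target -Credential $credential -ArgumentList $account -ScriptBlock {
    param([hashtable]$a)

    # Accept $true/$false, 'True'/'False' and 1/0 for the boolean attributes.
    function ConvertTo-Bool($v) {
        if ($v -is [bool]) { return $v }
        switch -Regex ([string]$v) { '^(1|true)$' { return $true } '^(0|false)$' { return $false } }
        throw "Expected True/False or 1/0, got '$v'"
    }

    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $user = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $a.Name }

    if (-not $user) {
        # Creating: the password is mandatory and the object must be committed
        # with SetInfo() before any other attribute can be set.
        $user  = $computer.Create('user', $a.Name)
        $plain = (New-Object System.Net.NetworkCredential('', $a.AccountPassword)).Password
        $user.SetPassword($plain)
        $user.SetInfo()
    }

    # Plain attributes map one-to-one onto WinNT properties of the same name.
    foreach ($prop in 'Description', 'FullName', 'HomeDirDrive', 'HomeDirectory', 'Profile') {
        if ($a.ContainsKey($prop)) { $user.Put($prop, $a[$prop]) }
    }

    # The three boolean attributes are bits in UserFlags (ADS_USER_FLAG_ENUM).
    # Enabled is the inverse of ADS_UF_ACCOUNTDISABLE.
    $bits = @{
        Enabled          = @{ Bit = 0x00002; Invert = $true  }   # ADS_UF_ACCOUNTDISABLE
        PwdCantBeChanged = @{ Bit = 0x00040; Invert = $false }   # ADS_UF_PASSWD_CANT_CHANGE
        PwdNoExpiration  = @{ Bit = 0x10000; Invert = $false }   # ADS_UF_DONT_EXPIRE_PASSWD
    }
    $flags = [int]$user.Get('UserFlags')
    foreach ($name in $bits.Keys) {
        if (-not $a.ContainsKey($name)) { continue }
        $on = ConvertTo-Bool $a[$name]
        if ($bits[$name].Invert) { $on = -not $on }
        $flags = if ($on) { $flags -bor $bits[$name].Bit } else { $flags -band (-bnot $bits[$name].Bit) }
    }
    $user.Put('UserFlags', $flags)

    # PwdExpired is a separate WinNT property, not a UserFlags bit.
    if ($a.ContainsKey('PwdExpired')) {
        $user.Put('PasswordExpired', [int](ConvertTo-Bool $a.PwdExpired))
    }
    $user.SetInfo()

    # Group: add the user to each named local group, skipping groups it is already in.
    foreach ($groupName in @($a.Group)) {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        if (-not $group.IsMember($user.Path)) { $group.Add($user.Path) }
    }

    [pscustomobject]@{ Name = $a.Name; Path = $user.Path; UserFlags = ('0x{0:X}' -f $flags) }
}
```

The password travels as a SecureString, which PowerShell remoting encrypts for transport, and is only converted to plain text inside the remote session where SetPassword() needs it. PwdNoExpiration and PwdExpired are left mutually exclusive in the sample because Windows rejects an account that both never expires and must change its password at next logon.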
Synchronization
To run synchronization, you need to specify a search query.
Users synchronization
Search query for users looks like:
Where-Object {$_.SchemaClassName -eq 'user'} | Select-Object *
The connector response contains the following parameters:
- ObjectSid
- Name
- AccountDisabled
Groups synchronization
Search query for groups looks like:
Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object *
The connector response contains the following parameters:
- ObjectSid
- Name
- LocalUsers
- DomainUsers
- DomainGroups
Group memberships are split across three attributes, LocalUsers, DomainUsers and DomainGroups, so that OpenIAM knows the exact type of each member.
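The added example below (not the connector's own code) runs the two search queries above over WinRM and builds the same response attributes, including the three-way split of group members. The host name and credentials are placeholders. It assumes what the WinNT provider guarantees: a local group cannot contain another local group, so any group-typed member is a domain group, and a member whose ADsPath authority is the local computer name is a local user.

```powershell
# Added example: reproduce the synchronization output for users and groups.
# Placeholders: $target and the credential.
$target     = 'srvName'
$credential = Get-Credential     # e.g. 'srvName\serviceAccount'

$result = Invoke-Command -ComputerName $target -Credential $credential -ScriptBlock {
    $ADS_UF_ACCOUNTDISABLE = 0x2
    $local = $env:COMPUTERNAME
    $adsi  = [ADSI]"WinNT://$local"

    # objectSid comes back as a byte array; render it as S-1-5-...
    function ConvertTo-SidString([byte[]]$bytes) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    # Users synchronization: ObjectSid, Name, AccountDisabled (derived from UserFlags).
    $users = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
        [pscustomobject]@{
            ObjectSid       = ConvertTo-SidString $_.objectSid.Value
            Name            = $_.Name.Value
            AccountDisabled = (([int]$_.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        }
    }

    # Groups synchronization: ObjectSid, Name, LocalUsers, DomainUsers, DomainGroups.
    $groups = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'group' } | ForEach-Object {
        $members = @{ LocalUsers = @(); DomainUsers = @(); DomainGroups = @() }
        foreach ($m in @($_.Invoke('Members'))) {
            # Members are raw COM objects, so read their properties by reflection.
            $t     = $m.GetType()
            $name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://<authority>/<name>; the authority is this computer or a domain.
            $authority = (($path -replace '^WinNT://', '') -split '/')[0]
            $key = if ($class -eq 'Group')       { 'DomainGroups' }   # local groups cannot nest
                   elseif ($authority -eq $local) { 'LocalUsers' }
                   else                           { 'DomainUsers' }
            $members[$key] += "$authority\$name"
        }
        [pscustomobject]@{
            ObjectSid    = ConvertTo-SidString $_.objectSid.Value
            Name         = $_.Name.Value
            LocalUsers   = $members.LocalUsers
            DomainUsers  = $members.DomainUsers
            DomainGroups = $members.DomainGroups
        }
    }

    [pscustomobject]@{ Users = $users; Groups = $groups }
}

$result.Users  | Format-Table -AutoSize
$result.Groups | Format-Table Name, LocalUsers, DomainUsers, DomainGroups -AutoSize
```

Members whose account no longer exists show up with an unresolved SID as both name and authority; they land in DomainUsers here, which is the sort of stale membership a synchronization run should surface rather than hide.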
Troubleshooting
If you have trouble pulling certain data from a remote server, it can help to do it manually over WinRM, in the same way the WinLocal connector does. The small script below pulls the local groups from a remote server:

```powershell
$computername = 'srvName'            # target computer
$credentials  = Get-Credential       # service account, e.g. 'srvName\serviceAccount'
$remoteResult = Invoke-Command -ComputerName $computername -Credential $credentials -ScriptBlock {
    # Runs on the target: bind to the local machine with the WinNT provider
    $computername = $env:COMPUTERNAME
    $adsi = [ADSI]"WinNT://$computername"
    # Same query the connector uses for groups synchronization
    $adsi.Children | Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object *
}
$remoteResult
```
You may encounter an error like:

```
[*.*.*.*] Connecting to remote server *.*.*.* failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (*.*.*.*:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken
```

This error occurs when WinRM cannot be used to connect to the remote server. The usual fix is to enable WinRM on the remote computer (and open its firewall exception) by running, in an elevated PowerShell session on that computer:

```powershell
Enable-PSRemoting -Force
```
You may also receive an error of the following type:

```
[*.*.*.*] Connecting to remote server *.*.*.* failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (*.*.*.*:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : 1312,PSSessionStateBroken
```

This error usually means the service account was specified in the wrong format: it must carry the computer name prefix. For a local account, specify it not as 'Administrator' but as 'somePC\Administrator'; a bare user name makes WinRM attempt Kerberos, which does not accept local user names.