pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Set-PASUser is not setting the password #419

Closed DougGalan closed 2 years ago

DougGalan commented 2 years ago

Describe the issue

When trying to use the Set-PASUser command to set a new password for an AppProvider user, it doesn't work.

To Reproduce

Steps to reproduce the behavior:

  1. $password = ConvertTo-SecureString -String "@PHmw*ArPEc" -AsPlainText -Force
  2. Set-PASUser -id 95 -username Prov_Test -NewPassword $password -userType AppProvider -Location \Application

The above lines are the ones that I'm running, obviously after authenticating, and then when I go to the server and reset the cred file by running the CreateCredFile.exe utility, the agent fails due to an authentication error.

Expected behavior

I would expect the user to get in sync like when resetting the password manually through PrivateArk Client.


pspete commented 2 years ago

Hi @DougGalan

Is this something that also occurs outside the module? You can confirm with the following example code:

$ws = Get-PASSession
$url = "$($ws.BaseURI)/api/Users/95"
$body = [PSCustomObject]@{
    "NewPassword"="@PHmw*ArPEc"
    "username"="Prov_Test"
    "Location"="\Application"
    "userType"="AppProvider"
} | ConvertTo-Json

Invoke-RestMethod -Method PUT -Body $body -Uri $url -WebSession $($ws.WebSession) -ContentType "application/json"

Is the location specified correct? (i.e. you have the provider user in the \Application location and not the default \Applications location?). Believe that when setting a new password like this, the user will also be set to "Must change password at next logon"; the ChangePassOnNextLogon parameter can be specified to control this:

Set-PASUser -id 95 -username Prov_Test -NewPassword $password -userType AppProvider -Location \Applications -ChangePassOnNextLogon $false

The simplest option may just be to opt to use the Set-PASUserPassword command:

Set-PASUserPassword -id 95 -NewPassword $password

Let us know how you get on.
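
An added example, not part of the original comments or of psPAS: the raw REST check and the Set-PASUserPassword call from the comment above, with the password read at a prompt so it is not typed into the command line or a script file. `Invoke-RawUserUpdate` is a hypothetical helper name, and the block assumes an authenticated psPAS session already exists.

```powershell
# Added example, not psPAS code. Assumes New-PASSession has already been run.
# Invoke-RawUserUpdate is a hypothetical helper; id, username, location and
# user type below are the values quoted in this issue.
function Invoke-RawUserUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$UserType = 'AppProvider'
    )
    $ws  = Get-PASSession
    $url = "$($ws.BaseURI)/api/Users/$Id"
    # Unwrap the SecureString only for as long as the JSON body is needed.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    try {
        $body = [ordered]@{
            NewPassword = $plain
            username    = $UserName
            Location    = $Location
            userType    = $UserType
        } | ConvertTo-Json
        Invoke-RestMethod -Method PUT -Body $body -Uri $url `
            -WebSession $ws.WebSession -ContentType 'application/json'
    }
    finally {
        # .NET strings cannot be zeroed; this only releases the references.
        Remove-Variable -Name plain, body -ErrorAction SilentlyContinue
    }
}

# Prompt once; the same SecureString feeds either path (run one or the other).
$password = Read-Host -Prompt 'New password for Prov_Test' -AsSecureString

# Path 1: raw PUT, bypassing the module, to see whether the API itself fails.
Invoke-RawUserUpdate -Id 95 -UserName Prov_Test -Location '\Application' -NewPassword $password

# Path 2: the dedicated cmdlet suggested above.
Set-PASUserPassword -id 95 -NewPassword $password
```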

DougGalan commented 2 years ago

Hi,

Thank you so much for your prompt reply. The Set-PASUserPassword -id 95 -NewPassword $password worked.

I really appreciate your help.

Thank you, Douglas Galan
