通过PSM启动MMC管理单元是很普遍的要求。 CyberArk没有清晰详细的指南来显示如何进行配置。我做了一些研究,发现以下对我有用的步骤。
在PSM服务器上下载并安装AutoIT3
这一步很简单。
在这种情况下,您可能会遇到从PSM服务器启动应用程序的问题,取消注释中的以下行 C:\ Program Files(x86)\ CyberArk \ PSM \ Hardening \PSMConfigureAppLocker.xml并随后执行PSMConfigureAppLocker.ps1,这已成功完成。
<应用程序名称=“ AutoIt3”类型=“ Exe”路径=“ C:\ Program Files(x86)\ AutoIt3 \ AutoIt3.exe”方法=“发布者” />
<应用程序名称=“ MMC”类型=“ Exe”路径=“ C:\ 视窗 \ System32 \ mmc.exe”方法=“哈希” /><应用程序名称=“记事本”类型=“ Exe”路径=“ C:\ 视窗 \ System32 \ notepad.exe”方法=“哈希” />
<应用程序名称=“ MMC”类型=“ Exe”路径=“ C:\ 视窗 \ System32 \ mmc.exe”方法=“哈希” /><应用程序名称=“记事本”类型=“ Exe”路径=“ C:\ 视窗 \ System32 \ notepad.exe”方法=“哈希” />
创建自己的AutoIt3脚本
克隆的C:\ Program Files(x86)\ CyberArk \ PSM \ Components \ PSMAutoItDispatcherSkeleton.au3,然后将副本重命名为PSMAutoItDispatcherMMC.au3
在PSMAutoItDispatcherMMC.au3中更改/添加以下内容:
全局常量$ DISPATCHER_NAME =“ Microsoft ADUC”;改变我自己
全局常量$ CLIENT_EXECUTABLE =‘mmc“ c:\ windows \ system32 \ services.msc” -a / computer =”&$ TargetPSMRemoteMachine
全局$ ConnectionClientPID = RunAs($ TargetUsername,$ TargetLogonDomain,$ TargetPassword,2,$ CLIENT_EXECUTABLE)
添加以下内容:
Func FetchSessionProperties();改变我自己
如果(PSMGenericClient_GetSessionProperty(“ LogonDomain”,$ TargetLogonDomain)<>$ PSM_ERROR_SUCCESS)然后 ;添加了CWA
错误(PSMGenericClient_PSMGetLastErrorString())
万一
如果(PSMGenericClient_GetSessionProperty(“ PSMRemoteMachine”,$ TargetPSMRemoteMachine)<>$ PSM_ERROR_SUCCESS)然后 ;添加了CWA
错误(PSMGenericClient_PSMGetLastErrorString())
万一
#AutoIt3Wrapper_UseX64=n
Opt("MustDeclareVars", 1)
AutoItSetOption("WinTitleMatchMode", 3) ; EXACT_MATCH!
AutoItSetOption("WinDetectHiddenText",1)
;============================================================
; PSM AutoIt Dispatcher Skeleton
; ------------------------------
;
; Use this skeleton to create your own
; connection components integrated with the PSM.
; Areas you may want to modify are marked
; with the string "CHANGE_ME".
;
; Created : April 2013
; Cyber-Ark 软件 Ltd.
;============================================================
#include "PSMGenericClientWrapper.au3"
;=======================================
; Consts & Globals
;=======================================
Global Const $DISPATCHER_NAME = "Microsoft Services" ; CHANGE_ME
;全局常量$ CLIENT_EXECUTABLE = 'mmc "C:\Windows\System32\services.msc"'
Global Const $ERROR_MESSAGE_TITLE = "PSM " & $DISPATCHER_NAME & " Dispatcher error message"
Global Const $LOG_MESSAGE_PREFIX = $DISPATCHER_NAME & " Dispatcher - "
Global $TargetUsername
Global $TargetPassword
Global $TargetAddress
Global $TargetLogonDomain
Global$ TargetPSMRemoteMachine
;全局常量$ CLIENT_EXECUTABLE = 'mmc "c:\windows\system32\services.msc" -a /computer=' &$ TargetPSMRemoteMachine
Global $ConnectionClientPID = 0
;=======================================
; Code
;=======================================
Exit Main()
;=======================================
; Main
;=======================================
Func Main()
; Init PSM Dispatcher utils wrapper
ToolTip ("Initializing...")
if (PSMGenericClient_Init() <>$ PSM_ERROR_SUCCESS)然后
错误(PSMGenericClient_PSMGetLastErrorString())
万一
LogWrite("successfully initialized Dispatcher Utils Wrapper")
; Get the dispatcher parameters
FetchSessionProperties()
全局常量$ CLIENT_EXECUTABLE = 'mmc "c:\windows\system32\services.msc" -a /computer=' &$ TargetPSMRemoteMachine
$ConnectionClientPID = RunAs($TargetUsername,$TargetLogonDomain,$TargetPassword,2,$CLIENT_EXECUTABLE,"",@SW_SHOWMAXIMIZED)
LogWrite("mapping local drives")
if (PSMGenericClient_MapTSDrives() <>$ PSM_ERROR_SUCCESS)然后
错误(PSMGenericClient_PSMGetLastErrorString())
万一
LogWrite("starting client application")
ToolTip ("Starting " & $DISPATCHER_NAME & "...")
; ------------------
; Handle login here! ; CHANGE_ME
; ------------------
; Execute RunAs command to run ssms under the PSM Shdaow User's profile, but pass the network credentials of
; the target (specified by the "2" logon type)
if ($ConnectionClientPID == 0) Then
Error(StringFormat("Failed to execute process [%s]", $CLIENT_EXECUTABLE, @error))
万一
; Send PID to PSM as early as possible so recording/monitoring can begin
LogWrite("sending PID to PSM")
if (PSMGenericClient_SendPID($ConnectionClientPID) <>$ PSM_ERROR_SUCCESS)然后
错误(PSMGenericClient_PSMGetLastErrorString())
万一
; Terminate PSM Dispatcher utils wrapper
LogWrite("Terminating Dispatcher Utils Wrapper")
PSMGenericClient_Term()
Return $PSM_ERROR_SUCCESS
EndFunc
;==================================
; Functions
;==================================
; #FUNCTION# ====================================================================================================================
; Name...........: Error
; Description ...: An exception handler - displays an error message and terminates the dispatcher
; Parameters ....: $ErrorMessage - Error message to display
; $Code - [Optional] Exit error code
; ===============================================================================================================================
Func Error($ErrorMessage, $Code = -1)
; If the dispatcher utils DLL was already initialized, write an error log message and terminate the wrapper
if (PSMGenericClient_IsInitialized()) Then
LogWrite($ErrorMessage, True)
PSMGenericClient_Term()
万一
Local $MessageFlags = BitOr(0, 16, 262144) ; 0=OK button, 16=Stop-sign icon, 262144=MsgBox has top-most attribute set
MsgBox($MessageFlags, $ERROR_MESSAGE_TITLE, $ErrorMessage)
; If the connection component was already invoked, terminate it
if ($ConnectionClientPID <> 0) Then
ProcessClose($ConnectionClientPID)
$ConnectionClientPID = 0
万一
Exit $Code
EndFunc
; #FUNCTION# ====================================================================================================================
; Name...........: LogWrite
; Description ...: Write a PSMWinSCPDispatcher log message to standard PSM log file
; Parameters ....: $sMessage - [IN] The message to write
; $LogLevel - [Optional] [IN] Defined if the message should be handled as an error message or as a trace messge
; Return values .: $PSM_ERROR_SUCCESS - Success, otherwise error - Use PSMGenericClient_PSMGetLastErrorString for details.
; ===============================================================================================================================
Func LogWrite($sMessage, $LogLevel = $LOG_LEVEL_TRACE)
Return PSMGenericClient_LogWrite($LOG_MESSAGE_PREFIX & $sMessage, $LogLevel)
EndFunc
; #FUNCTION# ====================================================================================================================
; Name...........: PSMGenericClient_GetSessionProperty
; Description ...: Fetches properties required for the session
; Parameters ....: None
; Return values .: None
; ===============================================================================================================================
Func FetchSessionProperties();改变我自己
if (PSMGenericClient_GetSessionProperty("Username", $TargetUsername) <>$ PSM_ERROR_SUCCESS)然后
错误(PSMGenericClient_PSMGetLastErrorString())
万一
if (PSMGenericClient_GetSessionProperty("Password", $TargetPassword) <>$ PSM_ERROR_SUCCESS)然后
错误(PSMGenericClient_PSMGetLastErrorString())
万一
if (PSMGenericClient_GetSessionProperty("Address", $TargetAddress) <>$ PSM_ERROR_SUCCESS)然后
错误(PSMGenericClient_PSMGetLastErrorString())
万一
if (PSMGenericClient_GetSessionProperty("LogonDomain", $TargetLogonDomain) <>$ PSM_ERROR_SUCCESS)然后 ;添加了CWA
错误(PSMGenericClient_PSMGetLastErrorString())
万一
if (PSMGenericClient_GetSessionProperty("PSMRemoteMachine",$ TargetPSMRemoteMachine) <>$ PSM_ERROR_SUCCESS)然后 ;添加了CWA
错误(PSMGenericClient_PSMGetLastErrorString())
万一
EndFunc
创建一个新的连接组件
从行政部门> Options >连接组件
创建新的PSM连接组件,方法是 克隆“ PSM-VNCClientSample”以创建自定义组件并设置以下选项:
ClientDispatcher: “ C:\ Program Files(x86)\ AutoIt3 \ AutoIt3.exe”“ {PSMComponentsFolder} \ PSMservices.au3”“ {PSMComponentsFolder}”
LockApplicationWindow> MainWindowClass: 设置为空以替换vncviewer
将此新的PSM连接组件分配给Platform
在平台中设置新的组件名称,以便它可以出现在下拉列表中。不要忘记通过从PSM-RDP复制/粘贴来添加新的替代用户参数。
创建一个帐户进行测试
您可能会遇到不同类型的消息,但是请检查配置和日志,应该没问题。
当我通过CyberArk运行它时,出现以下错误: 无法执行进程[mmc“ D:\ Applications \ services.msc”]
PSMSR605E
PSMSR606E
PSMSR606E
在PSM服务器上记录以下应用程序事件:
视窗登录过程未能生成用户应用程序。应用程序名称:sethc.exe。命令行参数:sethc.exe 11。
PSMSR864E [77e07d4c-d841-4e40-83a3-12cd16f971c9]等待PSMMessageAlert结束时发生故障。额外的详细信息:3.原因:PSMSR282E会话组件之一发生故障,因此该会话将关闭。
要获得更多帮助,请与系统管理员联系。
更多信息:进程[客户端调度程序]失败。会话[77e07d4c-d841-4e40-83a3-12cd16f971c9]。
PSMSR126E [77e07d4c-d841-4e40-83a3-12cd16f971c9]处理会话时发生故障。 PSMSR605E [77e07d4c-d841-4e40-83a3-12cd16f971c9]等待调度程序进行通信时发生错误(错误详细信息:[PSMSR606E [77e07d4c-d841-4e40-83a3-12cd16f971c9]等待特定组件结束时发生超时]) (代码:-1,-1)
PSMGenericCLientWrapper错误:无法获取调度程序参数
(错误:DLL函数GetsessionPropertyBufferLength失败(0))
