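Launching an MMC snap-in through PSM is a very common requirement. CyberArk does not have a clear, detailed guide showing how to configure it. I did some research and found the following steps, which worked for me.

Download and install AutoIT3 on the PSM server

This step is straightforward.

In this case you may run into problems launching the application from the PSM server. Uncomment the following lines in C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml and then run PSMConfigureAppLocker.ps1; this completed successfully.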

<Application Name="AutoIt3" Type="Exe" Path="C:\Program Files (x86)\AutoIt3\AutoIt3.exe" Method="Publisher" />
<Application Name="MMC" Type="Exe" Path="C:\Windows\System32\mmc.exe" Method="Hash" />
<Application Name="Notepad" Type="Exe" Path="C:\Windows\System32\notepad.exe" Method="Hash" />

Create your own AutoIt3 script

Clone C:\Program Files (x86)\CyberArk\PSM\Components\PSMAutoItDispatcherSkeleton.au3, then rename the copy to PSMAutoItDispatcherMMC.au3

Change/add the following in PSMAutoItDispatcherMMC.au3:

Global Const $DISPATCHER_NAME = "Microsoft ADUC" ; CHANGE_ME
Global Const $CLIENT_EXECUTABLE = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
Global $ConnectionClientPID = RunAs($TargetUsername, $TargetLogonDomain, $TargetPassword, 2, $CLIENT_EXECUTABLE)

Add the following:

Func FetchSessionProperties() ; CHANGE_ME

If (PSMGenericClient_GetSessionProperty("LogonDomain", $TargetLogonDomain) <> $PSM_ERROR_SUCCESS) Then ; Added CWA
Error(PSMGenericClient_PSMGetLastErrorString())
EndIf

If (PSMGenericClient_GetSessionProperty("PSMRemoteMachine", $TargetPSMRemoteMachine) <> $PSM_ERROR_SUCCESS) Then ; Added CWA
Error(PSMGenericClient_PSMGetLastErrorString())
EndIf

#AutoIt3Wrapper_UseX64=n
Opt("MustDeclareVars", 1)
AutoItSetOption("WinTitleMatchMode", 3) ; EXACT_MATCH!
AutoItSetOption("WinDetectHiddenText",1)

;============================================================
;             PSM AutoIt Dispatcher Skeleton
;             ------------------------------
;
; Use this skeleton to create your own
; connection components integrated with the PSM.
; Areas you may want to modify are marked
; with the string "CHANGE_ME".
;
; Created : April 2013
; Cyber-Ark Software Ltd.
;============================================================
#include "PSMGenericClientWrapper.au3"

;=======================================
; Consts & Globals
;=======================================
Global Const $DISPATCHER_NAME         = "Microsoft Services" ; CHANGE_ME
;Global Const $CLIENT_EXECUTABLE                                 = 'mmc "C:\Windows\System32\services.msc"'
Global Const $ERROR_MESSAGE_TITLE          = "PSM " & $DISPATCHER_NAME & " Dispatcher error message"
Global Const $LOG_MESSAGE_PREFIX         = $DISPATCHER_NAME & " Dispatcher - "

Global $TargetUsername
Global $TargetPassword
Global $TargetAddress
Global $TargetLogonDomain
Global $TargetPSMRemoteMachine
;Global Const $CLIENT_EXECUTABLE         = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
Global $ConnectionClientPID = 0

;=======================================
; Code
;=======================================
Exit Main()

;=======================================
; Main
;=======================================
Func Main()

 ; Init PSM Dispatcher utils wrapper
 ToolTip ("Initializing...")
 if (PSMGenericClient_Init() <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 LogWrite("successfully initialized Dispatcher Utils Wrapper")

 ; Get the dispatcher parameters
 FetchSessionProperties()
 ; Build the command line only after PSMRemoteMachine has been fetched
 Global Const $CLIENT_EXECUTABLE         = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
 $ConnectionClientPID = RunAs($TargetUsername,$TargetLogonDomain,$TargetPassword,2,$CLIENT_EXECUTABLE,"",@SW_SHOWMAXIMIZED)
 LogWrite("mapping local drives")
 if (PSMGenericClient_MapTSDrives() <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 LogWrite("starting client application")
 ToolTip ("Starting " & $DISPATCHER_NAME & "...")

 ; ------------------
 ; Handle login here! ; CHANGE_ME
 ; ------------------

 ; Execute RunAs command to run mmc under the PSM Shadow User's profile, but pass the network credentials of
    ; the target (specified by the "2" logon type)

 if ($ConnectionClientPID == 0) Then
  Error(StringFormat("Failed to execute process [%s]", $CLIENT_EXECUTABLE, @error))
 EndIf

 ; Send PID to PSM as early as possible so recording/monitoring can begin
  LogWrite("sending PID to PSM")
  if (PSMGenericClient_SendPID($ConnectionClientPID) <> $PSM_ERROR_SUCCESS) Then
   Error(PSMGenericClient_PSMGetLastErrorString())
  EndIf

 ; Terminate PSM Dispatcher utils wrapper
 LogWrite("Terminating Dispatcher Utils Wrapper")
 PSMGenericClient_Term()

 Return $PSM_ERROR_SUCCESS
EndFunc

;==================================
; Functions
;==================================
; #FUNCTION# ====================================================================================================================
; Name...........: Error
; Description ...: An exception handler - displays an error message and terminates the dispatcher
; Parameters ....: $ErrorMessage - Error message to display
;        $Code    - [Optional] Exit error code
; ===============================================================================================================================
Func Error($ErrorMessage, $Code = -1)

 ; If the dispatcher utils DLL was already initialized, write an error log message and terminate the wrapper
 if (PSMGenericClient_IsInitialized()) Then
  LogWrite($ErrorMessage, True)
  PSMGenericClient_Term()
 EndIf

 Local $MessageFlags = BitOr(0, 16, 262144) ; 0=OK button, 16=Stop-sign icon, 262144=MsgBox has top-most attribute set

 MsgBox($MessageFlags, $ERROR_MESSAGE_TITLE, $ErrorMessage)

 ; If the connection component was already invoked, terminate it
 if ($ConnectionClientPID <> 0) Then
  ProcessClose($ConnectionClientPID)
  $ConnectionClientPID = 0
 EndIf

 Exit $Code
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: LogWrite
; Description ...: Write a PSMWinSCPDispatcher log message to standard PSM log file
; Parameters ....: $sMessage - [IN] The message to write
;                  $LogLevel - [Optional] [IN] Defined if the message should be handled as an error message or as a trace message
; Return values .: $PSM_ERROR_SUCCESS - Success, otherwise error - Use PSMGenericClient_PSMGetLastErrorString for details.
; ===============================================================================================================================
Func LogWrite($sMessage, $LogLevel = $LOG_LEVEL_TRACE)
 Return PSMGenericClient_LogWrite($LOG_MESSAGE_PREFIX & $sMessage, $LogLevel)
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: PSMGenericClient_GetSessionProperty
; Description ...: Fetches properties required for the session
; Parameters ....: None
; Return values .: None
; ===============================================================================================================================
Func FetchSessionProperties() ; CHANGE_ME
 if (PSMGenericClient_GetSessionProperty("Username", $TargetUsername) <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("Password", $TargetPassword) <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("Address", $TargetAddress) <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("LogonDomain", $TargetLogonDomain) <> $PSM_ERROR_SUCCESS) Then  ; Added CWA
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("PSMRemoteMachine", $TargetPSMRemoteMachine) <> $PSM_ERROR_SUCCESS) Then  ; Added CWA
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

EndFunc
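
The script above appends the PSMRemoteMachine session property to the mmc command line unchanged, and that value is typically entered by the connecting user. The following is an added example, not part of the original post or of CyberArk's skeleton, showing one way to validate the value before building the command line; IsValidRemoteMachine and BuildServicesCommand are hypothetical helper names and the sample inputs are constructed.

```autoit
Opt("MustDeclareVars", 1)

; Hypothetical helper: accept only a hostname, FQDN or IPv4-style value.
; Letters, digits, dots and hyphens only; must start and end with a letter or digit.
Func IsValidRemoteMachine($sMachine)
    If StringLen($sMachine) = 0 Or StringLen($sMachine) > 253 Then Return False
    Return StringRegExp($sMachine, '^[A-Za-z0-9]([A-Za-z0-9.\-]*[A-Za-z0-9])?$') = 1
EndFunc

; Hypothetical helper: build the mmc command line only from a validated value.
; Returns "" and sets @error to 1 when the value is rejected.
Func BuildServicesCommand($sMachine)
    $sMachine = StringStripWS($sMachine, 3) ; 3 = strip leading and trailing whitespace
    If Not IsValidRemoteMachine($sMachine) Then Return SetError(1, 0, "")
    Return 'mmc "c:\windows\system32\services.msc" -a /computer=' & $sMachine
EndFunc

; Constructed sample inputs: two well-formed names, two that must be rejected
; because they contain characters that would change the command line.
Local $aSamples[4] = ["srv01.corp.example", "10.0.0.15", "srv01 /extra", 'srv01"']
Local $sCmd
For $i = 0 To UBound($aSamples) - 1
    $sCmd = BuildServicesCommand($aSamples[$i])
    If @error Then
        ConsoleWrite("REJECTED: [" & $aSamples[$i] & "]" & @CRLF)
    Else
        ConsoleWrite("OK:       " & $sCmd & @CRLF)
    EndIf
Next
```

In the dispatcher, the check would run right after FetchSessionProperties() and call Error() on rejection, so that RunAs is never reached with an unvalidated value.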


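Create a new connection component

From Administration > Options > Connection Components
create a new PSM connection component by cloning "PSM-VNCClientSample" to make a custom component, and set the following options:

ClientDispatcher: "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "{PSMComponentsFolder}\PSMservices.au3" "{PSMComponentsFolder}"

LockApplicationWindow > MainWindowClass: set to empty, replacing vncviewer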


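Assign this new PSM connection component to the Platform

Set the new component name in the platform so that it appears in the drop-down list. Don't forget to add the new override user parameters by copying and pasting them from PSM-RDP.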




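Create an account to test

You may run into different kinds of messages, but check the configuration and the logs and it should be fine.
When I ran it through CyberArk, I got the following error: Failed to execute process [mmc "D:\Applications\services.msc"]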
PSMSR605E
PSMSR606E
The following application events are logged on the PSM server:
视窗登录过程未能生成用户应用程序。应用程序名称:sethc.exe。命令行参数:sethc.exe 11。
PSMSR864E [77e07d4c-d841-4e40-83a3-12cd16f971c9]等待PSMMessageAlert结束时发生故障。额外的详细信息:3.原因:PSMSR282E会话组件之一发生故障,因此该会话将关闭。
要获得更多帮助,请与系统管理员联系。
更多信息:进程[客户端调度程序]失败。会话[77e07d4c-d841-4e40-83a3-12cd16f971c9]。
PSMSR126E [77e07d4c-d841-4e40-83a3-12cd16f971c9]处理会话时发生故障。 PSMSR605E [77e07d4c-d841-4e40-83a3-12cd16f971c9]等待调度程序进行通信时发生错误(错误详细信息:[PSMSR606E [77e07d4c-d841-4e40-83a3-12cd16f971c9]等待特定组件结束时发生超时]) (代码:-1,-1)
PSMGenericCLientWrapper错误:无法获取调度程序参数
(错误:DLL函数GetsessionPropertyBufferLength失败(0))

By John