Allowing Limited Security Console Users to View Local Security Solution Passwords
If you've been hearing "I have some limited-access users who need to be able to use the passwords that Local Security Solution maintains, but they keep getting errors like 'Unable to discover your essential user data for logging purposes'. What changes do we need to make to give them access?", then this tip's for you, Bob.
While extending access to Local Security Solution to a limited security role in Altiris, the following errors were encountered.
The role was given the following privileges:
- Item Tasks --> Show Managed Password, Show Current Password
- Item Tasks - Local Security --> Show Managed User Passwords
And the following item permissions:
- Report for LSS Access --> Read, Run Reports
- Resource Management/Resources/Defaults --> Read Resource Data, Read Resource Association, View Password, Write Resource Data
When logged in as a member of the limited-access security role and right-clicking a computer resource to select "Show Managed Password", the managed password is not shown as it would be for an administrative user. Instead the following error is displayed, and the corresponding entry appears in the Notification Server a.log:
Unable to discover your essential user data for logging purposes.
a.log entry:
Process: w3wp.exe (4136)
Thread ID: 7788
Module: AltirisNativeHelper.dll
Source: MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID xxxxx....... Aborting User Password disclosure Src=MSoft.LocalSecurity
StackTrace=
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress)
at MSoft.LocalSecurity.LocalUserPassword.GetCurrentManagedPasswordLogged(Guid UserGuid, String strRemoteAddress)
at MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword(Guid UserGuid)
Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('xxxxxx\xxxxxxx') does not have the specified permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS StackTrace= at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries)
at Altiris.NS.Security.ItemPermission.Demand()
at Altiris.Resource.ResourceDataTable.DeferredLoad()
at Altiris.Resource.ResourceDataTable.Load(Guid ResourceGuid)
at Altiris.Resource.ResourceDataClass.GetResourceTable(Guid resourceGuid)
at Altiris.Resource.ResourceDataTableCollection.get_Item(Guid dataTableGuid)
at MSoft.Resource.Resources.UserHelper.GetCurrentUserFromSecurityContext()
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress) )
The stack trace shows why the request fails: before LSS discloses a password it writes an audit record of the disclosure (LogDisclosure), and to do that it must resolve the calling user from the security context, which requires Data Class Read on the Global Windows Users data class. Because the role lacked that permission, the audit record could not be written and the disclosure was aborted rather than performed unlogged. To fix it, add the appropriate permissions and rights to the role as listed below:
1. Read/Write access on the Global Windows Users data class
2. Rights for the Item Action (Show Managed Password)
3. Read/Write Resource Data on: User Account Password Disclosure
4. Read Resource Data on: User Account Password, User Account Password Change, User Account Password Change Request (based on what is required)
That will get you running!
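As an added example (not part of the original tip or of the Altiris product), here is a small Python helper that pulls the caller, permission and item out of AeXSecurityException "does not have the specified permission" messages in an a.log excerpt, so you can see at a glance which grant from the list above a role is still missing, and how often a given account is being denied. The log text, account name and SID below are constructed placeholders modelled on the entry quoted above, and the KNOWN_FIXES table contains only the grants this tip lists.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample a.log excerpt, modelled on the entry quoted in this tip.
# The account name and SID are placeholders, not values from any real server.
SAMPLE_LOG = """\
Process: w3wp.exe (4136)
Thread ID: 7788
Module: AltirisNativeHelper.dll
Source: MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID S-1-5-21-0-0-0-PLACEHOLDER. Aborting User Password disclosure Src=MSoft.LocalSecurity
StackTrace=
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress)
Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('CORP\\jdoe') does not have the specified permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS StackTrace= at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries)
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress) )
Process: w3wp.exe (4136)
Thread ID: 7790
Module: AltirisNativeHelper.dll
Source: MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('CORP\\jdoe') does not have the specified permission ('Write Resource Data') on the item ('User Account Password Disclosure'). Src=Altiris.NS )
"""

ENTRY_START = "Process: "
SOURCE_RE = re.compile(r"^Source:\s*(?P<source>\S+)", re.MULTILINE)
# Matches the permission-denied message format shown in the tip's stack trace.
DENIAL_RE = re.compile(
    r"The caller \('(?P<caller>[^']+)'\) does not have the specified "
    r"permission \('(?P<permission>[^']+)'\) on the item \('(?P<item>[^']+)'\)"
)

# Grants this tip prescribes, keyed by the (permission, item) pair named in the denial.
KNOWN_FIXES = {
    ("Data Class Read", "Global Windows Users"):
        "Grant the role Read on the Global Windows Users data class (step 1 of the fix).",
    ("Write Resource Data", "User Account Password Disclosure"):
        "Grant the role Read/Write Resource Data on User Account Password Disclosure (step 3).",
}


def split_entries(log_text: str) -> List[str]:
    """Split an a.log excerpt into entries; each entry begins with a 'Process:' line."""
    entries, current = [], []
    for line in log_text.splitlines():
        if line.startswith(ENTRY_START) and current:
            entries.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        entries.append("\n".join(current))
    return entries


def parse_permission_denials(log_text: str) -> List[Dict[str, str]]:
    """Return one record per permission-denied message, tagged with the entry's Source."""
    records = []
    for entry in split_entries(log_text):
        src = SOURCE_RE.search(entry)
        source = src.group("source") if src else ""
        for m in DENIAL_RE.finditer(entry):
            records.append({
                "source": source,
                "caller": m.group("caller"),
                "permission": m.group("permission"),
                "item": m.group("item"),
            })
    return records


def suggest_grant(record: Dict[str, str]) -> str:
    """Map a denial to the grant this tip lists, or to a generic review prompt."""
    key = (record["permission"], record["item"])
    return KNOWN_FIXES.get(
        key, f"Review the role's '{record['permission']}' permission on '{record['item']}'."
    )


def denials_by_caller(records: List[Dict[str, str]]) -> Counter:
    """Count denials per account; a spike for one account is worth a closer look."""
    return Counter(r["caller"] for r in records)


if __name__ == "__main__":
    found = parse_permission_denials(SAMPLE_LOG)
    for rec in found:
        print(f"{rec['caller']} via {rec['source']}: {suggest_grant(rec)}")
    print(dict(denials_by_caller(found)))
```

Feed it the relevant portion of a.log rather than the whole file; the Source line tells you which operation tripped the check, and the caller count separates a single misconfigured role from one account that keeps hitting denials.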