Item Tasks --> Show Managed Password, Show Current Password
Item Tasks - Local Security --> Show Managed User Passwords
And the following item permissions:
Report for LSS Access - Read, Run Reports
Resource Management/Resources/Defaults --> Read Resource Data, Read Resource Association, View Password, Write Resource Data
When logged in as a member of the limited access security role, right-clicking a computer resource and selecting "Show Managed Password" does not display the managed password, as it would for an NS Console administrative user. Instead, the following error is displayed, and the associated text below appears in the Notification Server a.log:
Unable to discover your essential user data for logging purposes.
Process: w3wp.exe (4136)
Thread ID: 7788
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx. Aborting User Password disclosure Src=MSoft.LocalSecurity
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress)
at MSoft.LocalSecurity.LocalUserPassword.GetCurrentManagedPasswordLogged(Guid UserGuid, String strRemoteAddress)
at MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword(Guid UserGuid)
Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('xxxxx\xxxxx') does not have the specified permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS StackTrace= at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries)
at Altiris.Resource.ResourceDataTable.Load(Guid ResourceGuid)
at Altiris.Resource.ResourceDataClass.GetResourceTable(Guid resourceGuid)
at Altiris.Resource.ResourceDataTableCollection.get_Item(Guid dataTableGuid)
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress) )
The error "Unable to discover your essential user data for logging purposes." applies to the following situations:
1. The user attempting an operation does not currently exist in the NS as a user resource (via the User.Domain resource key)
2. The user does not have rights to create a user resource and ....
3. The user does not have read/write access on the GlobalWindowsUser dataclass
Item 3 was the problem.
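The inner AeXSecurityException in the log above is what identifies the missing permission. As an added example (not part of the original article or of any Altiris tooling), this Python script extracts the caller, permission and item from failed password-disclosure entries in a.log text. The entry layout (one "Description:" field per entry) and the sample account name are assumptions.

```python
import re

# Wording taken from the inner AeXSecurityException message in the log above.
DENIED = re.compile(
    r"The caller \('(?P<caller>[^']*)'\) does not have the specified "
    r"permission \('(?P<permission>[^']*)'\) on the item \('(?P<item>[^']*)'\)"
)
MARKER = "Unable to log password disclosure"

def disclosure_permission_gaps(log_text):
    """Return unique (caller, permission, item) tuples from failed disclosures."""
    gaps = []
    # Assumption: each entry carries one "Description:" field, as in the article.
    for entry in log_text.split("Description:")[1:]:
        flat = re.sub(r"\s+", " ", entry)  # undo line wrapping inside the entry
        if MARKER not in flat:
            continue  # security exception unrelated to password disclosure
        for m in DENIED.finditer(flat):
            gap = (m["caller"], m["permission"], m["item"])
            if gap not in gaps:
                gaps.append(gap)
    return gaps

# Constructed sample input: one disclosure failure (with a wrapped line) and
# one unrelated entry. The account name and second entry are made up.
SAMPLE_LOG = r"""
Process: w3wp.exe (4136)
Thread ID: 7788
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID x-x-x. Aborting User Password disclosure Src=MSoft.LocalSecurity
Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('EXAMPLE\helpdesk1') does not have the specified
permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS )
Process: w3wp.exe (4136)
Thread ID: 7790
Description: Constructed unrelated entry. Msg=The caller ('EXAMPLE\helpdesk1') does not have the specified permission ('Read') on the item ('Some Report').
"""

if __name__ == "__main__":
    for caller, permission, item in disclosure_permission_gaps(SAMPLE_LOG):
        print(f"{caller} lacks '{permission}' on '{item}'")
```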
Typically with LSS, when provisioning, domain users and groups get created dynamically as they are encountered in group memberships on local computers.
1. Read/write access on the GlobalWindowsUser dataclass
2. Have rights for the Item Action (Show Managed Password)
3. Read/Write Resource Data to: User Account Password Disclosure
4. Read Resource Data access to: User Account Password, User Account Password Change, User Account Password Change Request (based on what is required)
Notification Server 6.0.6074 R3
Local Security Solution 6.1