Day-to-day retrieval of passwords and Remote Terminal are End User functions, performed through the ForestSafe Web application, which is documented in the ForestSafe End User Guide.
All retrievals, however, must first be configured through the ForestSafe Express Control Panel.
In this tutorial, George Busan is the only member of a pre-existing Active Directory group. We will promote his group to become a ForestSafe Logon. We will also give him elevated Remote Terminal access to a subset of Windows Domain computers using a ForestSafe Access Container (FAC), because we will be removing his Domain Administrator group access, which he no longer needs.
We will also give him Remote Access, as the root account, to all UNIX Servers.
Let us get started:
1. Run the ForestSafe Control Panel
2. On the Security tab or General tab, click the [User Administration] button
3. Locate George Busan in the Windows Support group and select his row.
4. Click [Promote] so members of this group (just him) can access the system.
5. The Control Panel list will refresh, showing that ForestSafe Users logon is allowed and that ForestSafe functions may now be configured.
Click [Privileged Accounts]
6. Give him elevated Remote Control Windows domain access. Check [Remote Terminal] and [Elevated Session]
7. Give him remote access to UNIX Servers using the root* account. Drop down the Platforms list and select [UNIX].
*If you are evaluating the product, we suggest you do not scramble all your root accounts immediately. Use an existing user as shown here.
8. Let us rename his group to General Support, as he is also now supporting UNIX!
Click Rename and rename the group to General Support.
9. Now let us restrict his access to UNIX Servers and a few Windows Domain computers
10. Click Access Control Container, then click Add Host Container and give George access only to domain computers that are members of his General Support group, then click OK.
11. Click Add Host Container again. This time enter General Support, select HOSTNAME and enter a pattern match for host names beginning with debian*, then click Save.
12. Return to the End User Tab
13. Next we will populate the General Support group with the Domain Computers. Click the OU field to help locate them, select multiple computers and click the Join button.
Here is the result: George and his Domain machines.
14. Finally, let us wire the new FAC into the General Group.
Click Privileged Accounts, drop down the FAC list and select General Support. Click Save.
So far you have renamed an existing group, promoted it to be a ForestSafe User, and given that group privileged account access.
Next we will do a sanity check that we have configured General Support correctly.
15. Remember that we are installing as the domain administrator user. To test the new General Support group, join this user to it temporarily, as shown here.
16. Then, to test it, click the Control Panel, select the General tab and click the http://forestsafeexpress link.
17. The ForestSafe Web application will load. In the selection box at the middle of the top of the Web page, select General Support.
18. Then click RA Terminal
19. Confirm that the access control list of computers is correct. You will see Domain\Administrator as the Account name for Windows. When George logs in, he will see Domain\george.busan. This is because Privileged Access is configured.
20. Remember to unjoin administrator from the General Support group once your sanity check is complete.
21. And finally you can send George an email.
Dear George Busan,
You're all ready to begin general support using our new system! To access the system, click this link: http://forestsafeexpress
Kind Regards, The Systems manager