ForestSafe has a function called Grant Access. It creates a temporary account with the same password across a range of machines for a fixed period, starting now or at a scheduled time in the future, and then removes it.
Imagine a large organisation with many offices spread over a large geographical area. Support staff maintain the computers in these offices on a Sunday, during which time the network is unavailable. They log into each machine locally with the built-in Administrator account, whose password is identical on every machine and is known to them and to everyone else.
After ForestSafe is deployed, all these local accounts will be secured. But the Service Level Agreement (SLA) states that the work must be complete by 18:00 on Sunday, and now the staff have to wrestle with hundreds of different hardened passwords. ForestSafe Grant Access solves this problem.
Help Desk can, for example, create a temporary Administrator account across the whole branch, starting at midnight on Saturday and ending at 18:00 on Sunday, with the same password on every machine. Grant Access works across platforms: UNIX and Windows systems can be allocated the same account name and password. The access can be granted immediately or begin in the future.
Support staff continue to meet their Sunday SLA, using an account with the same password just as before.
Active Directory Group Policy considerations
Companies may have a Group Policy in place that maintains a restricted list of local Administrators on their computers. Such a policy will remove the temporary administrator from the local Administrators group after ForestSafe has created it. Group Policy must therefore be modified to allow the Grant Access account to exist. This can be achieved by creating an additional Active Directory group, e.g. GG_FS_NOCHECK, and setting Group Policy to exclude members of this group from the allowed Administrators check. Then, in the Global Settings, the group membership of the Grant Access account can be set to Administrator,GG_FS_NOCHECK, and it will not be altered by Active Directory Group Policy.
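The Grant Access lifecycle described above (account present only inside the granted window) and the Group Policy interaction just discussed are both things an administrator will want to verify on the endpoints themselves. The following PowerShell check is an added example, not ForestSafe's own code: run on a target machine, it reports whether the temporary account's state matches the window, and flags the two failure modes a practitioner cares about, the account being stripped from local Administrators by a Restricted Groups policy during the window, and the account surviving after the window has closed. The account name FS_TempAdmin, the window dates and the exclusion group name are assumptions for illustration.

```powershell
# Added example (not ForestSafe's code). Verifies a Grant Access temporary
# account on the local machine against its granted window.
param(
    [string]$AccountName    = 'FS_TempAdmin',        # assumed temporary account name
    [datetime]$WindowStart  = '2024-01-06 00:00',    # constructed example: Saturday midnight
    [datetime]$WindowEnd    = '2024-01-07 18:00',    # constructed example: Sunday 18:00
    [string]$ExclusionGroup = 'GG_FS_NOCHECK'        # AD group excluded from the Administrators check
)

$now      = Get-Date
$inWindow = ($now -ge $WindowStart) -and ($now -lt $WindowEnd)

# Does the temporary local account exist right now?
$user   = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
$exists = $null -ne $user

# Is it still a member of local Administrators? A Restricted Groups policy
# silently removes unlisted members at the next policy refresh.
$isAdmin = $false
if ($exists) {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($members | Where-Object { $_.Name -like "*\$AccountName" })
}

$findings = @()
if ($inWindow -and -not $exists) {
    $findings += "Inside window but '$AccountName' is missing: creation failed or cleanup ran early."
}
if ($inWindow -and $exists -and -not $isAdmin) {
    $findings += "'$AccountName' exists but is not in Administrators: check the Restricted Groups " +
                 "policy and that the account's group membership includes $ExclusionGroup."
}
if (-not $inWindow -and $exists) {
    $findings += "Outside window but '$AccountName' still exists: Grant Access cleanup did not run."
}

# One object per machine, convenient to collect when run via Invoke-Command.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    CheckedAt     = $now
    InWindow      = $inWindow
    AccountExists = $exists
    IsLocalAdmin  = $isAdmin
    Status        = if ($findings.Count -eq 0) { 'OK' } else { 'ATTENTION' }
    Findings      = $findings -join ' '
}
```

To run it across a branch from a management host, pass the script with `Invoke-Command -ComputerName $machines -FilePath .\Check-GrantAccess.ps1` and filter the returned objects on `Status -eq 'ATTENTION'`. Running it once shortly after the window opens and once after it closes covers both failure modes; a machine that reports ATTENTION in the first run is the one whose Group Policy exclusion needs reviewing.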
Password self service
The password allocated to this temporary user can be shown on the Grant Access page at configuration time, or it can be hidden and made available through the Password Vault.
In the example scenario, Password Self Service was set up for the support users. Help Desk can therefore configure on a Wednesday the access needed the following Sunday, without any knowledge of the password. A support user can log in and be presented with the Password Vault page, with the account name set to the Grant Access account. Now only the support users know the password, but the account will not exist until the Sunday when they can use it, nor afterwards.