The TechIDManager Windows agent, named TechIDAgent, can do several things. It can be set up as a PAM agent and make unique accounts for each tech. It can be set up as a LAPS agent and take over a single account to share among a group of techs. It can be set up to do both, and to run multiple of each at the same time, for a single MSP or for multiple MSPs.
The way the TechIDAgent does this is with different configuration sections called instances. Each instance is a separate setup for the TechIDAgent. They can each be totally independent.
Your friend when setting up instances in the TechIDAgent is:
TechIDAgent.exe show
This will list all the configured instances and their setups. The output will look something like the following. Don’t worry, the explanation is below. Also don’t worry if your output has more informational stuff in it; this is a condensed output.
Current options:
Options for default TechIDAgent
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(FriendlyName, testing)
(RmmName, This is the default RMMName)
(RunAfterMiss, 1)
(UserName, {first}.{last}.{company})
End Instance options
Options for TechIDAgent Instance: PAMCast
(DoNotRun, 1)
(OU, MIT.Admins)
(UserName, {user}.PAMCast.{company})
End Instance options
Options for SharedUser: Administrator
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(ExistanceConfirmed, Yes)
(LocalAccounts, 1)
(RmmName, local admin account)
(RunAfterMiss, 1)
(UserName, Administrator)
End SharedUser options
Options for SharedUser: ASRunner
(AutoLogon, 1)
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(ExistanceConfirmed, Yes)
(LocalAccounts, 1)
(RmmName, service account)
(RunAfterMiss, 1)
(ServiceName, ruffianloggingservice)
(UserName, ASRunner)
End SharedUser options
Each of these sections is a separate thing that the TechIDAgent is doing. There are four instances in this example: “default”, PAMCast, Administrator, and ASRunner. The default instance is always a PAM instance making accounts for each tech. This default instance has the FriendlyName of “testing” and makes users with names like {first}.{last}.{company}. There is another PAM instance named “PAMCast”. It is not set to run, because of the “DoNotRun” option; if it were, it would be making different unique users for techs (possibly a completely different set of techs with different rights) with usernames like {user}.PAMCast.{company}. After that we see a LAPS (shareduser) instance for the “Administrator” account on this machine. It has the RmmName of “local admin account”. The last section is for a service account named “ASRunner” that is also an autologon account.
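To review what the agent controls on a machine, the "show" output can be split into its instances and summarised. The following is an added example, not TechIDManager code: the function names are hypothetical, the line shapes it matches are assumed from the condensed sample on this page, and an option is treated as set when its value is 1.

```python
import re

# Constructed sample trimmed from this page's condensed `show` output;
# the line shapes matched below are assumed from it, not from vendor docs.
SAMPLE = """Current options:
Options for default TechIDAgent
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(UserName, {first}.{last}.{company})
End Instance options
Options for TechIDAgent Instance: PAMCast
(DoNotRun, 1)
End Instance options
Options for SharedUser: ASRunner
(AutoLogon, 1)
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(ServiceName, ruffianloggingservice)
End SharedUser options
"""

HEADER = re.compile(r"^Options for (?:default TechIDAgent|"
                    r"TechIDAgent Instance: (?P<pam>.+)|SharedUser: (?P<shared>.+))$")
OPTION = re.compile(r"^\((?P<key>[^,]+),\s*(?P<value>.*)\)$")

def parse_show(text):
    """Split `show` output into instances: name, kind (PAM or LAPS), options."""
    instances, current = [], None
    for line in map(str.strip, text.splitlines()):
        header, option = HEADER.match(line), OPTION.match(line)
        if header:
            shared = header.group("shared")
            current = {"name": shared or header.group("pam") or "default",
                       "kind": "LAPS" if shared else "PAM", "options": {}}
            instances.append(current)
        elif line.startswith("End "):
            current = None
        elif current is not None and option:  # other informational lines are skipped
            current["options"][option.group("key").strip()] = option.group("value")
    return instances

def audit(instances):
    """Summarise which instances run and which accounts deserve a closer look."""
    rows = [(i["name"], i["options"]) for i in instances]
    return {
        "running": [n for n, o in rows if o.get("DoNotRun") != "1"],
        "autologon": [n for n, o in rows if o.get("AutoLogon") == "1"],
        "service_accounts": {n: o["ServiceName"] for n, o in rows if "ServiceName" in o},
        "client_guids": sorted({o["ClientGuid"] for n, o in rows if "ClientGuid" in o}),
    }

if __name__ == "__main__":
    print(audit(parse_show(SAMPLE)))
```

More than one entry under client_guids means more than one TechIDPortal is managing accounts on the machine, which is expected only in the multiple-MSP setup described further down.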
Each instance is configured from the command line by specifying the instance that the command line applies to. For example, the following line would configure the LAPS (shareduser) instance named “Administrator” to “RunAfterMiss”. All the command lines are detailed in the TechIDAgent command line help (so we won’t detail them here).
TechIDAgent.exe shareduser Administrator RunAfterMiss
Any command line without an “instance” or “shareduser” specified applies to the “default” instance.
This should all be clear as mud now, right?
If not, here are a few examples to help clear it up.
Converting a PAM instance to a LAPS instance that controls a local account named “Administrator” requires stopping the default instance from running, and configuring a shareduser instance for “Administrator” by setting your ClientGuid and telling the TechIDAgent that the Administrator account is a local account. Note how the command line for “DoNotRun” does not specify an instance and thus applies to the default instance.
TechIDAgent.exe donotrun
TechIDAgent.exe shareduser Administrator clientguid XXXYYYZZZ
TechIDAgent.exe shareduser Administrator local
Note: This will not remove the agent information about the default instance from the TechIDPortal. The agent will stop checking in, and will be hidden from the TechIDPortal in about 30 days. This will also NOT remove or disable the accounts associated with the agent, because we at TechIDManager choose not to be mean and remove, or break, access when our agent is removed, or turned off.
To add a second PAM instance that runs in addition to the default instance and does different stuff, like a second MSP working with a different clientguid on the same DC, add a PAM instance to the TechIDAgent with the second MSP’s clientguid.
TechIDAgent.exe instance NewMSP clientguid AAABBBCCC
TechIDAgent.exe instance NewMSP username "{user}.{company}"
TechIDAgent.exe instance NewMSP FriendlyName "John's Dentistry"
This will cause a new agent called {machinename}\NewMSP to show up in the TechIDPortal that has the AAABBBCCC clientguid. This TechIDPortal can then do whatever group and triplet setup is desired to grant rights and create accounts.
As always, we are here to help. If you have any questions or want help setting any of this up, then https://techidmanager.com/support has all the ways to contact us and a link to set up a support meeting.