TechIDManager windows agent, named DomainService, can do several things. It can be setup as a PAM agent and make unique accounts for each Tech. It can be setup as a LAPS agent and take over a single account to share among a group of techs. It can be setup to do both and multiple at the same time for a single or for multiple MSPs.
The way the DomainService does this is with different configuration sections called instances. Each instance is a separate setup for the DomainService. They can each be totally independent.
Your friend when setting up instances in the DomainService is:
DomainService.exe show
This will list all the configured instances and their setups. The output will look something like the following. Don’t worry, read below for the explanation, and don’t worry if your output has more informational stuff in it, this is a condensed output.
Current options:
Options for default DomainService
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(FriendlyName, testing)
(RmmName, This is the default RMMName)
(RunAfterMiss, 1)
(UserName, {first}.{last}.{company})
End Instance options
Options for DomainService Instance: PAMCast
(DoNotRun, 1)
(OU, MIT.Admins)
(UserName, {user}.PAMCast.{company})
End Instance options
Options for SharedUser: Administrator
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(ExistanceConfirmed, Yes)
(LocalAccounts, 1)
(RmmName, local admin account)
(RunAfterMiss, 1)
(UserName, Administrator)
End SharedUser options
Options for SharedUser: ASRunner
(AutoLogon, 1)
(ClientGuid, cd3dd621-8574-4247-a621-237b66fb904d)
(ExistanceConfirmed, Yes)
(LocalAccounts, 1)
(RmmName, service account)
(RunAfterMiss, 1)
(ServiceName, ruffianloggingservice)
(UserName, ASRunner)
End SharedUser options
Each of these sections is a separate thing that the DomainService is doing. There are 4 instances in this example; “default”, PAMCast, Administrator, and ASRunner. The default instance is always a PAM instance making accounts for each tech. This default instance has the friendlyname of “testing” and makes users with names like {first}.{last}.{company}. There is another PAM instance named “PAMCast” that if it were set to run, it is not because of the “DoNotRun”, would be making different unique users for techs (possibly a completely different set of techs with different rights) with usernames like {user}.PAMCast.{company}. After that we see a LAPS (shareduser) instance for the “Administrator” account on this machine. It has the RmmName of “local admin account”. The last section is for a service account, that is also an autologon account, named “ASRunner”.
Each instance is configured from the command line by specifying the instance that all the following command lines apply to. For example the following line would configure the LAPS (shareduser) instance named “Administator” should “RunAfterMiss”. All the command lines are detailed in the DomainService command line help (so we won’t detail them here).
DomainService.exe shareduser Administrator RunAfterMiss
Any command line without and “instance” or “shareuser” specified applies to the “default” instance.
This should all be clear as mud now, right?
If not, here are a few examples to help clear it up.
To convert a PAM instance to a LAPS instance that controls a local account named “Administrator”, will require stopping the default instance from running, and configuring a shareduser instance for the “Administrator” by setting your ClientGuid and telling the DomainService the Administrator account is a local account. Note how the commandline for “DoNotRun” does not specify an instance and thus applies to the default instance.
DomainService.exe donotrun
DomainService.exe shareduser Administrator clientguid XXXYYYZZZ
DomainService.exe shareduser Administrator local
Note: This will not remove the agent information about the default instance from the Management Console. The agent will stop checking in, and will be hidden from the Management Console in about 30 days. This will also NOT remove or disable the accounts associated with the agent, because we at TechIDManager choose not to be mean and remove, or break, access when our agent is removed, or turned off.
To add a second PAM instance to run in addition to the default instance to do different stuff, like a second MSP working with a different clientguid on the same DC. Add a PAM instance to the DomainService with the second MSP’s clientguid.
DomainService.exe instance NewMSP clientguid AAABBBCCC
DomainService.exe instance NewMSP username "{user}.{company}"
DomainService.exe instance NewMSP FriendlyName "John's Dentistry"
This will cause a new agent to show up in the Management Console called {machinename}\NewMSP for the Management Console with the AAABBBCCC clientguid. This Management Console can then do whatever group and triplet setup is desired to grant rights and create accounts.
As always, we are here to help. If you have any questions or want help setting any of this up then https://techidmanager.com/support has all the ways to contact us and a link to setup a support meeting.
