Instances In DomainService

TechIDManager has an agent that can be configured to do a myriad of things. The agent can create PAM accounts and LAPS accounts, and each of these can be either a managed account or a JIT (Just In Time) account. All of this is configured inside the agent, which is called the DomainService. (See more at https://ruffiansoftware.com/setup-of-techidentitymanager-for-domainservice/ )

PAM accounts are unique accounts, one per technician. Functions covered by PAM accounts include

  • account creation
  • rights setting
  • account management
  • password rotation

LAPS accounts take a single account and share it among several technicians. Functions covered by LAPS accounts include

  • account management
  • password rotation

Managed accounts are always available, even when the machine is offline.

JIT (Just In Time) accounts are enabled only for the time frame in which a technician needs them, and are only available when the machine is online.

An Instance in TechIDManager is the configuration segment that defines what an agent does and how it does it. In the Management Console under Agents, you will see that it is possible to have more than one agent on the same machine. In the example below, two differently configured instances of the agent run on the same machine at the same time, but they do different things because they have different configuration segments.

While logged in to a machine, you can see how these instances are configured from the command prompt. Change directory to the folder containing domainservice.exe and then run the command “domainservice.exe show”. When you have more than one instance on that machine, you will see multiple instances listed, along with the configuration options each instance of TechIDManager is installed with.

When setting options on an instance, first determine whether it is a shared (LAPS) instance or a PAM instance. The listing may also say Domain or LocalMachine, depending on what type of system the agent is running on.

For example, to change the second (shared) instance to JIT, type “domainservice.exe shareduser MSP.admin justintime” into the prompt and hit enter.
*MSP.admin would be the user name of the account you are setting options for.
*justintime is an example of one of the options you can ask it to set.

If you run “show” again (domainservice.exe show), you will see the account is now set to just in time. You can set any of the parameters that apply to any of the instances by using the appropriate command line. See a list of options here https://ruffiansoftware.com/setup-of-techidentitymanager-for-domainservice/
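As an added example (this is not Ruffian Software's code and does not appear on the original page), the following PowerShell script wraps the two commands described above: it records the “show” listing, applies “shareduser MSP.admin justintime”, prints only the lines of the listing that changed, and then checks the account's enabled state directly in Active Directory or the local SAM rather than trusting the agent's own report. The install directory, the MSP.admin account name (the page's placeholder), the instance type, and the idea that the “show” output can be compared line by line are all assumptions; the script uses no domainservice.exe commands beyond the two the page documents.

```powershell
# Added example, not Ruffian Software's code. Exercises the documented commands
#   domainservice.exe show
#   domainservice.exe shareduser <user> justintime
# and then verifies the account state independently of the agent.
# ASSUMPTIONS: the install directory, the account name (MSP.admin is the page's
# placeholder) and the instance type are placeholders; the exact text format of
# "show" is not known here, so its output is treated as opaque lines and only diffed.
param(
    [string]$InstallDir   = 'C:\Program Files\TechIDManager',  # assumption: set to your install path
    [string]$SharedUser   = 'MSP.admin',                        # placeholder user name from the page
    [ValidateSet('Domain', 'LocalMachine')]
    [string]$InstanceType = 'Domain'                            # assumption: read it from the "show" listing
)

$exe = Join-Path $InstallDir 'domainservice.exe'
if (-not (Test-Path $exe)) { throw "domainservice.exe not found at $exe" }

# Run one domainservice.exe command and return its output as an array of lines.
function Invoke-DomainService {
    param([string[]]$Arguments)
    $output = & $exe @Arguments 2>&1 | ForEach-Object { $_.ToString() }
    if ($LASTEXITCODE -ne 0) {
        throw "domainservice.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    if (-not $output) { throw "domainservice.exe $($Arguments -join ' ') produced no output" }
    return @($output)
}

# Query the shared account directly so the change is confirmed outside the agent.
function Get-SharedAccountState {
    param([string]$Name, [string]$Type)
    if ($Type -eq 'Domain') {
        # Requires the RSAT ActiveDirectory module on the machine running this script.
        $user = Get-ADUser -Identity $Name -Properties LastLogonDate
        return [pscustomobject]@{ Name = $user.SamAccountName; Enabled = $user.Enabled; LastLogon = $user.LastLogonDate }
    }
    $user = Get-LocalUser -Name $Name
    return [pscustomobject]@{ Name = $user.Name; Enabled = $user.Enabled; LastLogon = $user.LastLogon }
}

Push-Location $InstallDir
try {
    # 1. Capture the current instance listing.
    $before = Invoke-DomainService -Arguments @('show')
    Write-Host '--- show (before) ---'
    $before | Write-Host

    # 2. Apply the documented option to the shared (LAPS) instance.
    Invoke-DomainService -Arguments @('shareduser', $SharedUser, 'justintime') | Out-Null

    # 3. Re-read the listing and print only the lines that changed.
    $after   = Invoke-DomainService -Arguments @('show')
    $changes = Compare-Object -ReferenceObject $before -DifferenceObject $after
    if (-not $changes) {
        Write-Warning "The 'show' listing did not change; verify the account name and option spelling."
    } else {
        Write-Host '--- show (changed lines; <= before, => after) ---'
        $changes | ForEach-Object { Write-Host ('{0} {1}' -f $_.SideIndicator, $_.InputObject) }
    }
}
finally {
    Pop-Location
}

# 4. Independent check: a JIT account should be disabled outside a technician's window,
#    while a managed account stays enabled even when the machine is offline.
$state = Get-SharedAccountState -Name $SharedUser -Type $InstanceType
if ($state.Enabled) {
    Write-Warning ('{0} is currently enabled: expected for a managed account, or for a JIT account inside an active window (last logon {1}).' -f $state.Name, $state.LastLogon)
} else {
    Write-Host ('{0} is currently disabled: consistent with a JIT account outside its window.' -f $state.Name)
}
```

Run it from an elevated prompt on the machine hosting the agent; for a Domain instance the ActiveDirectory module must be available. The final check is the part worth keeping in your own tooling: after any change to a JIT or managed setting, confirm the account's Enabled flag from the directory itself, since that is what an attacker or auditor will see, not the agent's configuration listing.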

These instances allow you to set up PAM in the way that best suits your needs and your clients' needs. Some examples are:

  • multiple PAM or LAPS instances on the same domain
  • multiple MSPs having TechIDManager agents installed on the same DC or client machine and each having their own accounts, managed separately.
  • co-managed environments, where the co-managed accounts can be different from the MSP technician accounts.
  • multiple accounts per person

Here is a video covering and demonstrating the same material.