Host Queries for Mass Script Execution

Host Queries to Configure and Execute Tasks across many Endpoints.

 

Say you are looking to execute a task like Local Admin Group Cleanup or Windows Service Password Reset across a series of computers.

What is the best way to configure this scenario in PAM?

 

One method would be to create a record for each endpoint with its specific host, port, username and password, then apply the task to this record and set up your automated policy.

A couple of steps are required, but certainly not terribly difficult to implement unless you have thousands or hundreds of thousands of assets to manage.

 

With that many endpoints, you are now looking at import options. You could create a CSV file that lists all the endpoints or import them from your current session management solution like Remote Desktop Manager or mRemote.

This would decrease the amount of implementation time needed to populate PAM and get you up and running more easily, but now you have hundreds or thousands of records in PAM that are not needed outside of task execution policies.

 

What if there was an easier way?

What if you could execute a task like the Local Admin Group Cleanup script against all your endpoints using a single PAM record?

You create a single record, you share a single record, you review and monitor a single record, but in reality that single record is executing your task against hundreds or thousands of your managed endpoints.

If this sounds promising, then let’s talk about PAM’s Host Query records.

A traditional endpoint record in PAM defines a specific host that is used to connect to the asset. In a host query record, you define all your hosts by entering a query that finds them rather than a host name, for instance an Active Directory query to locate your web servers.

PAM will execute your query and for every endpoint that is returned, it will queue, execute and report your configured task(s).

Managing tasks for many like endpoints just got a lot easier.

 

Using PAM Host Query Records

  1. Log in to PAM and create a new record using the type AD Query. If you do not see this type in the dropdown, navigate to Administration > Record Types, locate the AD Query type, click Edit, uncheck the Hidden option and finally click Save.
  2. Enter a Name (required) and Description (optional) for your new record.
  3. For the User and Password fields, enter credentials that will be valid for all your potential endpoints. Consider using a Domain Administrator account to avoid connection issues.
  4. Finally, in the AD Query field, enter an Active Directory query that will return a list of computer hosts that you want to execute tasks against.

    Here is an AD Query example to return every computer in Active Directory whose name starts with DEV: (&(objectclass=computer)(objectcategory=computer)(cn=DEV*))

  5. Click the Save and Return button when finished.
  6. With the record saved, you can now apply your task(s).
  7. Click the Execute dropdown and then select your task from the list to execute. If you want to test the query first, select the preconfigured task Query Sample Data. This task will display a list of hosts returned from the query without executing any scripts against them. If you do not want to test the query, proceed to the next step.
  8. When executing a task like Windows Local Administrator Group Cleanup, select it from the dropdown list and you will be presented with a new dialog. In this new dialog, enter a value into the Query Sample Data Size field. This determines how many endpoints to execute against. If you only want to test a subset, enter a value like 5, which means only the first five returned query results will be used, or enter the value -1 or All to execute the task against all query results.

    Note: When tasks are executed automatically, the AD Query will return and ultimately process all of the results. The Query Sample Data Size parameter is only available for On-Demand policy execution.

  9. Once the task is executed, it will first generate a list of all endpoints and add them as queued jobs. You will see all these jobs listed in Job History with a status of Ready.
  10. As the jobs execute, their status will update and you can review their results in the Job History or Job Summary reports.

Over time, as your query returns new host results, the record will dynamically load each of these new hosts which will ensure this host query record adapts to your changing environment.
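Because one record runs its task against every host the query returns, including hosts added later, it is worth checking what a filter actually selects before attaching a task to it. The following is an added example, not PAM's or Active Directory's own code: a simplified filter evaluator run over a constructed directory, showing that the `(cn=DEV*)` term is a prefix match that also picks up a domain controller named `DEVOPS-DC01`. The function names, the sample hosts and the `NARROWED` filter are assumptions made for illustration.

```python
import re

def parse(f, i=0):
    """Parse an RFC 4515 subset: (&..), (|..), (!..), (attr=value) with '*' wildcards."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed group at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is never closed
    attr, sep, value = f[i:end].partition("=")
    if not sep:
        raise ValueError(f"missing '=' at offset {i}")
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]}), ignoring case."""
    if node[0] == "=":
        pattern = ".*".join(re.escape(part) for part in node[2].split("*"))
        return any(re.fullmatch(pattern, v, re.I) for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return (not results[0]) if node[0] == "!" else (all if node[0] == "&" else any)(results)

def preview(ldap_filter, directory, sample_size=-1):
    """List the cn of every match; sample_size works like the dialog field (-1 = all)."""
    tree, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    hits = [e["cn"][0] for e in directory if matches(tree, e)]
    return hits if sample_size < 0 else hits[:sample_size]

def computer(cn, primary_group=515):  # 515 = Domain Computers, 516 = Domain Controllers
    return {"cn": [cn], "objectclass": ["top", "person", "user", "computer"],
            "objectcategory": ["computer"], "primarygroupid": [str(primary_group)]}

# Constructed sample directory, not real hosts.
DIRECTORY = [computer("DEV-WEB01"), computer("DEV-SQL02"), computer("DEVOPS-DC01", 516),
             computer("WEBDEV03"), computer("PROD-WEB01"),
             {"cn": ["devsvc"], "objectclass": ["top", "person", "user"], "objectcategory": ["person"]}]
PAGE_FILTER = "(&(objectclass=computer)(objectcategory=computer)(cn=DEV*))"
NARROWED = "(&(objectclass=computer)(objectcategory=computer)(cn=DEV-*)(!(primarygroupid=516)))"

if __name__ == "__main__":
    print({f: preview(f, DIRECTORY) for f in (PAGE_FILTER, NARROWED)})
```

In PAM itself, the Query Sample Data task described in the steps above gives the same kind of preview against the live directory.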