Corporate Password Management

[wick2o]

I'm currently looking for a password manager that allows me to set permissions to password "groups". The goal is to allow some underlings to see some users passwords and not others.

Anyone have any suggestions besides writing my own using mysql+php?

[VaKo]

It would help if you provided a rundown of your systems.

[Sparda]

It would help if you provided a rundown of your systems.

No one except those that do user account management should have access to such information. Even then, they should only have access to the original password that was set by the user management people.

[h3%5kr3w]

I think I get what he's saying. Let his IT gnomes work with low-level (i.e. entry job oriented) passwords so if the dumbass at the front desk forget's her pw for the 100000th time, then they can deal with it. This I think is actually kind of common, but I dunno... Seems like this could just be set as is. What server U running?

[tr0n]

I'm currently looking for a password manager that allows me to set permissions to password "groups".

Try KeePass. Keeps a database you can share and encrypt.

http://keepass.info/

[wick2o]

I think I get what he's saying. Let his IT gnomes work with low-level (i.e. entry job oriented) passwords so if the dumbass at the front desk forget's her pw for the 100000th time, then they can deal with it. This I think is actually kind of common, but I dunno... Seems like this could just be set as is. What server U running?

You almost hit the nail on the head, this is half the problem. The other half of the problem is that I have access to everyones misc passwords. payroll,home bank accounts, cc#'s, you name it and I have access to it. I currently use a combo of keypass and an encrypted datafile with the keypass file inside of it. I would love to find something where i could create folders for each person, under each person have another set of folders, one private and one public. I would then need the ability to lock users out of all private folders and allow them to read all public folders.

I have found one package that allows me to do this: www.animabilis.com however I then still have to manage all of the passwords. This software does not allow more then one person into it at a time, well it does, but only read only.

I want my lackies to update the users public passwords and information when they get information, allowing me to only worry about private accounts. This is also in lew of the owners wanting a MASTER password with access to all incase I and my whole IT team are hit by a bus.

[Sparda]

The other half of the problem is that I have access to everyones misc passwords. payroll,home bank accounts, cc#'s, you name it and I have access to it.

What are you? Sysadmin, accountant and back manager for all your employees? You really shouldn't have access to all that information if for no other reason than the danger it puts your self in.

[wick2o]

What are you? Sysadmin, accountant and back manager for all your employees? You really shouldn't have access to all that information if for no other reason than the danger it puts your self in.

Yes, Yes , and Yes. I am also in charge of everyones company cell phones, our security system, our a/v equipment, our websites, their families websitse, our clients IT departments when they cant solve a problem for the clients themselves. I'm a jack of all trades, master of none. o did I mention I'm also an engineer for some projects? Just the other day I was a mechanic for a CNC machine

Last I checked, you couldnt use keypass to give users different rights to the same database file, perhaps I am wrong, I'll take another look.

[tr0n]

Last I checked, you couldnt use keypass to give users different rights to the same database file, perhaps I am wrong, I'll take another look.

You can create user specific databases that are safely encrypted that the user can modify at their whim if they need to change a password. Then just share those out using NTFS and setup each user to point to their own datafile. You could also have a master public database that is shared read only that all could use for community logins. The problem is getting the keypass to load two databases at once. Though you could use a script or batch that they could launch to switch between the two... I'm sure there is a more fitting way to do it.

I'll ask a friend of mine how he setup his office. I recommended KeyPass to him and he really took to it. He built a public master db for everyone and I believe he even has user specific stuff only they can access. He even went as far as writing batch files and linking them into it to load saved RDC & PC Anywhere connections for remote support to auto-login using KP. Maybe he will have an answer for you?

[Sparda]

Yes, Yes , and Yes. I am also in charge of everyones company cell phones, our security system, our a/v equipment, our websites, their families websitse, our clients IT departments when they cant solve a problem for the clients themselves. I'm a jack of all trades, master of none. o did I mention I'm also an engineer for some projects? Just the other day I was a mechanic for a CNC machine

Last I checked, you couldnt use keypass to give users different rights to the same database file, perhaps I am wrong, I'll take another look.

If any thing goes wrong with that information (data breach and the like), you probably will be the company scape goat who will go to jail.

[wick2o]

If any thing goes wrong with that information (data breach and the like), you probably will be the company scape goat who will go to jail.

This is a non-issue. I have been in this boat before, i agree it can get rocky at times. But as long as you CYA there is nothing to worry about. When and if you ever get put in a position such as this, id suggest you retain a lawyer.

[h3%5kr3w]

wow... the IT bitch. All I gotta say man, is either I HOPE TO HELL that the company is just starting up and your trying to get things worked out, or I hope the pay is worth it... Cause thats one hell of alot of work for one IT ninja. And I know how some companies can be when they are cheap. It can be like this with almost any job type. Are you a 'yes' man? If so, it's your fault ya kno~.

[wick2o]

wow... the IT bitch. All I gotta say man, is either I HOPE TO HELL that the company is just starting up and your trying to get things worked out, or I hope the pay is worth it... Cause thats one hell of alot of work for one IT ninja. And I know how some companies can be when they are cheap. It can be like this with almost any job type. Are you a 'yes' man? If so, it's your fault ya kno~.

I wouldn't mind sharing what I do for a living, however a public forum is not the correct place to do so. I also don't feel like reading a bunch of "ya right, sure you do" posts either. I have a very odd job in a very odd market where I get to do a lot of very cool things for a lot of very cool people.

[tr0n]

Yeah, I was wrong. My friend tells me he didn't do anything of the sort for personal private password management. He did send me some neat scripts and how-to info to get keepass to work with Microsoft VPN's and remote desktop connection saved profiles...

[wick2o]

Yeah, I was wrong. My friend tells me he didn't do anything of the sort for personal private password management. He did send me some neat scripts and how-to info to get keepass to work with Microsoft VPN's and remote desktop connection saved profiles...

I'd love to see em if you would pass them on, or rapidshare them.

[lopez1364]

First of all. Why would you use a program like keepass. <--In a corporate business environment? If you are using "groups" like Active Directory you should just set GPOs. There is an option in Active Directory to reverse encrypt passwords for certain users that will allow you to view the passwords clear as day. There is no way to have passwords secured fully especially on some DB. Anything can be found. You should set it on some server and put that server behind multiple securities (i.e. firewalls) and then set desired permissions and then set hidden files that only specific individuals can view. I don't know what kind of environment you have but if its a corporate environment you should have a proper infrastructure.

[wick2o]

First of all. Why would you use a program like keepass. <--In a corporate business environment? If you are using "groups" like Active Directory you should just set GPOs. There is an option in Active Directory to reverse encrypt passwords for certain users that will allow you to view the passwords clear as day. There is no way to have passwords secured fully especially on some DB. Anything can be found. You should set it on some server and put that server behind multiple securities (i.e. firewalls) and then set desired permissions and then set hidden files that only specific individuals can view. I don't know what kind of environment you have but if its a corporate environment you should have a proper infrastructure.

Man you guys really missed the boat. Not everyone only has to worry about AD passwords. I regret posting such a question to a forum like this. I was expecting some intelligent responses to what I thought was a simple problem.

Tron, I would like to continue this conversation privately if you could share what your friend has come up with. To everyone else who only has to wear one hat, and only works the hours of 9 to 5. Please just skip over this thread.

To all those who have tried to understand my question and post a valid response and not a "flame", I thank you for your time.

If i had the ability to delete this thread then I would.