Our website requires Javascript. Please enable JavaScript to enjoy our full website experience. Here are instructions on how to enable js in your browser.

You are using an ad blocker that is interfering with our web typography and internal javascript. Please whitelist our domain to live in a more beautiful world. No ads here, just really great software!

Nexthink CEO Pedro Bados appears on CNBC View Coverage

Nexthink Library

User Login Management

Troubleshoot common login issues and ensure compliance by providing information about failed logins on devices and running campaigns warning about near password expiration.

Content

Campaigns - 2

Remote actions - 3

Required Modules

Nexthink Act

Nexthink Engage

Platforms

Windows

Compatibility

V6.14 and later

2.0.0.0 - 13 Nov 2019 - Added "Remove Credentials From Credential Manager" Remote Action
1.0.1.0 - Bugfix of Invoke Proactive Password Reset Remote Action
1.0.0.0 - Initial release

Description

This Library pack is a collection of different Remote Action scripts which help troubleshooting common login issues and ensure compliance.Please use the links on the left menu to learn more about the function and range of action of each script.

Invoke Proactive Password Reset

2.1.0.0 - 13 Nov 2019 - Fixed bug with password expiration date calculation and code refactor
2.0.0.0 - Fixed errors with some domain users and code refactor
1.0.0.0 - Initial release

Script Description

Checks password expiration date and if it is within the time frame provided by the input parameter, runs a campaign to warn the user (providing link to reset the password).

Execution context and suggested scheduling

Run the script as 'interactive user'. The script should be executed every 1 week.

A timeout of 720 seconds is recommended.

Parameters

Label	Description
Campaign Id	UID of the campaign to notify the user that the password is about to expire and to provide the URL to reset it
Days Until Expiration	Number of days left for the password to expire. If expiration date is inside this time frame, the campaign is run
Maximum Delay In Seconds	Maximum random delay set to avoid domain controller overload. Provide number of seconds less than 600

Outputs

None.

Restrictions

If Domain Controller and devices are not fully synchronized, information about password expiration date on the devices could not be precise. Please make sure to take this into consideration when running the Remote Action

Further Information

Please make sure to modify the sample URL included in the campaign with the desired one.

Test Scenarios

PasswordIsValid
Test Case	Account password is within time range
Environment	Windows 7x32/x64 multiple languages, Windows 10x64 (1809, 1903)
Results	Password verified and no action taken.

PasswordExpiresSoon
Test Case	Account password is about to expire
Environment	Windows 7x32/x64 multiple languages, Windows 10x64 (1809, 1903)
Results	Campaign is displayed.

Get Failed Logins

1.0.0.0 - 13 Nov 2019 - Initial release

Script Description

Obtains information about all failed login attempts. The script can be successfully executed only on devices with 'Audit Logon Events' policy enabled and Windows 10 or Windows 7 installed.

Execution context and suggested scheduling

Run the script as 'local system'. The script should be executed manually.

A timeout of 720 seconds is recommended.

Parameters

Label	Description
Maximum Delay In Seconds	Maximum random delay set to avoid overloading server hosting virtual machines. Provide number of seconds less than 600

Outputs

Label	Type	Description
Failed Logins	StringList	Information about failed login attempts (user name, event time, logon failure status code, logon type code)
Failed Logins Count	Int	Number of failed login attempts. It always shows full number of failed logins even when number of displayed events in 'FailedLogins' output parameter has been truncated due to limited output capacity

Restrictions

The script can be successfully executed only on devices with 'Audit Logon Events' policy enabled.
Due to limited capacity of 'FailedLogins' output field, detailed information about failed loggings attempts can be truncated.

Further Information

Parameter 'MaximumDelayInSeconds' can be used to add random script execution delay. It should be used on servers hosting virtual machines to spread the number of I/O requests over time.
Microsoft website provides information about logon failure status codes and logon type codes.

Remove Credentials From Credential Manager

1.0.0.0 - 13 Nov 2019 - Initial release

Script Description

Removes stored user credentials from Windows Credential Manager, to assist with the problem of locking account. After completing action presents internal password reset webpage using default browser. Uses campaign to inform user about the removal, can be configured to skip campaign notification.

Execution context and suggested scheduling

Run the script as 'interactive user'. The script should be executed manually.

A timeout of 120 seconds is recommended.

Parameters

Label	Description
Password Reset Webpage	Intranet webpage to be displayed for user to reset password. Absolute path to target page should be provided, for example http(s)://resetpage.myintranet.com
Campaign Id	UID of informative campaign about clearing stored user credentials. Provide empty guid to skip display of the campaign

Outputs

None.

Test Scenarios

CampaignDisplayed
Test Case	UID of target campaign provided
Environment	VM Windows 7 x64 (Multi-language) - VM Windows 10 x86/x64 (Multi-language) (1803/1809/1903)
Results	Success - Before execution, informative campaign was displayed. Remote Action completed without user action.

Windows10CredentialManagerEmptied
Test Case	Empty guid provided
Environment	VM Windows 10 x86/x64 (Multi-language) (1803/1809/1903)
Results	Success - Web Credentials and Windows Credentials for current user was emptied.

Windows7WindowsCredentialsEmptied
Test Case	Empty guid provided
Environment	VM Windows 7 x64 (Multi-language)
Results	Success - Windows Credentials for current user was emptied