27. Command Line Configuration Tool

C:\Program Files (x86)\OVERLAPS\olconfig.exe

The command-line configuration tool can be used to perform a number of tasks such as adding/removing users and managing HTTPS certifications.

27.1 Modules

There are 4 main sections (or modules) of the olconfig tool:

  1. User
  2. SelfService
  3. Https
  4. Security

27.1.1 User

Used to:

  • List Existing Explicit OVERLAPS Users
  • Add Users
  • Remove Users
  • Disable Two-Factor Authentication on a user's account
  • Set whether a user is an Administrator or not (has the "Edit Settings" option)
  • Import users from a text or CSV file

27.1.1.1 Command Line Arguments

olconfig.exe user /list

List all OVERLAPS users and groups.

olconfig.exe user [<domain>\]<username> /add

Add a user from Active Directory.

Example:

olconfig.exe user contoso\exampleuser /add
olconfig.exe user [<domain>\]<username> /add /admin

Add an Administrator user from Active Directory.

olconfig.exe user [<domain>\]<username> /remove

Remove a user or group.

olconfig.exe user [<domain>\]<username> /admin

Make an existing user an Administrator.

olconfig.exe user [<domain>\]<username> /noadmin

Remove an existing user's Administrator rights.

olconfig.exe user [<domain>\]<username> /disabletwofactor

Disable two factor authentication on a user account.

olconfig.exe user /import <C:\\path\\to\\list.txt>

Import a list of users or groups from a text file. The file should only include one user per line, with or without domain information. This can be combined with the "/admin" option to make all of the users administrators (though this is not recommended).

olconfig.exe user /importcsv <C:\\path\\to\\list.csv>

Import a list of users or groups from a csv file.

Each line in the CSV file should be in the format: "DistiguishedName","GUID",IsGroup (0/1, where 1 indicates the user is a group).

Example:

"CN=username1,OU=users,DC=domain,DC=name","1234-56789-012345-6780",0
"CN=username2,OU=users,DC=domain,DC=name","1234-56789-012345-6781",0
"CN=username3,OU=users,DC=domain,DC=name","1234-56789-012345-6782",0
"CN=username4,OU=users,DC=domain,DC=name","1234-56789-012345-6783",0
"CN=group1,OU=groups,DC=domain,DC=name","1234-56789-012345-6784",1
Note that the purpose of this import method (as compared to the text file import method) is that none of the data is validated, the user records are just inserted directly into the database. This can be significantly quicker for large import processes when you are certain that the information you have is correct, but should be used with caution.

27.1.2 Self Service

Used to:

  • Add a Self Service Computer to an Existing User
  • Remove a Self Service Computer from a User
  • Clear all Self Service Computers from a User
  • Import Multiple Self Service Computers to Existing Users

27.1.2.1 Command Line Arguments

olconfig.exe selfservice /add /user [<domain>/]<username> /computer <computer DN>

Add a Self Service computer to an existing user.

Parameter Name Description
/user [<domain>]<username> The (optional) domain and username of the Self-Service user.
The user must already exist in OVERLAPS.
/computer <computer DN> The distinguished name of an AD computer.
Must be enclosed in quotes if there are any spaces.
Can be specified more than once to add multiple computers.
/reqauth The user needs to submit an Authorisation Request to access the
passwords (not compatible with reqjust).
/reqjust The user needs to supply a Justification before accessing the
passwords (not compatible with reqauth).

Example:

olconfig selfservice /user contoso\exampleuser /computer "CN=ComputerA,OU=Computers,DC=contoso,DC=com" /reqjust
olconfig.exe selfservice /remove /user [<domain>/]username> /computer <computer DN>

Remove a Self Service computer from a user.

Parameter Name Description
/user [<domain>]<username> The (optional) domain and username of the Self-Service user. The user
must already exist in OVERLAPS.
/computer <computer DN> The distinguished name of an AD computer.
Must be enclosed in quotes if there are any spaces.
Can be specified more than once to remove multiple computers.
olconfig.exe selfservice /clear /user [<domain>/]<username>

Remove all Self Service computers from a user.

Parameter Name Description
/user [<domain>]<username> The (optional) domain and username of the Self-Service user. The
user must already exist in OVERLAPS.
olconfig.exe selfservice /importcsv <C:\path\to\list.csv>

Imports a list of Self Service computers from a CSV file.

The CSV file should be formatted as UTF-8 and one row for each user/computer entry with the following columns:

"UserDistinguishedName","ComputerDistinguishedName","ComputerGuid",RequiresAuthorisation (0/1),RequiresJustification (0/1)

For example:

"CN=User1,OU=Users,DC=contoso,DC=com","CN=ComputerA,OU=Computers,DC=contoso,DC=com","00000000-0000-0000-0000-000000000000",0,1
"CN=User1,OU=Users,DC=contoso,DC=com","CN=ComputerB,OU=Computers,DC=contoso,DC=com","00000000-0000-0000-0000-000000000000",1,0
"CN=User1,OU=Users,DC=contoso,DC=com","CN=ComputerC,OU=Computers,DC=contoso,DC=com","00000000-0000-0000-0000-000000000000",0,1

The import process assumes that the user already exists in OVERLAPS and will fail if they are not. To add a new user first, refer the above "user" module.

27.1.3 HTTPS

Used to: * Enable or disable HTTPS * Install a new certificate for HTTPS and create bindings so they will be used by OVERLAPS * Remove existing HTTPS certificate bindings

olconfig.exe https /enable [/restart]

Enable HTTPS in OVERLAPS and optionally restart the service.

Parameter Name Description
/restart Restart the OVERLAPS service on success.
olconfig.exe https /disable [/restart]

Disable HTTPS in OVERLAPS and optionally restart the service.

Parameter Name Description
/restart Restart the OVERLAPS service on success.
olconfig.exe https /certfile [/password ] [/store ] [/hostname ] [/ipaddress ] [/port ] [/restart]

Install using a Certificate File (*.pfx) with the certificate password (if required).

Parameter Name Description
/certfile <filename> The certificate's private key file (*.pfx)
/password <password> The password needed to read the private key file
/store <My|Root> Whether the certificate is stored in the Personal store (My - used for
self-signed certificates), or the Trusted Root Authorities (Root) store.
/hostname <host> Specify the URL or semicolon list of hostnames to bind to.
/ipaddress <ip> Specify the IP address to bind to.
/port <port> The SSL/TLS port (defaults to 443)
/restart Restart the OVERLAPS service on success.

Examples:

olconfig.exe https /certfile "C:\certificates\third-party-private-key.pfx" /password C3rtificateP4ss /restart
Installs the \"third-party-private-key.pfx\" certificate and binds it to the local IP of the server, then restarts OVERLAPS.

olconfig.exe https /certfile "C:\certificates\third-party-private-key.pfx" /password C3rtificateP4ss /store Root /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /restart
Installs the \"third-party-private-key.pfx\" certificate and binds it to a specific hostname and IP address.

olconfig.exe https /certfile "C:\certificates\self-signed-private-key.pfx" /password C3rtificateP4ss /store My /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /port 8443 /restart
Installs the \"self-signed-private-key.pfx\" certificate and binds it to a specific hostname, IP address and port.

olconfig.exe https /certfile "C:\certificates\self-signed-private-key.pfx" /password C3rtificateP4ss /hostname overlaps.contoso.com;*.contoso.com /port 8443
Installs the \"self-signed-private-key.pfx\" wildcard certificate and binds it to both the specific hostname and the wildcard.
Note that if you don't provide the "/store" parameter, olconfig will attempt to determine the nature of the certificate and therefore the certificate store automatically.
olconfig.exe https /thumbprint /store [/hostname ] [/ipaddress ] [/port ] [/restart]

Install using an already installed Certificate (in the Local Computer/Personal Store or Trusted Root Authorities).

Parameter Name Description
/thumbprint <certid> The certificate's "thumbprint".
/store <My|Root> Which store the certificate can be found in.
/hostname <host> Specify the URL or semicolon list of hostnames to bind to.
/ipaddress <ip> Specify the IP address to bind to.
/port <port> The SSL/TLS port (defaults to 443)
/restart Restart the OVERLAPS service on success.

Examples:

olconfig.exe https /thumbprint c6b10ffec9f6a5051a78cc86132f4eddd83cafc3 /password C3rtificateP4ss /store Root /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /restart
olconfig.exe https /thumbprint c6b10ffec9f6a5051a78cc86132f4eddd83cafc4 /password C3rtificateP4ss /store My /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /port 8443 /restart
olconfig.exe https /disableclientcertcheck

Disable Client Certificate checks on existing certificate bindings (to stop browsers prompting users for a certificate, requires a server restart).

olconfig.exe https /unbind [/ipaddress ] [/hostname ] [/port ] [/restart]

Unbind an existing certificate binding.

Parameter Name Description
/hostname <host> Specify the URL or semicolon list of hostnames to unbind from.
/ipaddress <ip> Specify the IP address to unbind from.
/port <port> The SSL/TLS port (defaults to 443)
/restart Restart the OVERLAPS service on success.

Examples:

olconfig.exe https /unbind /ipaddress 192.168.12.12 /port 8443
Unbinds the certificate from a specific IP address and port.

olconfig.exe https /unbind /hostname overlaps.contoso.com
Unbinds the certificate from a specific hostname using the default port (443).

27.1.4 Security

olconfig.exe security [/krbstatus] [/enablekrb ] [/disablekrb ]

Used to:

  • Get the systems current Kerberos SPN configuration.
  • Enable or disable Kerberos by registering or unregistering SPNs.
Parameter Name Description
/krbstatus Show the current Kerberos SPN status
/enablekrb <http|https|both> Enable Kerberos encryption on Windows Authentication
/disablekrb <http|https|both> Disable Kerberos encryption for Windows Authentication

Optional Parameters:

Parameter Name Description
/url <hostname/address> The hostname or address of the server (defaults to the hostname)
/account <account> The service account OVERLAPS runs as (defaults to LOCAL SYSTEM)