27. Command Line Configuration Tool
C:\Program Files (x86)\OVERLAPS\olconfig.exe
The command-line configuration tool can be used to perform a number of tasks such as adding/removing users and managing HTTPS certifications.
27.1 Modules
There are 4 main sections (or modules) of the olconfig tool:
27.1.1 User
Used to:
- List Existing Explicit OVERLAPS Users
- Add Users
- Remove Users
- Disable Two-Factor Authentication on a user's account
- Set whether a user is an Administrator or not (has the "Edit Settings" option)
- Import users from a text or CSV file
27.1.1.1 Command Line Arguments
List all OVERLAPS users and groups.
Add a user from Active Directory.
Example:
olconfig.exe user contoso\exampleuser /add
Add an Administrator user from Active Directory.
Remove a user or group.
Make an existing user an Administrator.
Remove an existing user's Administrator rights.
Disable two factor authentication on a user account.
Import a list of users or groups from a text file. The file should only include one user per line, with or without domain information. This can be combined with the "/admin" option to make all of the users administrators (though this is not recommended).
Import a list of users or groups from a csv file.
Each line in the CSV file should be in the format: "DistiguishedName","GUID",IsGroup (0/1, where 1 indicates the user is a group).
Example:
"CN=username1,OU=users,DC=domain,DC=name","1234-56789-012345-6780",0
"CN=username2,OU=users,DC=domain,DC=name","1234-56789-012345-6781",0
"CN=username3,OU=users,DC=domain,DC=name","1234-56789-012345-6782",0
"CN=username4,OU=users,DC=domain,DC=name","1234-56789-012345-6783",0
"CN=group1,OU=groups,DC=domain,DC=name","1234-56789-012345-6784",1
27.1.2 Self Service
Used to:
- Add a Self Service Computer to an Existing User
- Remove a Self Service Computer from a User
- Clear all Self Service Computers from a User
- Import Multiple Self Service Computers to Existing Users
27.1.2.1 Command Line Arguments
Add a Self Service computer to an existing user.
Parameter Name | Description |
---|---|
/user [<domain>]<username> | The (optional) domain and username of the Self-Service user. The user must already exist in OVERLAPS. |
/computer <computer DN> | The distinguished name of an AD computer. Must be enclosed in quotes if there are any spaces. Can be specified more than once to add multiple computers. |
/reqauth | The user needs to submit an Authorisation Request to access the passwords (not compatible with reqjust). |
/reqjust | The user needs to supply a Justification before accessing the passwords (not compatible with reqauth). |
Example:
olconfig selfservice /user contoso\exampleuser /computer "CN=ComputerA,OU=Computers,DC=contoso,DC=com" /reqjust
Remove a Self Service computer from a user.
Parameter Name | Description |
---|---|
/user [<domain>]<username> | The (optional) domain and username of the Self-Service user. The user must already exist in OVERLAPS. |
/computer <computer DN> | The distinguished name of an AD computer. Must be enclosed in quotes if there are any spaces. Can be specified more than once to remove multiple computers. |
Remove all Self Service computers from a user.
Parameter Name | Description |
---|---|
/user [<domain>]<username> | The (optional) domain and username of the Self-Service user. The user must already exist in OVERLAPS. |
Imports a list of Self Service computers from a CSV file.
The CSV file should be formatted as UTF-8 and one row for each user/computer entry with the following columns:
"UserDistinguishedName","ComputerDistinguishedName","ComputerGuid",RequiresAuthorisation (0/1),RequiresJustification (0/1)
For example:
"CN=User1,OU=Users,DC=contoso,DC=com","CN=ComputerA,OU=Computers,DC=contoso,DC=com","00000000-0000-0000-0000-000000000000",0,1
"CN=User1,OU=Users,DC=contoso,DC=com","CN=ComputerB,OU=Computers,DC=contoso,DC=com","00000000-0000-0000-0000-000000000000",1,0
"CN=User1,OU=Users,DC=contoso,DC=com","CN=ComputerC,OU=Computers,DC=contoso,DC=com","00000000-0000-0000-0000-000000000000",0,1
The import process assumes that the user already exists in OVERLAPS and will fail if they are not. To add a new user first, refer the above "user" module.
27.1.3 HTTPS
Used to: * Enable or disable HTTPS * Install a new certificate for HTTPS and create bindings so they will be used by OVERLAPS * Remove existing HTTPS certificate bindings
Enable HTTPS in OVERLAPS and optionally restart the service.
Parameter Name | Description |
---|---|
/restart | Restart the OVERLAPS service on success. |
Disable HTTPS in OVERLAPS and optionally restart the service.
Parameter Name | Description |
---|---|
/restart | Restart the OVERLAPS service on success. |
Install using a Certificate File (*.pfx) with the certificate password (if required).
Parameter Name | Description |
---|---|
/certfile <filename> | The certificate's private key file (*.pfx) |
/password <password> | The password needed to read the private key file |
/store <My|Root> | Whether the certificate is stored in the Personal store (My - used for self-signed certificates), or the Trusted Root Authorities (Root) store. |
/hostname <host> | Specify the URL or semicolon list of hostnames to bind to. |
/ipaddress <ip> | Specify the IP address to bind to. |
/port <port> | The SSL/TLS port (defaults to 443) |
/restart | Restart the OVERLAPS service on success. |
Examples:
olconfig.exe https /certfile "C:\certificates\third-party-private-key.pfx" /password C3rtificateP4ss /restart
Installs the \"third-party-private-key.pfx\" certificate and binds it to the local IP of the server, then restarts OVERLAPS.
olconfig.exe https /certfile "C:\certificates\third-party-private-key.pfx" /password C3rtificateP4ss /store Root /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /restart
Installs the \"third-party-private-key.pfx\" certificate and binds it to a specific hostname and IP address.
olconfig.exe https /certfile "C:\certificates\self-signed-private-key.pfx" /password C3rtificateP4ss /store My /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /port 8443 /restart
Installs the \"self-signed-private-key.pfx\" certificate and binds it to a specific hostname, IP address and port.
olconfig.exe https /certfile "C:\certificates\self-signed-private-key.pfx" /password C3rtificateP4ss /hostname overlaps.contoso.com;*.contoso.com /port 8443
Installs the \"self-signed-private-key.pfx\" wildcard certificate and binds it to both the specific hostname and the wildcard.
Install using an already installed Certificate (in the Local Computer/Personal Store or Trusted Root Authorities).
Parameter Name | Description |
---|---|
/thumbprint <certid> | The certificate's "thumbprint". |
/store <My|Root> | Which store the certificate can be found in. |
/hostname <host> | Specify the URL or semicolon list of hostnames to bind to. |
/ipaddress <ip> | Specify the IP address to bind to. |
/port <port> | The SSL/TLS port (defaults to 443) |
/restart | Restart the OVERLAPS service on success. |
Examples:
olconfig.exe https /thumbprint c6b10ffec9f6a5051a78cc86132f4eddd83cafc3 /password C3rtificateP4ss /store Root /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /restart
olconfig.exe https /thumbprint c6b10ffec9f6a5051a78cc86132f4eddd83cafc4 /password C3rtificateP4ss /store My /hostname overlaps.contoso.com /ipaddress 192.168.0.4 /port 8443 /restart
Disable Client Certificate checks on existing certificate bindings (to stop browsers prompting users for a certificate, requires a server restart).
Unbind an existing certificate binding.
Parameter Name | Description |
---|---|
/hostname <host> | Specify the URL or semicolon list of hostnames to unbind from. |
/ipaddress <ip> | Specify the IP address to unbind from. |
/port <port> | The SSL/TLS port (defaults to 443) |
/restart | Restart the OVERLAPS service on success. |
Examples:
olconfig.exe https /unbind /ipaddress 192.168.12.12 /port 8443
Unbinds the certificate from a specific IP address and port.
olconfig.exe https /unbind /hostname overlaps.contoso.com
Unbinds the certificate from a specific hostname using the default port (443).
27.1.4 Security
Used to:
- Get the systems current Kerberos SPN configuration.
- Enable or disable Kerberos by registering or unregistering SPNs.
Parameter Name | Description |
---|---|
/krbstatus | Show the current Kerberos SPN status |
/enablekrb <http|https|both> | Enable Kerberos encryption on Windows Authentication |
/disablekrb <http|https|both> | Disable Kerberos encryption for Windows Authentication |
Optional Parameters:
Parameter Name | Description |
---|---|
/url <hostname/address> | The hostname or address of the server (defaults to the hostname) |
/account <account> | The service account OVERLAPS runs as (defaults to LOCAL SYSTEM) |