How local Windows user permissions may affect plugins

This topic describes the local Windows users installed on the CPM and how their permission levels may affect plugins.


During the CPM hardening process, three local Windows Service users are created to run the CPM service:

  • PasswordManagerUser

  • PluginManagerUser

  • ScannerUser

These local users only have the necessary permissions to run the required services and plugins. For specific information about these user permissions, see Configures permissions for Local Windows Service users.

Because these users have least privilege, custom plugins that are run by these users may not work after installing or upgrading to a newer version.

Known plugins affected by low privilege level

The following plugins are known to be affected by the low privilege level of local users:

Custom plugins affected by low privilege level

Custom plugins may be affected by the low privilege level of local Windows users. To determine if the plugins are affected, you can test the custom plugins. If they are not running properly, you can fix the plugin.

Test a custom plugin

  • Trigger a password change and/or password verification.

Fix a custom plugin

  • If a plugin fails, modify the plugin to run with PluginManagerUser.

Modify the VB script-based plugins environment

VB scripts require two keys in the registry in order for the plugins to work properly. Use the procedure below to check if these keys exist, and add them if they are not in the registry.

  1. Open the Registry Editor. In File Explorer, enter regedit in the address bar, and press Enter.

  2. Go to HKEY_USERS/.DEFAULT/Software/Microsoft/.

  3. Under Microsoft, look for Windows Script Host/Settings. If you don't find these two keys, continue to the next step.

  4. Right-click Microsoft, select New > Key, and enter Windows Script Host as the name of the first key.

  5. Right-click Windows Script Host, select New > Key, and enter Settings as the name of the second key.