Matrix42 Self-Service Help Center

AdminTool commandline

How to Use the Commandline Version of the AdminTool

The command-line version of the AdminTool can be used to perform some server tasks from the command line. An administrator can configure several EgoSecure Servers by pushing the same script to all servers simultaneously, which automates server tasks.

  • Run cmd as administrator.
  • Define the path to the AdminTool.exe. By default, the following path is used: C:\Program Files\EgoSecure\EgoSecure Server\
cd "C:\Program Files\EgoSecure\EgoSecure Server\"
  • Press Enter.
  • Type AdminTool.exe and add a command from this document. In the example below the /showClientSettings command is used:
AdminTool.exe /showClientSettings
  • Press Enter.
  • Now you can see the list of settings currently applied to all Agents managed in all EgoSecure Servers.

Display all available commands

The following command displays all available commands:

admintool.exe/?


Server Configuration

For the commands in this section, restart the EgoSecure Server service to apply the changes.

Command Addition Description
/serverType SERVER_TYPE

Defines a type of the installed server. SERVER_TYPE: 0 - management (default), 1 - shadowcopy, 2 – management + shadowcopy

/xmlrpcport AGENT_PORT Port on the Server for incoming connections used by Agents.
/agentPort AGENT_NOTIFICATION_PORT Port on the Agents for incoming connections.
/httpsPort HTTPS_PORT Port for incoming connections on the Server via HTTPS.
/dsType DIRECTORY_SERVICE_TYPE

Changes directory service type. DIRECTORY_SERVICE_TYPE: 0 - none (own), 1 - AD, 2 - Novell, 3 – LDAP, 4 – Azure AD

/ownDirectory OWN_DIR_SUPPORT

Enables or disables own directory support mode (additionally for AD or Azure AD) OWN_DIR_SUPPORT: 0 - turn off, 1 - turn on

/domainController DOMAIN_CONTROLLER_NAME Adds new domain controller or changes parameters for an existing one (if AD is selected).
/domainController LDAP_SERVER_NAME Adds new domain controller or changes parameters for an existing one (if LDAP is selected).
/domainController NDS_SERVER_NAME Adds new domain controller or changes parameters for an existing one (if Novell is selected).
/domainController DIRECTORY_ID Adds new domain controller or changes parameters for an existing one (if Azure AD is selected).
/adUser DOMAIN_CONTROLLER_USER_NAME If AD is selected.
/adUser LDAP_SERVER_USER_NAME If LDAP is selected.
/adUser NDS_SERVER_USER_NAME If Novell is selected.
/adUser APPLICATION_ID If Azure AD is selected.
/adPassword DOMAIN_CONTROLLER_USER_PASSWORD If AD is selected.
/adPassword LDAP_SERVER_USER_PASSWORD If LDAP is selected.
/adPassword NDS_SERVER_USER_PASSWORD If Novell is selected.
/adPassword APPLICATION_PASSWORD/CLIENT_SECRET If Azure AD is selected.
/dsContext DC_USER_CONTEXT Only if Novell or LDAP are selected
/dsStartOU SYNC_START_OU Only if AD is selected
/dbServer DATABASE_SERVER  
/dbMultiSubnetFailover MULTISUBNETFAILOVER_ENABLE Enables MultiSubnetFailover on the Microsoft SQL Server if Always On availability groups are set up. 0 - no (default), 1 – yes. For details about MultiSubnetFailover, see the Microsoft article.
/createDB  Creates a database.
/dbServer DATABASE_SERVER  
/dbName DATABASE_NAME  
/dbUserName DATABASE_USER_NAME  
/dbPassword DATABASE_USER_PASSWORD  
/serverWindowsLog USE_WINDOWS_LOG USE_WINDOWS_LOG: 0 – EgoSecure Server does not write information about activities to the Windows Event Viewer, 1 – write EgoSecure Server events to the Windows Event Viewer
/resetDB DATABASE_RESET_TO_DEFAULT  
/acceptAudit ACCEPT_AUDIT_DATA This option defines whether the server should accept audit data from clients: 0 - no, 1 – yes
/acceptShadowcopy ACCEPT_SHADOWCOPY_DATA This option defines whether the EgoSecure Server receives shadowcopy data from Agents and, therefore, whether it is available to download a shadow copy of a file from Console: 0 - no, 1 - yes
/acceptDevices ACCEPT_DATA_FOR_DEVICES_DB This option defines whether the server should accept inventory data (devices DB) from clients: 0 - no, 1 - yes
/logonSelfInit SELF_INIT_MODE

This option defines whether the first logged-in user receives super administrator privileges. 0 - no (default), 1 – yes

 

Before performing /logonSelfInit

To perform this command, make sure that a user exists in the EgoSecure database. The user appears in the EgoSecure database if one of the following is performed:

  • Database is synchronized with the directory service.
  • Agent is installed locally and connected to the EgoSecure Server (Own directory).
  • User is manually created under User management and his SID is manually added (Own directory).
/slType SERVER_SERVICE_LOGIN_TYPE SERVER_SERVICE_LOGIN_TYPE: 0 - system account (default), 1 - user account
/accName userAccountName  
/accPassword userAccountPassword  
/enableIPv6 ENABLE_IPV6 ENABLE_IPV6: 0 - disable IPv6. IPv4 will be used instead, 1 - enable IPv6.
/sp NEW_PASSWORD /spOld OLD_PASSWORD These options change the supervisor password if the current one is known.
/sp NEW_PASSWORD /securityCode SECURITY_CODE These options change the supervisor password if the current one is lost. For details about this way of resetting the supervisor password, contact support at helpdesk@matrix42.de
/disableAdmin NAME This option disables the account of an administrator or a super administrator. A disabled admin cannot log in to the Console until the account is enabled again, but the password can be changed.
/disableAdmin NAME /securityCode SECURITY_CODE These options disable the supervisor account. A disabled supervisor cannot log in to the Console until the account is enabled again, but the password can be changed. For details about this way of disabling the supervisor account, contact support at helpdesk@matrix42.de
/enableAdmin NAME This option enables a disabled account of an administrator or a super administrator.
/enableAdmin NAME /securityCode SECURITY_CODE These options enable the disabled supervisor account. For details about this way of enabling the supervisor account, contact support at helpdesk@matrix42.de

Server Settings

Command Additional Information
/impdir ACL_IMPORT_DIR  
/impdirsuccess IMPORT_SUCCESS_DIR  
/impdirfail IMPORT_FAIL_DIR  
/serverLogsTime LOG_TIME_LIMIT  
/serverLogsSize LOG_SIZE_LIMIT  
/serverLogsLevel LOG_LEVEL LOG_LEVEL: 1 – normal, 2 – administration, 3 - debug (default), 4 - none
/showServers Displays the list of EgoSecure and ShadowCopy servers.
/deleteServer SERVER_NAME Removes server from the list by name.
/addServer SERVER_NAME Adds a server alias to the list of servers.
/port PORT  
/type SERVER_TYPE SERVER_TYPE: 0 - Management (default), 1 - ShadowCopy, 2 – Management + ShadowCopy
/priority PRIORITY  
/tenant

Parameter is placed after every setting parameter to specify to which tenant these settings must be applied

  • /tenant TENANT_NAME - apply settings to the Agents of the specified tenant by its name
  • /tenant DEFAULT - apply settings to the Agents of the <default> tenant
  • /tenant ALL - apply settings to the Agents of ALL tenants

Example: permitting network shares control for a tenant with name “EgoSecure”

/allowNetworkSharesControl 1 /Tenant EgoSecure

Client Settings

Command Additional Information
/agentLogsTime LOG_TIME_LIMIT  
/agentLogsSize LOG_SIZE_LIMIT  
/agentLogsLevel LOG_LEVEL LOG_LEVEL: 1 – normal, 2 – administration (default), 3 – debug, 4 - none
/driveLetter FIRST_DRIVE_LETTER  
/allowAccessQueries ALLOW_ACCESS ALLOW_ACCESS: 0 - disallow users to send requests for access rights changing, 1 – allow request for access rights changing
/allowDeleteLogs ALLOW_DELETE ALLOW_DELETE: 0 – disallow users to delete log files of the EgoSecure Agent, 1 – allow log files delete
/commonOpsTimeout TIMEOUT_IN_SECONDS How long the client should wait for response from the server during common operations
/longOpsTimeout TIMEOUT_IN_SECONDS How long the client should wait for response from the server during long operations such as Update of Agents
/allowPrinterControl ALLOW_PRINTER_CONTROL ALLOW_PRINTER_CONTROL: 0 – disallow EgoSecure Agent to control an access to printers instead of Windows printer control, 1 – allow EgoSecure Agent to control an access to printers
/allowNetworkSharesControl ALLOW_CONTROL ALLOW_CONTROL: 0 – disallow EgoSecure Agent to control an access to network shares, 1 – allow network shares control
/allowThinClientControl ALLOW_CONTROL ALLOW_CONTROL: 0 – disallow EgoSecure Agent to control an access to thin client storage, 1 – allow thin client storage control
/allowHddFullControl ALLOW_HDD_FULL_CONTROL ALLOW_HDD_FULL_CONTROL: 0 – disallow additional hard disks control, 1 – allow additional hard disks control. Additional hard disks are controlled like external media – encryption and file type filters will be applied.
/denyLowLevelDiskAccess DENY_LL_DISK_ACCESS DENY_LL_DISK_ACCESS: 0 – allow low-level disk access, 1 – disallow low-level disk access
/loginTimeout TIMEOUT_IN_MINUTES The period of time for automatic logoff procedure, and turning back to the rights of the main user after the “LoginAs” operation
/checkAccountExpiration CHECK_ACCOUNT_EXPIRATION CHECK_ACCOUNT_EXPIRATION: 0 – do not use account expiration date from the Active Directory, and do not deny access for the user if the account has expired, 1 – deny access for the expired account
/agentWindowsLog USE_WINDOWS_LOG USE_WINDOWS_LOG: 0 – EgoSecure Agents do not write their activity to the Windows Event Viewer, 1 – write EgoSecure events to the Windows Event Viewer
/agentSyslog USE_SYSLOG USE_SYSLOG: 0 – EgoSecure Agents do not write their activity to the Syslog, 1 – write EgoSecure events to the Syslog
/restrictKbdAccess RESTRICT_KBD_ACCESS RESTRICT_KBD_ACCESS: 0 – EgoSecure Agents do not restrict access to additional keyboards, 1 – EgoSecure Agents restrict access to additional keyboards
/autoKbdRegister REGISTER_KBD REGISTER_KBD: 0 - EgoSecure Agent does not save newly connected keyboards to the user list of permitted devices, only previously registered keyboards and the primary keyboard are permitted, 1 – EgoSecure Agent saves all connected keyboards to the user list of permitted devices
/restrictMouseAccess RESTRICT_MOUSE_ACCESS RESTRICT_MOUSE_ACCESS: 0 – EgoSecure Agents do not restrict access to additional mice, 1 – EgoSecure Agents restrict access to additional mice
/archivesScanning ARCHIVES_SCANNING 0 – file type filter does NOT scan archives, 1 – file type filter scans archives
/agentTokenCheck ENABLE_TOKEN_CHECK

ENABLE_TOKEN_CHECK: 0 – disable the authorization token check on Agents. 1 – enable the authorization token check on Agents to protect them from being replaced.

/denyStorageExecuteAccess DENY_STORAGE_EXECUTE

DENY_STORAGE_EXECUTE: 0 – File execute access is not forbidden within this option. 1 – Forbid to execute files on CD\DVD and external storage (except mobile devices). Works independently of the Access Control product

SSL Certificates

Command Additional Information
/importCert FILE_PATH Imports a certificate of the given type from the FILE_PATH
/type CERT_TYPE CERT_TYPE: 2 – Server, 3 – Agent, 4 - Console
/pwd PASSWORD Password for a private key that protects a certificate
/exportCert FILE_PATH Exports a certificate of the given type to the FILE_PATH
/type CERT_TYPE CERT_TYPE: 2 – Server, 3 – Agent, 4 - Console
/pwd PASSWORD Password for a private key that protects a certificate
/enableSSL ENABLE_SSL ENABLE_SSL: 0 – disables communication via SSL, 1 – enables communication via SSL
/allowInsecureConnect ALLOW_INSECURE_CONNECT ALLOW_INSECURE_CONNECT: 0 – connection between EgoSecure components must be established only via SSL, 1 – allows communication without SSL if connection via SSL is not possible.

Inheritance Settings

Command Additional Information
/inheritancePriorityAC PRIORITY_AC PRIORITY_AC: 0 – access permissions have priority, 1 – access restrictions have priority
/inheritancePriorityCP PRIORITY_CP

PRIORITY_CP: 0 – encryption permissions have priority, 1 – encryption restrictions have priority

If permissions have priority, the user gets access to a device as soon as one of his groups has access rights for this device. Otherwise, the ‘no access’ rights in one of his groups are enough to deny this user access to the device.

/inheritanceGroups GROUPS

GROUPS: 0 – EgoSecure groups, 1 – AD/Novell groups, 2 – EgoSecure and AD/Novell groups

Here you can define rights of which groups may be inherited by a user.

Applying Settings to Tenants

Command Additional Information
/tenant

Parameter is placed AFTER setting parameters to specify to which tenants these settings are applied

/tenant TENANT_NAME - apply settings to the Agents of the specified tenant by its name
/tenant DEFAULT - apply settings to the Agents of the <default> tenant
/tenant ALL - apply settings to the Agents of ALL tenants

Example

Permitting network shares control for a tenant with name "EgoSecure":

/allowNetworkSharesControl 1 /Tenant EgoSecure

Settings used with /tenant parameter

 Server import settings:

Command Additional Information
/impdir ACL_IMPORT_DIR This command is NOT executed with /tenant ALL, because each tenant may have different folders.
/impdirsuccess IMPORT_SUCCESS_DIR  
/impdirfail IMPORT_FAIL_DIR  

 Cryption Mobile option:

Command Additional Information
/cpmOpen CPM_OPEN_TYPE CPM_OPEN_TYPE: 0 - decrypt to the temporary folder on the computer, 1 - decrypt to the temporary folder on the same drive, 2 - decrypt directly

Operations (server commands)

Command Additional Information
/sync Start synchronization (with new user activation option)
/activateUsers ADDONS  
/activateComputers ADDONS  
/syncLog SYNC_LOG SYNC_LOG: 0 - disables synchronization log, 1 - enables synchronization log
/removeOldADObjects Remove old AD objects
/license LICENSE_FILE_PATH /user USER_NAME Apply license file on the server
/licenseCode ACTIVATION_CODE /user USER_NAME /email EMAIL /company COMPANY_NAME Apply license activation code on the server
/install [all] [COMPUTER_NAMES] Install the EgoSecure Agent for all or selected computers only
/update [all] [COMPUTER_NAMES] Update the EgoSecure Agent for all or selected computers only

ADDONS – sum of following numbers (in decimal format), showing which products must be activated:

  • 1 – Secure Audit
  • 2 – Removable Device Encryption
  • 4 – Shadow Copy
  • 8 – Cloud Storage Encryption
  • 16 – Application Control
  • 32 – Local Folder Encryption
  • 128 – Access Control
  • 256 – Green IT
  • 512 – Secure Erase
  • 1024 – BitLocker Management
  • 2048 – EgoSecure Antivirus
  • 8192 – Insight Analysis
  • 16384 – Inventory
  • 32768 – Network Share Encryption
  • 65536 – Permanent Encryption
  • 131072 – Password Manager
  • 262144 – IntellAct Automation
  • 1048576 – DLP - Data in Use
  • 2097152 – DLP - Data at Rest
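The ADDONS value is a bit mask, so it can be built from product names and decoded back for review. The following is an added example, not part of the original article or of the AdminTool; the function names are hypothetical, and the product values are copied from the list above.

```python
# Product values copied from the ADDONS list on this page.
ADDONS = {
    1: "Secure Audit", 2: "Removable Device Encryption", 4: "Shadow Copy",
    8: "Cloud Storage Encryption", 16: "Application Control",
    32: "Local Folder Encryption", 128: "Access Control", 256: "Green IT",
    512: "Secure Erase", 1024: "BitLocker Management", 2048: "EgoSecure Antivirus",
    8192: "Insight Analysis", 16384: "Inventory", 32768: "Network Share Encryption",
    65536: "Permanent Encryption", 131072: "Password Manager",
    262144: "IntellAct Automation", 1048576: "DLP - Data in Use",
    2097152: "DLP - Data at Rest",
}
KNOWN_MASK = sum(ADDONS)  # every bit that the list assigns to a product


def encode_addons(products):
    """Return the decimal ADDONS value for a list of product names."""
    by_name = {name.lower(): bit for bit, name in ADDONS.items()}
    value = 0
    for product in products:
        if product.lower() not in by_name:
            raise ValueError(f"unknown product: {product!r}")
        value |= by_name[product.lower()]  # OR, so a repeated name is not added twice
    return value


def decode_addons(value):
    """Return the product names an ADDONS value activates.

    Values that set a bit missing from the list (for example 64 or 4096)
    are rejected instead of being silently ignored.
    """
    if value < 0 or value & ~KNOWN_MASK:
        raise ValueError(f"ADDONS value {value} sets bits that are not in the list")
    return [name for bit, name in sorted(ADDONS.items()) if value & bit]


if __name__ == "__main__":
    wanted = ["Secure Audit", "Removable Device Encryption", "Access Control"]
    print(encode_addons(wanted))   # value to pass to /activateUsers or /activateComputers
    print(decode_addons(131))
```

Decoding the number found in an existing script before running it shows exactly which products `/activateUsers` or `/activateComputers` would activate.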

Administrators

Command Additional Information
/sp NEW_PASSWORD /spOld OLD_PASSWORD Modify Supervisor password (existing password required)
/sp FIRST_PASSWORD Define a supervisor password if it wasn’t defined during first console login
/addAdmin NAME Create an account of a super administrator
/pwd PASSWORD If this parameter is not specified, the super administrator can log in without a password
/email EMAIL  
/tenant TENANT_NAME To assign a tenant with a specific name to the super administrator; /tenant DEFAULT – to assign a default tenant to the super administrator
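Because these commands are pushed to several servers as a script, the script can be reviewed before it runs. The following check is an added example, not part of the original article or of the AdminTool: it flags option values that the Server Configuration, Client Settings, SSL Certificates and Administrators tables describe as switching a protection off, and passwords given as arguments. Function names and the sample script are constructed; options are matched case-insensitively, as the page's own examples mix /tenant and /Tenant.

```python
import re

# (option, value) pairs that this page documents as switching a protection off.
WEAK = {
    ("/allowinsecureconnect", "1"): "components may communicate without SSL",
    ("/enablessl", "0"): "communication via SSL is disabled",
    ("/logonselfinit", "1"): "first logged-in user becomes super administrator",
    ("/agenttokencheck", "0"): "Agent authorization token check is disabled",
    ("/serverlogslevel", "4"): "server logging is set to none",
}
# Options whose value is a password or code according to the tables on this page.
SECRETS = {"/adpassword", "/dbpassword", "/accpassword", "/sp", "/spold",
           "/pwd", "/securitycode"}

def parse(line):
    """Map each /option (lower-cased) to its value; None for non-AdminTool lines."""
    tokens = re.findall(r'"[^"]*"|\S+', line)
    if not tokens or not tokens[0].strip('"').lower().endswith("admintool.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if not tokens[i].startswith("/"):
            i += 1
            continue
        # Assumption: a value never starts with "/" (such a value reads as an option).
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        opts[tokens[i].lower()] = tokens[i + 1].strip('"') if has_value else None
        i += 2 if has_value else 1
    return opts

def audit(script):
    """Return (line_number, option, reason) findings for a deployment script."""
    findings = []
    for number, line in enumerate(script.splitlines(), 1):
        opts = parse(line)
        if opts is None:
            continue
        for opt, value in opts.items():
            if (opt, value) in WEAK:
                findings.append((number, opt, WEAK[(opt, value)]))
            if opt in SECRETS and value is not None:
                findings.append((number, opt, "secret given in clear text as an argument"))
        if "/addadmin" in opts and opts.get("/pwd") is None:
            findings.append((number, "/addadmin", "super administrator can log in without a password"))
    return findings

# Constructed sample script (server, account and password values are made up).
SAMPLE = r'''cd "C:\Program Files\EgoSecure\EgoSecure Server\"
AdminTool.exe /enableSSL 1 /allowInsecureConnect 1
AdminTool.exe /addAdmin helpdesk2 /email helpdesk2@example.test /tenant DEFAULT
AdminTool.exe /dbServer SQL01 /dbName EgoSecure /dbUserName svc_ego /dbPassword "Constructed-Pw1"
AdminTool.exe /agentTokenCheck 1 /denyStorageExecuteAccess 1 /tenant ALL
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

A script that contains password arguments should be readable only by the administrators who deploy it and should not be left on the servers after it has run.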

Database Migration

Command Additional Information
/importCFDB CFDB_FILE_PATH Import file formats to transfer them from one database to another. To see the list of imported file formats, go to Product settings | Filters | File type filters and click the Define file formats button in the lower area.
/exportCFDB CFDB_FILE_PATH Export file formats to transfer them from one database to another. To see the list of exported file formats, go to Product settings | Filters | File type filters and click the Define file formats button in the lower area.
/exportDB FILE_PATH [/products] [/acl] [/pd] [/es] [/keys] [/ftf]

Export user/computer settings, access rights, products etc. from the database into a file.

  • /products - product activations for a user/computer
  • /acl - access rights
  • /pd - permitted devices, device models and media
  • /es - encryption settings
  • /keys - encryption keys
  • /ftf - export file type filters and filter settings for users

When exporting settings containing filters with additional file formats, it is essential to also export the corresponding file formats using /exportCFDB.

/importDB FILE_PATH [/identity IDENTITY]

Import user/computer settings, access rights, products etc. from a file.

IDENTITY - key field for user identification: sid (default), guid, email, name.

When importing data containing filters that reference additional file formats, first import the corresponding file formats using /importCFDB into an empty database before using /importDB.

Examples:

  • AdminTool.exe /exportDB C:\MyDB.dat /acl /pd /products /es /keys
  • AdminTool.exe /importDB C:\MyDB.dat /identity email
/exportAdminRights RIGHTS_FILE_PATH Export administrative roles.
/importAdminRights RIGHTS_FILE_PATH Import administrative roles.
/importLayout XML_FILE_PATH Import console layout settings from the file (saved per console).

Full Disk Encryption Configuration

Command Additional Information
/installCPHDD MACHINE_NAME Install Matrix42 Full Disk Encryption on the target machine.
/initFDE MACHINE_NAME Initialize FDE on the target machine (Matrix42 Full Disk Encryption must be installed).
/initPBA MACHINE_NAME Initialize PBA on the target machine (Matrix42 Full Disk Encryption must be installed and FDE initialized).
/encryptDrive MACHINE_NAME Encrypt drive C on the target machine (you can also pass the drive letter within quotes: "MACHINE_NAME D").

Information

Command Additional Information
/CryptionProInfo [OUTPUT_FILE_PATH] Information about the number of users with activated Full Disk Encryption.
/showClientSettings Displays the current client settings.
/out OUTPUT_FILE_PATH /append Redirects all output information into the specified file instead of the console output. With the append command the log output is not overwritten after a new command with the out parameter is used.
/waitInput Waiting for user input on exit.