Enable automatic account maintenance using the administrative account

 

On the Domains > Advanced page, you can configure Privileged Access Service to perform automatic account maintenance for domain and local accounts. Under Enable Automatic Account Maintenance you can enable the following:

  • Domain Accounts

    Enables Privileged Access Service to manage passwords for managed domain user accounts. Privileged Access Service detects an out-of-sync password for a managed domain user account during password rotation, login, and checkout. Also, when this policy is enabled and the administrative account is configured, a managed domain user account can be added without a password configured; Privileged Access Service automatically resets the password associated with the domain user account.

  • Local Accounts

    Enables Privileged Access Service to manage passwords for local system accounts on domain-joined Windows systems. Using the domain administrative account, users with the proper permissions can reset out-of-sync account passwords stored in Privileged Access Service. Privileged Access Service detects an out-of-sync password for a managed local system account during password rotation, login, and checkout. Also, when this policy is enabled and the administrative account is configured, a managed local system account can be added without a password configured; Privileged Access Service automatically resets the password associated with the local system account. For information on setting up local system account password reconciliation, see Configuring Windows local account password reconciliation.

    Make sure to enable the corresponding policy in Resources > Systems > Advanced (see Setting system‑specific advanced options for details).

Before enabling this policy you need to:

Resetting out-of-sync passwords and unlocking managed accounts does not change the domain account privileges or access to data.