Configuring Windows local account password reconciliation

You can reset out-of-sync managed local Windows account passwords stored in Privileged Access Service using the following methods:

  • Centrify Client for Windows
  • Centrify Connector (uses a domain administrative account configured in the Admin Portal)

When a password change operation for an account fails, Centrify PAS retries the change operation periodically. If local Account Reconciliation is enabled on the system, Centrify PAS also reconciles the password as part of the password change operation. A password reset of a managed local account is initiated if an out-of-sync password is detected during account login, account checkout, or rotate operations.

All events are logged and can be viewed in the Admin Portal on the Resources > Systems > Activity page. To build custom reports of this activity, see How to create a new report.

Note:   If you configure password reconciliation using both the Centrify Client for Windows and via the Centrify Connector (using a domain administrative account), Centrify PAS attempts to use the Centrify Client for Windows method first. If Centrify PAS encounters a connection issue using the Centrify Client, it will then use the domain administrative account via the Centrify Connector to reconcile the out-of-sync password.

For information on configuring password reconciliation, see the following instructions:

  • Centrify Client for Windows: see Password reconciliation using the Centrify Client for Windows.
  • Centrify Connector (uses a domain administrative account): see Password reconciliation using a domain administrative account.
  • Both (Centrify Client for Windows and a domain administrative account): see Password reconciliation using the Centrify Client for Windows and Password reconciliation using a domain administrative account.

Password reconciliation using the Centrify Client for Windows

See the following procedures to enable password reconciliation to reset out-of-sync account passwords and unlock local account passwords stored in Privileged Access Service on Windows systems that have the Centrify Client for Windows installed. Before you configure local account password reconciliation for Windows systems, make sure version 20.3 or newer of the Centrify Client for Windows is installed on the Windows system.

For Centrify Client for Windows installation information, see Installing and using the Centrify Client for Windows.

Note:   The Management Mode and Proxy settings configured for a system (located in Admin Portal > Resources > Systems > Settings) still apply if local account password reconciliation is enabled.

To configure password reconciliation on Windows systems with the Centrify Client installed:

  1. In the Admin Portal, click Resources > Systems and then select the system where you want to enable password reconciliation.

  2. Make sure the system has version 20.3 or later of the Centrify Client for Windows installed.

    To determine the client version installed on the system, check the Resources > Systems > Client Profile page. If the system does not have the client installed, the message Centrify Client not installed is displayed.

  3. Once you verify that the system has the Centrify Client for Windows installed, click the Advanced page.
  4. In Account Reconciliation, enable one or both of the following policies to successfully manage the passwords for local system accounts:

    • Local Account Automatic Maintenance
    • Local Account Manual Unlock

    Note:   If you also configure password reconciliation using a domain administrative account, Centrify PAS will only use the domain administrative account to reconcile the out-of-sync password if it encounters a connection issue using the Centrify Client. See Password reconciliation using a domain administrative account for configuration details.

  5. In the Admin Portal, click Resources > Systems > Permissions, and select the Unlock Account permission for users you want to have the ability to manually unlock managed account passwords.

    This can be done globally or at the system level. (See Setting global account permissions and Setting system-specific permissions.)

    Note:   The Verify Configuration button does not apply when systems are configured for account reconciliation using the Centrify Client for Windows.

Password reconciliation using a domain administrative account

Using a domain administrative account, users with the proper permissions can reset out-of-sync account passwords and unlock local account passwords stored in Privileged Access Service. All password rotations are done using the domain administrative account. If the password change fails because the password is out of sync, an event is created and a hard password reset is done. Local account password reconciliation (LAPR) is only available for managed local accounts on domain-joined Windows systems.

Note:   The Management Mode and Proxy settings configured for a system (located in Admin Portal > Resources > Systems > Settings) do not apply if local account password reconciliation is enabled. For management mode, the system defaults to SMB when password reconciliation is configured. If reconciliation is not enabled for a system using the Centrify Connector, then management mode and proxy account settings are used for managed accounts.

Before you configure local account password reconciliation, make sure that the Centrify Connector is version 19.5 or newer, and also that systems with a domain set are joined to that domain.

For each Windows system that you want to configure for local account password reconciliation, configure the following Admin Portal settings at the domain level and for each individual system joined to the domain. For detailed instructions, see the procedures following this summary.

Required Domain Settings

  • Set an administrative account (see Setting domain administrative accounts).

    This account is used to unlock/reset passwords for domain accounts and local accounts on systems joined to this domain.

  • Enable account management policies for local accounts (you can enable one or both policies). See Setting domain-specific advanced options.

    Make sure the corresponding policies are also enabled in Systems > Advanced.

Required System Settings

  • Set a domain at the system level to indicate that the system is joined to a specific domain.

    To ensure that password operations succeed, also make sure the system is joined to the domain outside of the Privileged Access Service.

  • Enable account management policies for the local account (see Setting system-specific advanced options).

    Make sure the corresponding policies are also enabled in Domains > Advanced.

  • Enable the Unlock permission for system users that will perform unlock operations on that system (this applies to manual unlock operations where the manual unlock policy is enabled). See Additional system permissions.

  • Verify the configuration using the Verify Configuration button.

The Privileged Access Service cannot reconcile domain administrative account passwords that may be locked or out of sync. If the domain administrative account encounters an issue, operations using the domain administrative account will fail and an error message is displayed when you browse to the Resources portion of the Admin Portal. To troubleshoot the issue, see Troubleshooting domain administrative accounts.

To configure domain settings for local account password reconciliation:

Note:   The user logged in to the Admin Portal must have the Edit permission for the domain to configure Administrative Account Settings described in the following procedure.

  1. In the Admin Portal, click Resources > Domains to display a list of domains.
  2. Select the domain and then click the Advanced page.

  3. If it isn't configured already, in the Administrative Account text box, click Select and enter the domain administrative account that will be used to manage Windows domain-joined systems (see Setting domain administrative accounts).

    The domain administrative account must be a member of the Administrators group on the system. By default, the AD Domain Admins group is a member of the local Administrators group.

  4. Under Enable Automatic Account Maintenance, check the box for Local Accounts to enable Privileged Access Service to successfully manage the passwords for local Windows system accounts.

    You can also check the box for Domain Accounts to enable Privileged Access Service to successfully manage the passwords for domain accounts (see Enable automatic account maintenance using the administrative account).

  5. Under Enable Manual Account Unlock, check the box for Local Accounts to enable Privileged Access Service to manually unlock managed local system accounts.

    You can also check the box for Domain Accounts to enable Privileged Access Service to manually unlock managed domain accounts (see Enable manual account unlock using administrative account).

To configure system settings for local account password reconciliation:

Note:   The user logged in to the Admin Portal must have the Grant and View permission for the associated domain and the Edit permission for the system in order to configure the settings described in the following procedure.

  1. Make sure the Windows system where you are configuring password reconciliation is domain-joined.

  2. In the Admin Portal, click Resources > Systems to display a list of systems.
  3. Select the system and then click the Advanced page.
  4. In Domain Settings, click Select and enter the domain administrative account that will be used to manage Windows domain-joined systems. (Also see Setting system‑specific advanced options for additional information.)
  5. In Account Reconciliation, enable one or both of the following policies to successfully manage the passwords for local system accounts:

    • Local Account Automatic Maintenance
    • Local Account Manual Unlock

    Make sure the corresponding policies for Local Accounts are enabled in the Admin Portal > Resources > Domains > Advanced page (described in the previous procedure).

  6. In the Admin Portal, click Resources > Systems > Permissions, and select the Unlock Account permission for users you want to have the ability to manually unlock managed account passwords.

    This can be done globally or at the system level. (See Setting global account permissions and Setting system-specific permissions.)

  7. Once the configuration is complete, select Verify Configuration in Admin Portal > Resources > Systems > Advanced to check that local account password reconciliation is properly configured.

    Make sure the domain administrator account has the View permission in order to verify the configuration. If the settings are configured correctly, the message Verification completed successfully. is displayed. If the settings are not configured correctly, an error message is displayed. Update your configuration and try Verify Configuration again.

    Note:   If you also configure password reconciliation on systems with Centrify Client for Windows, Centrify PAS will only use the domain administrative account to reconcile the out-of-sync password if it encounters a connection issue using the Centrify Client. See Password reconciliation using the Centrify Client for Windows for configuration details.
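The following pre-flight check is an added example written for this page; it is not part of Centrify's documentation or product. Run it on the Windows system before configuring either method: it verifies the prerequisites the procedures above state (the system is joined to the expected domain, the domain administrative account is a member of the local Administrators group, and the Centrify Client for Windows, if installed, is version 20.3 or newer). The $ExpectedDomain and $AdminAccount parameters, the sample values in their comments, and the 'Centrify Client*' display-name pattern used to find the client in the Uninstall registry keys are assumptions, not documented identifiers.

```powershell
# Pre-flight check for local account password reconciliation (added example, not Centrify code).
# Exits 1 if any prerequisite fails so it can be used from deployment tooling.
param(
    [Parameter(Mandatory)] [string]$ExpectedDomain,  # e.g. 'corp.example.com' (placeholder)
    [Parameter(Mandatory)] [string]$AdminAccount     # e.g. 'CORP\svc-pas-admin' (placeholder)
)

$results = @()

# 1. Domain join: the Connector (domain administrative account) method only works for
#    domain-joined systems, and the domain set in the Admin Portal must match the real one.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$joined = $cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)
$results += [pscustomobject]@{ Check = "Joined to $ExpectedDomain"; Pass = $joined; Detail = $cs.Domain }

# 2. Local Administrators membership of the domain administrative account. Only direct
#    members are listed here, so an account that is admin only via a group such as
#    Domain Admins is reported as a failure; confirm group membership manually in that case.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name
$isAdmin = $members -contains $AdminAccount
$results += [pscustomobject]@{ Check = "$AdminAccount is a direct member of local Administrators"
                               Pass = $isAdmin; Detail = ($members -join ', ') }

# 3. Centrify Client for Windows version. The client is required only for the Client method,
#    so a missing client is reported but is not an error for Connector-only configurations.
#    The DisplayName pattern below is an ASSUMPTION, not a documented product name.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$client = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Centrify Client*' } |
          Select-Object -First 1
if ($client) {
    $ok = [version]$client.DisplayVersion -ge [version]'20.3'
    $results += [pscustomobject]@{ Check = 'Centrify Client for Windows >= 20.3'; Pass = $ok
                                   Detail = $client.DisplayVersion }
} else {
    $results += [pscustomobject]@{ Check = 'Centrify Client for Windows installed'; Pass = $true
                                   Detail = 'not found; required only for the Client method' }
}

$results | Format-Table -AutoSize | Out-Host
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it in an elevated PowerShell session on the target system; Get-LocalGroupMember and the HKLM keys need local administrator rights to read reliably.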