Configuring Windows local account reconciliation

You can reset out-of-sync managed local Windows account passwords stored in Privileged Access Service using the following methods:

  • Centrify Client for Windows

  • Local administrator account

  • Domain administrator account

If the client isn't installed, you can use either a local or domain administrator account for account reconciliation.

You can use any of these methods to also unlock accounts. An account is locked after a specified number of unsuccessful login attempts.

This topic includes the following sections:

How account reconciliation works on Windows systems

When a password change operation of an account fails, Centrify PAS retries the change operation periodically. If local account reconciliation (sometimes also called LAPR, or local account password reconciliation) is enabled on the system, then the Centrify PAS also reconciles the password as part of the password change operation.

Centrify PAS initiates a password reset of local managed accounts if it detects an out-of-sync password during account login, account checkout, and rotate operations.

The service logs all events and you can view them in the Resources > Systems > Activity page. You can also build custom reports to view activity; for details, see How to create a new report.

Note:   If you configure account reconciliation using the client and you also specify either a local administrator or domain administrator account, the service will try to use the client first to reset the account password. If for some reason the client is not available or encounters a connection issue, then the service will use either the local administrator or domain administrator account, whichever is configured. If both the local and domain administrator accounts are configured and the client account reconciliation already failed, the service uses the local administrator. If then the local administrator account fails to reconcile accounts, the service will stop there (it won't use the domain administrator to reconcile accounts).

For information on configuring password reconciliation, see the following instructions. If you're using the client and one of the administrator accounts, be sure to follow both sets of procedures.

Configuring the Centrify Client for Windows for local Windows account reconciliation

This section includes the procedure to enable password reconciliation to reset out-of-sync account passwords and unlock local account passwords stored in Privileged Access Service on Windows systems that have the Centrify Client for Windows installed and enrolled.

For Centrify Client for Windows installation information, see Installing and using the Centrify Client for Windows

Note:   If you configure the client to handle account reconciliation, any Management Mode settings in Resources > Systems Settings do not apply.

To configure Windows account reconciliation with the Centrify Client for Windows:

  1. In the Admin Portal, navigate to Resources > Systems and then select the system where you want to enable password reconciliation.

  2. Click Client Profile to view the client details and make sure that the system has the client installed and enrolled.

  3. Click Advanced and in the Account Reconciliation Settings area, select one or both of the following:

    • Local Account Automatic Maintenance: Select this option so that Centrify PAS can reset the local account passwords when needed.

    • Local Account Manual Unlock: Select this option so that Centrify PAS can unlock a locked account. An account is locked after a specified number of unsuccessful login attempts.

      Note:   Although the Verify Configuration button is directly under the local account reconciliation settings, it doesn't affect the client settings; you use this button when you set the local or domain administrator account for local account reconciliation.

  4. Click Save.

     

Configuring a local administrator for local Windows account reconciliation

For an additional layer of security, you can specify a local administrator account to manage the local Windows accounts. You can use any account that is in the local Administrators group.

Note:   If using an account in the local Administrators account, you need to disable the following policy:
User Account Control: Run all administrators in Admin Approval Mode security policy setting
You don't need to do this for the built-in Administrator account. For more information, please see this article.

Note:   The Management Mode and Proxy settings configured for a system (located in Resources > Systems > Settings) do apply if local account password reconciliation is enabled but only if the Management Mode is set to use SMB. For management mode, the system defaults to SMB when password reconciliation is configured.

To configure a local administrator account for local Windows account reconciliation

  1. In the Admin Portal, navigate to Resources > Systems and then select the system where you want to enable password reconciliation.

  2. Click Advanced and in the Account Reconciliation Settings area, select one or both of the following:

    • Local Account Automatic Maintenance: Select this option so that Centrify PAS can reset the local account passwords when needed.

    • Local Account Manual Unlock: Select this option so that Centrify PAS can unlock a locked account. An account is locked after a specified number of unsuccessful login attempts.

      Note:   Although the Verify Configuration button is directly under the local account reconciliation settings, it doesn't affect the client settings; you use this button when you set the local or domain administrator account for local account reconciliation.

  3. In the Administrative Account Settings area, click Set next to Local Administrative Account and specify the desired account.

  4. Click Save.

     

Configuring a domain administrator for local Windows account reconciliation

Using a domain administrator account, users with the proper permissions can reset account passwords and unlock local account passwords stored in Privileged Access Service. All password rotations are done using the domain administrator account too.

If a password change fails because the password is out of sync, the service generates an event, and performs a hard password reset on the local account password.

Note:   The Management Mode and Proxy settings configured for a system (located in Resources > Systems > Settings) do apply if local account password reconciliation is enabled but only if the Management Mode is set to use SMB. For management mode, the system defaults to SMB when password reconciliation is configured.

For each Windows system that you want to configure for local account password reconciliation, you need to configure settings for both the domain and each individual system. The table below summarizes the changes for each. Below the table are the procedures to follow for each kind of setting.

Required Domain Settings Required System Settings
  • Set an administrative account (see Setting domain administrative accounts).

    This account is used to unlock/reset passwords for domain accounts and local accounts on systems joined to this domain.

  • Enable account management settings for domain accounts and Windows local accounts. See Setting domain-specific advanced options.

    Make sure the corresponding settings are also enabled in Systems > Advanced.

  • Set a domain at the system level to indicate that the system is joined to a specific domain.

    To ensure that password operations succeed, also make sure the system is joined to the domain outside of the Privileged Access Service.

  • Enable account management settings for the local account (Setting system‑specific advanced options).

    Make sure the corresponding settings are also enabled in Domains > Advanced.

  • Enable the Unlock permission for system users that will perform unlock operations on that system (this is applicable to manual unlock operations where the manual unlock policy is enabled). See Additional system permissions

  • Verify the configuration using the Verify Configuration button.

 

The Privileged Access Service cannot reconcile domain administrative account passwords that may be locked or out of sync. If the domain administrative account encounters an issue, operations using the domain administrative account will fail and an error message is displayed when you browse to the Resources portion of the Admin Portal. To troubleshoot the issue, see Troubleshooting domain administrative accounts.

Configuring the domain for local account password reconciliation

To configure the domain for local account password reconciliation:

Note:   The user logged in to the Admin Portal must have the Edit permission for the domain to configure Administrative Account Settings described in the following procedure.

  1. In the Admin Portal, click Resources >Domains to display a list of domains.
  2. Select the domain and then click the Advanced page.

  3. If it isn't configured already, for the Administrative Account, click Select and enter the domain administrative account that will be used to manage Windows domain-joined systems (see Setting domain administrative accounts).

    The domain administrative account must be a member of the Administrators group on the system. By default, the AD Domain Admins group is a member of the local Administrators group.

  4. Select the desired account reconciliation options:

    • Domain Account Automatic Maintenance: Select this option to manage the passwords for domain accounts. For more details, see see Enable automatic account maintenance using the administrative account.

    • Domain Account Manual Unlock: Select this option to enable Privileged Access Service to unlock any locked domain accounts. For more details, see Enable manual account unlock using the administrative account.

    • Windows Local Account Automatic Maintenance: Select this option to manage the passwords for local Windows accounts.

    • Windows Local Account Manual Unlock: Select this option to enable Privileged Access Service to unlock any locked local Windows accounts.

  5. Click Save.

     

Configuring a system to use the domain administrator account for local account password reconciliation

Note:   The user logged in to the Admin Portal must have the Grant and View permission for the associated domain and the Edit permission for the system in order to configure the settings described in the following procedure.

To configure a system to use the domain administrator account for local account password reconciliation:

  1. Make sure the Windows system where you are configuring password reconciliation is domain-joined.

  2. In the Admin Portal, click Resources > Systems to display a list of systems.
  3. Select the system and then click the Advanced page.
  4. In Domain Settings, click Select and enter the domain administrative account that will be used to manage Windows domain-joined systems. (Also see Setting system‑specific advanced options for additional information.)
  5. In Account Reconciliation, enable one or both of the following settings to successfully manage the passwords for local system accounts:

    • Local Account Automatic Maintenance
    • Local Account Manual Unlock

    Make sure the corresponding settings for Local Accounts are enabled in the Admin Portal > Resources > Domains > Advanced page (described in the previous procedure).

  6. In the Admin Portal, click Resources > Systems > Permissions, and select the Unlock Account permission for users you want to have the ability to manually unlock managed account passwords.

    This can be done globally or at the system level. (See Setting global account permissions or Setting system-specific permissions .)

  7. Once the configuration is complete, select Verify Configuration in Admin Portal >Resources > Systems > Advanced to check that local account password reconciliation is properly configured.

    Make sure the domain administrator account has the View permission in order to verify the configuration.

    If the settings are configured correctly, the message Verification completed successfully. displays. If the settings are not configured correctly, an error message displays. Update your configuration and try Verify Configuration again.

    Note:   If you configure the system with both a local administrator and a domain administrator account, use the Verify Configuration button verifies the local administrator account. To verify the domain setting, you need to remove the local administrator.

    Note:   If you also configure password reconciliation on systems with Centrify Client for Windows, Centrify PAS will only use the domain administrative account to reconcile the out-of-sync password if it encounters a connection issue using the Centrify Client. See Configuring the Centrify Client for Windows for local Windows account reconciliation for configuration details.