After you run discovery jobs to add services that run under local or domain accounts, you need to perform a few additional steps to enable automated password management for each service. Keep in mind that the service account is the account that runs an application service or scheduled task. Automated password management also requires an administrative account. The administrative account is the account that rotates the service account password.
To prepare for automated password rotation of service account passwords, you need to:
- Identify a stored administrative account that will be used to manage the password for the service account. The account must be a domain account stored in the Privileged Access Service and must have the Rotate permission. For more information about granting permission to an account, see Assigning task-specific permissions. For an overview of what different permissions allow users to do, see Assigning permissions.
- Determine whether you need to create a special account—called a multiplexed account—to ensure password synchronization if a service account runs on multiple computers. For more information about multiplexed accounts, see Adding multiplexed accounts.
- Set the global- or system-specific password rotation policy on the systems where the service runs. For more information about setting the password rotation policy, see Enable periodic password rotation.
- Update the service settings to enable automated password management.
To update service settings:
- Click Resources, then Services, then select a service.
- Click Select to search for and select a domain account.
  - Type a search string to locate the appropriate account.
  - Select the account in the list of results, then click Add.
- Type an optional description for the service.
- Verify the service type and name.
- Leave Enable management of this application password unselected to continue using the discovered service account.

  You can select Enable management of this application password if you want the password for the service account to be managed by the Zero Trust Privileged Access Service. However, this option requires you to create a multiplexed account to replace the service account that was discovered.

  Because additional steps are required to replace the discovered service account, you should not select Enable management of this application password unless you have prepared accounts as described in Adding multiplexed accounts. You can create and configure multiplexed accounts before or after updating the other service settings.

  The remaining fields are only applicable after you select Enable management of this application password to automate password rotation. For more information about configuring automatic password rotation, see Automating password rotation.
- Click Save to save the service settings.
If a service is still running under its service account when it is time to rotate the password, password rotation is skipped until the service session ends.