In most cases, you add services to Privileged Access Service by running discovery jobs that scan your network for information about computers in Active Directory domains. However, you can also manually add services on a system-specific basis.
To add services manually, you must have the following administrative permissions:
- Edit permission on the target system.
- Checkout permission for the administrative account.
- Checkout and Edit permission for the sub-accounts associated with the multiplexed account for the service.
For more information about setting permissions, see Setting global system permissions and Setting global account permissions. If you want to enable automatic password management for the service, you must also create two new accounts to use as the multiplexed account. For more information about preparing a multiplexed account, see Adding multiplexed accounts.
To manually add a service:
1. In the Admin Portal, click Resources, then click Services to display the list of services and scheduled tasks.
2. Click Add Service.

   Alternatively, you can select a system to display its details, then click Services to add a system-specific service.
3. Click Select to browse for or change the target system where the service runs.
4. Type an optional description for the service.
5. Select Windows Service, Windows Scheduled Task, or IIS Application Pool as the service type.
6. Type the service name, application pool name, or the full path to the scheduled task. For example, the service name for the Virtual Disk service is vds.
7. Select Enable management of this application password if you want the password for the service account to be managed by the Privileged Access Service.

   This setting requires you to specify an administrative account in Step 8 and a multiplexed account in Step 9. If you have not yet prepared a multiplexed account, see Adding multiplexed accounts before selecting Enable management of this application password for a new service.
8. Type a search string to locate an appropriate domain account that is stored in the Privileged Access Service and has sufficient permissions to modify the service account password. Select the account in the list of results, then click Add.

   The administrative account is the account that rotates the service account password if you enable automatic password management.
9. Select the multiplexed account for the service. The multiplexed account must meet the following criteria:
   - Its sub-accounts must be domain accounts with passwords stored and managed by the Privileged Access Service.
   - Its sub-accounts must have sufficient permissions to run the Windows service or scheduled task.
   - The domain where the sub-accounts are used must have periodic password rotation enabled and a duration set at the domain or global security settings level.

   You should not use Active Directory Managed Service Accounts or Group Managed Service Accounts as multiplexed accounts.

   You can configure multiplexed accounts for services after running discovery jobs, or before or after adding a service manually. You must create multiplexed accounts before you can enable automatic password rotation.
10. Click Save to save the service settings.

If changing the account password for a service requires restarting the service, you can have the service restarted automatically without any time constraints, or only on certain days of the week and certain hours of the day. For more information about enforcing time restrictions, see Setting restart time constraints.
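Before adding services manually, it helps to know which services, scheduled tasks and application pools on a system actually run under an account whose password needs to be managed, and which of them use a Managed Service Account or Group Managed Service Account, since those cannot serve as multiplexed accounts. The following PowerShell script is an added example, not part of the Privileged Access Service documentation or product. It assumes it is run in an elevated session on the target Windows system; the WebAdministration module is only used if it is installed, and the identity classification (built-in identities, `NT SERVICE\` virtual accounts, names ending in `$` treated as MSA/gMSA) is a local heuristic, not a product API.

```powershell
# Added example; not part of the Privileged Access Service documentation.
# Inventories the identity that each Windows service, scheduled task and IIS
# application pool on the local system runs as, so you can see which ones use a
# domain or local account (a password that needs management) and which use an
# MSA/gMSA (not usable as a multiplexed account). Run in an elevated session.

# Built-in identities: no stored password, nothing to rotate.
$BuiltinIdentities = @(
    'LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService', 'LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NETWORK SERVICE'
)

# Heuristic classification of a logon identity (assumption, not a product rule).
function Get-IdentityKind {
    param([string] $Account)
    if ([string]::IsNullOrWhiteSpace($Account))        { return 'Builtin' }
    $name = $Account.Trim()
    if ($BuiltinIdentities -contains $name)             { return 'Builtin' }
    if ($name -like 'NT SERVICE\*')                     { return 'VirtualAccount' }
    # Managed and group managed service account names end with '$'.
    if ($name.EndsWith('$'))                            { return 'MSA-or-gMSA' }
    return 'UserAccount'   # DOMAIN\name, name@domain, or .\localname
}

$inventory = @()

# Windows services: StartName is the logon account of the service.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $inventory += [pscustomobject]@{
        Type    = 'Windows Service'
        Name    = $svc.Name
        Account = $svc.StartName
        Kind    = Get-IdentityKind $svc.StartName
    }
}

# Scheduled tasks: the principal is a user or a group; the full path is TaskPath + TaskName.
foreach ($task in Get-ScheduledTask) {
    $p = $task.Principal
    $account = if ($p.UserId) { $p.UserId } else { $p.GroupId }
    $kind    = if ($p.UserId) { Get-IdentityKind $p.UserId } else { 'Group' }
    $inventory += [pscustomobject]@{
        Type    = 'Windows Scheduled Task'
        Name    = $task.TaskPath + $task.TaskName
        Account = $account
        Kind    = $kind
    }
}

# IIS application pools, only when the WebAdministration module is installed.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $model = $pool.processModel
        $specific = ($model.identityType -eq 'SpecificUser')
        $inventory += [pscustomobject]@{
            Type    = 'IIS Application Pool'
            Name    = $pool.Name
            Account = if ($specific) { $model.userName } else { $model.identityType }
            Kind    = if ($specific) { Get-IdentityKind $model.userName } else { 'Builtin' }
        }
    }
}

# Report only what needs attention: accounts with a password to manage, and MSA/gMSA identities.
$inventory |
    Where-Object { $_.Kind -in 'UserAccount', 'MSA-or-gMSA' } |
    Sort-Object Kind, Type, Name |
    Format-Table Type, Name, Account, Kind -AutoSize
```

Rows of kind UserAccount are the candidates to register with the service name, scheduled task path or application pool name from the output; rows of kind MSA-or-gMSA are the ones to leave out of any multiplexed account.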