Automating Password Rotation

In most cases, you only configure the multiplexed account for a service if you want to enable automatic password rotation. Automating password rotation for the account used to run a target service requires the service to have both an administrative account and a multiplexed account defined. The administrative account is the account that rotates the service account password. The multiplexed account is the name used for the two sub-accounts that run an application service or scheduled task.

Because creating the multiplexed account involves adding and testing its sub-accounts, it is typically done some time after you have run a discovery job or have added a service manually.

Before updating a service to enable automated password rotation, you should have completed the following tasks:

  • Discovered or added the target service that runs using a specific service account.
  • Created and tested the two sub-accounts that will replace the original service account.
  • Added the two sub-accounts to the Privileged Access Service with Manage this credential selected.
  • Enabled the periodic password rotation policy and set an appropriate interval, either for the domain that contains the two sub-accounts or as a global security setting.
  • Configured the multiplexed account with the two sub-accounts.

If you have completed these tasks, you are ready to update the service to use a multiplexed account.

To automate password rotation for a service:

  1. In the Admin Portal, click Resources > Services to display the list of services and scheduled tasks.
  2. Select a service to view its details.
  3. Click Select to search for and select the stored domain account that will manage the password for the service, if needed.
  4. Type an optional description for the service, if needed.
  5. Select Enable management of this application password.
  6. Select either Windows Service or Windows Scheduled Task as the service type, if needed.
  7. Type the application service name or the full path to the scheduled task. For example, the service name for the Virtual Disk service is vds.
  8. Click Select to search for and select a multiplexed account to run the service.
  9. Select Restart service when password is rotated if changing the account password requires restarting the service.
  10. If you select the Restart option, you can also specify time constraints to control when the service is restarted. For example, you might allow a service to be restarted only on Sundays between 2:00 AM and 3:00 AM based on the local time zone.
  11. Click Save to save the service settings.
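
After saving, you can confirm on the target Windows computer which account the service or scheduled task actually runs as. The following PowerShell is an added example, not part of the product or its documentation; the account names are hypothetical, and it assumes that once the multiplexed account is in use the service runs as one of the two sub-accounts rather than the original service account.

```powershell
# Added example; run locally on the computer that hosts the service or task.
function Get-RunAsAccount {
    param(
        [Parameter(Mandatory)][ValidateSet('WindowsService', 'ScheduledTask')][string]$Type,
        [Parameter(Mandatory)][string]$Name   # service name (e.g. vds) or full task path
    )
    if ($Type -eq 'WindowsService') {
        $svc = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -eq $Name }
        if (-not $svc) { throw "Service '$Name' not found" }
        return $svc.StartName
    }
    # Split a full task path such as \Folder\Task into folder path and task name.
    $taskName = Split-Path -Path $Name -Leaf
    $taskPath = (Split-Path -Path $Name -Parent).TrimEnd('\') + '\'
    $task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction Stop
    return $task.Principal.UserId
}

function ConvertTo-BareAccountName {
    param([string]$Account)
    # Reduce DOMAIN\user, .\user and user@domain to a lower-case "user".
    # The domain part is ignored, so this is a name check, not a full identity check.
    (($Account -split '\\')[-1] -split '@')[0].ToLowerInvariant()
}

function Test-MultiplexedRunAs {
    param(
        [Parameter(Mandatory)][string]$Type,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OriginalAccount,
        [Parameter(Mandatory)][string[]]$SubAccounts
    )
    $runAs = Get-RunAsAccount -Type $Type -Name $Name
    $bare  = ConvertTo-BareAccountName $runAs
    $state = if (($SubAccounts | ForEach-Object { ConvertTo-BareAccountName $_ }) -contains $bare) {
        'RunsAsSubAccount'          # expected once the multiplexed account is in use
    } elseif ($bare -eq (ConvertTo-BareAccountName $OriginalAccount)) {
        'StillOriginalAccount'      # service has not been switched yet
    } else { 'UnexpectedAccount' }  # e.g. LocalSystem or an unrelated account
    [pscustomobject]@{ Target = $Name; RunAs = $runAs; State = $state }
}

# Hypothetical names: svc_vds is the original account, svc_vds_a / svc_vds_b the sub-accounts.
Test-MultiplexedRunAs -Type WindowsService -Name 'vds' -OriginalAccount 'CONTOSO\svc_vds' `
    -SubAccounts 'CONTOSO\svc_vds_a', 'CONTOSO\svc_vds_b'
```

Running the same check again after a rotation interval has passed shows whether the service is still running as one of the sub-accounts.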