Automating Password Rotation
In most cases, you only configure the multiplexed account for a service if you want to enable automatic password rotation. Automating password rotation for the account used to run a target service requires the service to have both an administrative account and a multiplexed account defined. The administrative account is the account that rotates the service account password. The multiplexed account is the name used for the two sub-accounts that run an application service or scheduled task.
Because creating the multiplexed account involves adding and testing its sub-accounts, it is typically done some time after you have run a discovery job or have added a service manually.
Before updating a service to enable automated password rotation, you should have completed the following tasks:
- Discovered or added the target service that runs using a specific service account.
- Created and tested the two sub-accounts that will replace the original service account.
- Added the two sub-accounts to the Privileged Access Service with Manage this credential selected.
- Enabled the periodic password rotation policy and set an appropriate interval, either for the domain that contains the two sub-accounts or as a global security setting.
- Configured the multiplexed account with the two sub-accounts.
If you have completed these tasks, you are ready to update the service to use a multiplexed account.
To automate password rotation for a service:
- In the Admin Portal, click Resources > Services to display the list of services and scheduled tasks.
- Select a service to view its details.
- If needed, click Select to search for and select the stored domain account that will manage the password for the service.
- Type a description for the service (optional).
- Select Enable management of this application password.
- Select either Windows Service or Windows Scheduled Task as the service type, if needed.
- Type the application service name or the full path to the scheduled task. For example, the service name for the Virtual Disk service is vds.
- Click Select to search for and select a multiplexed account to run the service.
- Select Restart service when password is rotated if changing the account password requires restarting the service.
- If you select the Restart option, you can also specify time constraints to control when the service is restarted. For example, you might want to allow a service to be restarted only on Sundays between 2:00 AM and 3:00 AM, based on the local time zone.
- Click Save to save the service settings.
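The following PowerShell is an added example, not part of the product documentation. Run on the target Windows system, it confirms that the service name or full scheduled task path you typed resolves and reports the account it runs as, so you can check before and after a rotation that the target runs under one of the two sub-accounts. The function names and the sub-account names are hypothetical placeholders.

```powershell
# Added example: local pre-flight check for a managed service or scheduled task.
# Get-RunAsIdentity and Test-RunsAsSubAccount are hypothetical helper names.
function Get-RunAsIdentity {
    param([Parameter(Mandatory)][string]$Target)   # 'vds' or '\Folder\TaskName'

    if ($Target.StartsWith('\')) {
        # Full task path: Get-ScheduledTask wants the folder (with trailing '\')
        # and the task name as separate arguments.
        $idx  = $Target.LastIndexOf('\')
        $task = Get-ScheduledTask -TaskPath $Target.Substring(0, $idx + 1) `
                                  -TaskName $Target.Substring($idx + 1) -ErrorAction Stop
        return [pscustomobject]@{
            Type   = 'Windows Scheduled Task'
            Name   = $Target
            RunsAs = $task.Principal.UserId
            State  = [string]$task.State
        }
    }

    # Service short name, not the display name (vds, not "Virtual Disk").
    # Filtering client-side avoids building a WQL string from user input.
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq $Target
    if (-not $svc) { throw "No Windows service with the name '$Target' was found." }
    [pscustomobject]@{
        Type   = 'Windows Service'
        Name   = $svc.Name
        RunsAs = $svc.StartName
        State  = $svc.State
    }
}

function Test-RunsAsSubAccount {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string[]]$SubAccounts
    )
    $id = Get-RunAsIdentity -Target $Target
    # -contains is case-insensitive; the account format must match what Windows
    # reports (for example DOMAIN\name versus name@domain).
    $id | Add-Member -NotePropertyName IsSubAccount `
                     -NotePropertyValue ($SubAccounts -contains $id.RunsAs) -PassThru
}

# Placeholder sub-account names (assumptions, replace with your own).
Test-RunsAsSubAccount -Target 'vds' -SubAccounts 'EXAMPLE\svc-app-1', 'EXAMPLE\svc-app-2'
```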