Multiplexed accounts are required to enable automated password rotation for the service accounts that run Windows services or scheduled tasks. The multiplexed account has two sub-accounts that ensure the account password is synchronized to the same password on all of the computers where it is used before the password is rotated. The multiplexed account prevents a service account that runs on multiple target systems from having its password changed on some systems and not on others and causing service failures.
The sub-accounts for the multiplexed account must meet the following criteria:
- Each account must be a domain account with its password stored and managed by the Privileged Access Service.
- Each account must have sufficient permissions to run the target Windows service or scheduled task.
- Each account must have Checkout and Edit permission.
- Each account must have the “Log on as a service” user right assigned in a local or domain policy if used to run an application service or the “Log on as a batch job” user right if used to run a scheduled task.
- The domain where the sub-accounts are used must have periodic password rotation enabled and an interval set at the domain or global security settings level.