On the Admin Portal> Domains > Advanced page, you can configure Privileged Access Service to manually unlock account passwords for domain accounts and local accounts on domain-joined Windows systems using the domain administrative account. This requires users to have the Unlock Account permission set at the domain level. Under Enable Manual Account Unlock you can enable the following:
Enables users with the proper permissions to use the domain administrative account to manually unlock managed domain account passwords stored in Privileged Access Service.
Enables users with the proper permissions to use the domain administrative account to manually unlock passwords for managed local accounts on domain-joined Windows systems stored in Privileged Access Service. For information on setting up local system account password reconciliation, see Configuring Windows local account password reconciliation. Make sure the corresponding local account setting is also enabled in Systems> Advanced > Local Account Manual Unlock (see Setting system‑specific advanced options).
Before enabling this policy you need to:
- Set up an administrative account for the domain.
For information on configuring an administrative account for a domain, see Setting domain administrative accounts.
- Configure the domain user to have the Unlock Account permission.
For information on configuring the Unlock Account permission, see Assigning permissions.
- Make sure the domain user account is a managed account.
For information on setting up a domain account with a managed password, see Adding Active Directory domain accounts.
Note: If an account that is set as the Privileged Access Service administrative account for the domain is locked, that account cannot be unlocked. An administrative account cannot unlock itself. For instance, if email@example.com is locked, the administrative account assigned to cpubs.net is used to unlock the account. However, if firstname.lastname@example.org is set to be the administrative account, the account cannot be unlocked.