[title]: (Domain Admin Acts) [tags]: # (pas,domain,admin accounts) [priority]: # (1000)

Setting Domain Admin Accounts

You can store Active Directory domain administrative accounts in the Privileged Access Service to:

  • Enable zone role workflow

    You can use the domain administrative account to configure a workflow that allows users to request role access to systems. For more information, see Managing zone role assignment requests.

  • Unlock a locked managed domain account or local accounts on domain-joined Windows systems

    You can use the domain administrative account to configure Privileged Access Service to manually unlock managed domain accounts and local accounts on domain-joined Windows systems (see "Enable manual account unlock using the administrative account"). The appropriate policies for the domain and the Windows system must also be configured to unlock accounts.

  • Manage domain accounts or local accounts on domain-joined Windows systems

    You can use the domain administrative account to ensure that Privileged Access Service can always successfully manage the passwords for domain accounts and local accounts on domain-joined Windows systems, regardless of whether the account password is out of sync. Note that the administrative account cannot change its own password if the minimum password age has not been met. For more information, see "Enable automatic account maintenance using the administrative account."

You can also set multiple administrative accounts within the same domain, to address different sets of accounts.

The stored accounts can be any user or service account that has domain or enterprise administrator permissions.

The following requirements must be met before you can store domain administrative accounts on Privileged Access Service:

  • Your tenant must have a live connector configured.
  • You must know the password of the account you are storing as a domain administrative account.
  • Edit and Add Account permissions must be configured for the selected domain.
  • The account has the proper delegation controls configured or is a member of the Domain Admins group. See "To configure delegation control in the domain controller for the administrative account."
  • If the domain administrative account is used to manage local accounts on domain-joined Windows systems, it must be a member of the Administrators group on the system. By default, the AD Domain Admins group is a member of the local Administrators group.
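The prerequisites above (account not locked, Domain Admins or equivalent membership, local Administrators membership on managed Windows systems, and the minimum password age caveat from the maintenance scenario) can be checked before you store the account. The following PowerShell script is an added example written for this page; it is not part of the Privileged Access Service product or its documentation. It assumes the ActiveDirectory RSAT module is installed, that the account name and target system name are placeholders you replace, and that WinRM access to the target system is available for the local group check.

```powershell
# Added example (not product code): pre-checks for a candidate domain administrative
# account before storing it in Privileged Access Service.
# Assumptions: ActiveDirectory module available; $AccountSam and $TargetSystem are placeholders.
param(
    [Parameter(Mandatory)][string]$AccountSam,   # placeholder, e.g. 'svc-pas-admin'
    [string]$TargetSystem                        # optional domain-joined Windows system
)

Import-Module ActiveDirectory

$user   = Get-ADUser -Identity $AccountSam -Properties PasswordLastSet, LockedOut, Enabled
$domain = Get-ADDomain
$result = [ordered]@{ Account = $user.SamAccountName }

# 1. The service cannot reconcile a locked or disabled administrative account.
$result.Enabled   = [bool]$user.Enabled
$result.LockedOut = [bool]$user.LockedOut
if ($user.LockedOut) { Write-Warning "$AccountSam is locked out; unlock it before storing it." }
if (-not $user.Enabled) { Write-Warning "$AccountSam is disabled." }

# 2. Domain Admins membership, including nested group membership.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$result.IsDomainAdmin = $domainAdmins -contains $user.SamAccountName
if (-not $result.IsDomainAdmin) {
    Write-Warning "$AccountSam is not in Domain Admins; verify delegation control is configured instead."
}

# 3. Minimum password age: the account cannot rotate its own password until it elapses.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($user.PasswordLastSet) {
    $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    $result.SelfRotationAllowedFrom = $earliest
    if ($earliest -gt (Get-Date)) {
        Write-Warning "Minimum password age not met; self-rotation possible from $earliest."
    }
} else {
    $result.SelfRotationAllowedFrom = $null
    Write-Warning "PasswordLastSet is empty (password may be flagged 'must change at next logon')."
}

# 4. Local Administrators membership on a domain-joined system, either directly or via
#    the domain's Domain Admins group (which is a local Administrators member by default).
if ($TargetSystem) {
    $localAdmins = Invoke-Command -ComputerName $TargetSystem -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    $userName  = "$($domain.NetBIOSName)\$($user.SamAccountName)"
    $groupName = "$($domain.NetBIOSName)\Domain Admins"
    $result.LocalAdminOnTarget = ($localAdmins -contains $userName) -or
                                 ($result.IsDomainAdmin -and ($localAdmins -contains $groupName))
    if (-not $result.LocalAdminOnTarget) {
        Write-Warning "$userName is not a local Administrator on $TargetSystem (direct or via Domain Admins)."
    }
}

[pscustomobject]$result
```

Run it as `.\Check-PasAdminAccount.ps1 -AccountSam svc-pas-admin -TargetSystem WS01` (both values are placeholders). The local-group check only recognises membership through the Domain Admins group or a direct entry; if your environment grants local Administrators through another nested group, extend the `$groupName` comparison accordingly.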

The Privileged Access Service cannot reconcile domain administrative account passwords that may be locked or out of sync. If the domain administrative account encounters an issue, operations using the domain administrative account will fail and an error message is displayed when you browse to the ***Resources*** portion of the Admin Portal. To troubleshoot the issue, see "Troubleshooting domain administrative accounts."

To set domain administrative accounts:

  1. In the Admin Portal, click Resources, then click Domains to display the list of domains.

    Discovered domains, synced domains (with an active connector) and manually added domains are displayed.

  2. Select the domain or multiple domains that contain the account you want stored from the domain list.

    Selecting one or more domains activates the Actions menu.

  3. Click the Actions menu, then click Set Administrative Account.


    The selected domain and the administrative account can be from different domains within the same forest.

  4. Select the source of the account (Privilege Service or Active Directory).

    If you are setting up an administrative account for a manually added domain or a domain that was discovered, you can only choose from Privilege Service Accounts. The Discovered column in the Domains tab displays the following values:

    | Discovered column value | Add domain method          | Administrative account source         |
    |-------------------------|----------------------------|---------------------------------------|
    | Auto                    | Domain automatically synced | Privilege Service or Active Directory |
    | Time stamp              | Domain discovery           | Privilege Service                     |
    | Blank                   | Domain manually added      | Privilege Service                     |

  5. Click Select next to the Account text box to select the relevant account.

  6. Start typing the account name into the search box.

    Domain accounts that you have Grant rights to are displayed.

  7. Select the account you want to store.

  8. Click Add and then click Save.

    The relevant account is displayed in the Administrative Account column.

You can alternatively set up an administrative account for a domain in the Domains > Advanced page. Click Resources > Domains > Advanced and then click Select next to the Administrative Account text box.

To clear domain administrative accounts:

  1. In the Admin Portal, click Resources, then click Domains to display the list of domains.
  2. Select the domain that contains the account you want to remove as an administrative account for the domain.
  3. Click the Actions menu, then click Clear Administrative Account. The Actions drop-down list becomes available after you select a domain.

You can alternatively clear an administrative account for a domain in the Domain Advanced page. Click Resources > Domains > Domain Name > Advanced and then click Clear next to the Administrative Account text box. You can also select Clear Administrative Account from the Actions menu on the Domain Advanced page.

To set multiple administrative accounts within the same domain:

  1. In the Admin Portal, click Access > Policies > Add Policy Set.
  2. On the Policy Settings page:

    1. Under Policy Assignment, select the Sets option.
    2. Ensure the Set Type is set to Account.
    3. Under the Sets dropdown, select Domain Accounts.
  3. On the Resources > Accounts page, scroll down to Account Reconciliation Settings > Domain Administrative Account.
  4. Click the Set button, then click the Select button to open the search window.
  5. Use the search field to find the administrative account you want to add and click Select.
  6. Click Select to set the Domain Administrative Account.

You can use Policy Settings to assign a specific domain administrative account to a specific set of domain accounts.