Setting domain administrative accounts

You can store Active Directory domain administrative accounts in the Privileged Access Service to:

  • Enable zone role workflow

    You can use the domain administrative account to configure a workflow that allows users to request role access to systems. For more information, see Managing zone role assignment requests.

  • Unlock locked managed domain accounts or local accounts on domain-joined Windows systems

    You can use the domain administrative account to configure Privileged Access Service to manually unlock managed domain accounts and local accounts on domain-joined Windows systems (see Enable manual account unlock using administrative account). The appropriate policies for the domain and the Windows system must also be configured to unlock accounts.

  • Manage domain accounts or local accounts on domain-joined Windows systems

    You can use the domain administrative account to ensure that Privileged Access Service can always successfully manage the passwords for domain accounts and local accounts on domain-joined Windows systems, even when the stored account password is out of sync with the directory. Note that the administrative account cannot change its own password if the domain's minimum password age has not yet been met. For more information, see Enable automatic account maintenance using the administrative account.

The stored accounts can be any user or service account that has domain or enterprise administrator permissions.

The following requirements must be met before you can store domain administrative accounts on Privileged Access Service:

  • Your tenant must have a live connector configured.
  • You must know the password of the account you are storing as a domain administrative account.
  • Edit and Add Account permissions must be configured for the selected domain.
  • The account has the proper delegation controls configured or is a member of the Domain Admins group. See To configure delegation control in the domain controller for the administrative account.
  • If the domain administrative account is used to manage local accounts on domain-joined Windows systems, it must be a member of the Administrators group on the system. By default, the AD Domain Admins group is a member of the local Administrators group.
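The following PowerShell script is an added example for checking the requirements above before you store an account; it is not part of the Privileged Access Service documentation or product. It assumes the RSAT ActiveDirectory module is installed on the machine running it, that WinRM access to the target Windows system is available, and that the account name and target computer name are placeholders you replace with your own values. It checks that the account exists and is not locked out, whether it is (directly or through nested groups) a member of Domain Admins, whether the minimum password age currently blocks a self-initiated password change, and, optionally, whether it holds local Administrators membership on a domain-joined system.

```powershell
# Added example, not from the Privileged Access Service documentation.
# Pre-flight checks for a candidate domain administrative account.
# $AccountName and $TargetComputer are placeholders: supply your own values.
param(
    [Parameter(Mandatory)][string]$AccountName,   # e.g. 'svc-pas-admin' (placeholder)
    [string]$TargetComputer                       # optional domain-joined Windows system
)

Import-Module ActiveDirectory

$results = [ordered]@{}

# 1. Does the account exist, and is it enabled and not locked out?
try {
    $acct = Get-ADUser -Identity $AccountName -ErrorAction Stop `
                -Properties Enabled, LockedOut, PasswordLastSet
} catch {
    throw "Account '$AccountName' was not found in the domain: $($_.Exception.Message)"
}
$results['Enabled']   = $acct.Enabled
$results['LockedOut'] = $acct.LockedOut

# 2. Is the account a member of Domain Admins, directly or via nested groups?
$domainAdminMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$results['InDomainAdmins'] = $domainAdminMembers -contains $acct.SamAccountName

# 3. Minimum password age: a fine-grained policy (PSO) wins over the default
#    domain policy when one applies to the account.
$policy = Get-ADUserResultantPasswordPolicy -Identity $acct
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$minAge = $policy.MinPasswordAge
$results['MinPasswordAge'] = $minAge
if ($acct.PasswordLastSet) {
    # The account cannot rotate its own password until PasswordLastSet + MinPasswordAge.
    $results['CanChangeOwnPasswordNow'] = (Get-Date) -ge ($acct.PasswordLastSet + $minAge)
} else {
    # PasswordLastSet is empty when "must change password at next logon" is set.
    $results['CanChangeOwnPasswordNow'] = $false
}

# 4. Optional: local Administrators membership on the target Windows system.
#    Membership may be direct or inherited through the Domain Admins group,
#    which is a member of local Administrators by default.
if ($TargetComputer) {
    $localAdmins = Invoke-Command -ComputerName $TargetComputer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    $netbios = (Get-ADDomain).NetBIOSName
    $results['DirectLocalAdmin']        = $localAdmins -contains "$netbios\$($acct.SamAccountName)"
    $results['DomainAdminsIsLocalAdmin'] = $localAdmins -contains "$netbios\Domain Admins"
}

[pscustomobject]$results
```

Run it as `.\Check-PasAdminAccount.ps1 -AccountName svc-pas-admin -TargetComputer WIN-APP01` (both names are placeholders). A result of InDomainAdmins = False is not necessarily a failure, because the page also accepts an account with the documented delegation controls; that delegation cannot be verified generically, so review it separately. CanChangeOwnPasswordNow = False after a recent rotation is expected behaviour under a non-zero minimum password age, as the page notes.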

The Privileged Access Service cannot reconcile domain administrative account passwords that may be locked or out of sync. If the domain administrative account encounters an issue, operations using the domain administrative account will fail and an error message is displayed when you browse to the Resources portion of the Admin Portal. To troubleshoot the issue, see Troubleshooting domain administrative accounts.

To set domain administrative accounts:

  1. In the Admin Portal, click Resources, then click Domains to display the list of domains.

    Discovered domains, synced domains (with an active connector) and manually added domains are displayed.

  2. Select the domain or multiple domains that contain the account you want stored from the domain list.

    Selecting one or more domains activates the Actions menu.

  3. Click the Actions menu, then click Set Administrative Account.

    The selected domain and the administrative account can be from different domains within the same forest.

  4. Select the source of the account (Privilege Service or Active Directory).

    If you are setting up an administrative account for a manually added domain or a domain that was discovered, you can only choose from Privilege Service Accounts. The Discovered column in the Domains tab displays the following values:

    Discovered Column Value   Add Domain Method             Administrative Account Source
    Auto                      Domain automatically synced   Privilege Service or Active Directory
    Time stamp                Domain discovery              Privilege Service
    Blank                     Domain manually added         Privilege Service

  5. Click Select next to the Account text box to select the relevant account.

  6. Start typing the account name into the search box.

    Domain accounts that you have Grant rights to are displayed.

  7. Select the account you want to store.

  8. Click Add and then click Save.

    The relevant account is displayed in the Administrative Account column.

Note:   You can alternatively set up an administrative account for a domain in the Domains > Advanced page. Click Resources > Domains > Advanced and then click Select next to the Administrative Account text box.

To clear domain administrative accounts:

  1. In the Admin Portal, click Resources, then click Domains to display the list of domains.
  2. Select the domain that contains the account you want to remove as an administrative account for the domain.
  3. Click the Actions menu, then click Clear Administrative Account.

    The Actions drop-down list becomes available after you select a domain.

Note:   You can alternatively clear an administrative account for a domain in the Domain Advanced page. Click Resources > Domains > Domain Name > Advanced and then click Clear next to the Administrative Account text box. You can also select Clear Administrative Account from the Actions menu on the Domain Advanced page.