Setting system-specific advanced options
In the Systems > Advanced tab, you can select system-specific options for password security and maintenance and also view the zone status of a system.
The following sections provide information on configuring options in the Systems > Advanced tab:
- Account Reconciliation
- Domain Settings
- Remove local accounts upon session termination - Windows only
- Allow multiple password checkouts for this system
- Enable periodic password rotation
- Enable password rotation after checkin
- Minimum password age (days)
- Password complexity profile
- Enable periodic SSH key rotation
- Minimum SSH Key Age (days)
- SSH Key Generation Algorithm
- Enable periodic password history cleanup
- Enable periodic SSH key cleanup
To configure system-specific advanced settings:
- In the Admin Portal, click Resources, then click Systems to display the list of computers and network devices.
- Select a system to display system-specific details.
- Click Advanced.
- Select settings for any or all of the password security and maintenance options.
- Click Save.
For more information about how to set the system-specific options, click the information icon in the Admin Portal.
Account Reconciliation
Account reconciliation allows you to reset out-of-sync managed local Windows or Unix account passwords stored in Privileged Access Service. Account reconciliation for both Windows and Unix systems can be configured using either a local administrative account or through the Centrify Client for Windows or the Centrify Client for Linux.
To configure account reconciliation, you must enroll your system. If you do not have an enrolled agent, you will see a banner above the Account Reconciliation settings and must proceed to Domain Settings (below) to enable account reconciliation options. For information on enrolling your system, see Enrolling and managing computers with Centrify clients.
As part of the configuration process, you need to enable the following settings:
Local Account Automatic Maintenance
Allows users with the proper permissions to reset out-of-sync local account passwords stored in Privileged Access Service.
Note: For domain-joined Windows systems with account reconciliation configured using a domain administrative account, make sure the corresponding local account setting is also enabled in Domains > Advanced > Administrative Account Settings > Enable Automatic Account Maintenance (see Enable automatic account maintenance using the administrative account).
Local Account Manual Unlock (Windows systems only)
Allows users with the proper permissions to unlock local account passwords stored in Privileged Access Service.
Note: For domain-joined Windows systems with account reconciliation configured using a domain administrative account, make sure the corresponding local account setting is also enabled in Domains > Advanced > Administrative Account Settings > Enable Manual Account Unlock (see Enable manual account unlock using the administrative account).
To enable these operations, make sure you have:
- Windows and Unix: Edit permission for the system.
- Windows via Centrify Connector: Grant and View permission for the domain.
- Windows via Centrify Connector: An administrative account for the domain with the View permission (see Setting domain administrative accounts).
(Windows systems using non-client based Account Reconciliation only) You can use the Verify Configuration button to check that local account password reconciliation is properly configured. Make sure the domain administrator account has the View permission in order to verify the configuration. If the settings are configured correctly, the message "Verification completed successfully." is displayed. If the settings are not configured correctly, an error message is displayed. Update your configuration and try Verify Configuration again.
Configuration procedures differ for the various methods. For detailed information on configuring account password reconciliation for Windows and Unix systems, see:
Local Administrator Account (required for non client-based UNIX configurations)
Configuring the Local Administrator Account field is only required if you are configuring account reconciliation on Unix systems that do not use the Centrify Client for Linux (i.e., this field applies to system configurations that use the Centrify Connector).
If you did not specify a local administrative account when you initially added the Unix system to the Privileged Access Service (Using the wizard to add systems), you can set a local administrative account under Account Reconciliation on the Systems > Advanced page. You need to configure a local administrator account before you can enable local account automatic maintenance. For more information, see Configuring UNIX local account reconciliation.
You can specify an administrative account to perform account management tasks and reset out of sync managed local account passwords stored in Privileged Access Service. For additional information, see Specifying a local administrative account.
Domain Settings
Under Domain Settings on the Systems > Advanced page, you can view the domain and the domain administrative account if it is configured. Setting these fields is required for Zone Role Workflow (also see Enabling zone role workflow).
For Windows systems: The domain and domain administrative account fields are populated only if the system is domain joined and a domain administrative account is set for the domain; if it is not set, these fields are empty. These fields are required for local account password reconciliation (LAPR) configured on Windows systems via the Centrify Connector and for Zone Role Workflow. If the system is already joined to a domain, the domain name is displayed in the text box. You must first add the appropriate domains to the Privileged Access Service in order to join the Windows system to a domain. For information on adding domains to the Privileged Access Service, see Adding a domain.
To select a domain and domain administrative account for a system:
- In the Admin Portal, click Resources, then click Systems to display the list of computers and network devices.
- Select a system to display system-specific details.
- Click Advanced and then click Select next to the Domain text box to select the relevant domain.
  Start typing the domain name into the search box. Domains where you have View permissions are displayed.
- Select the domain you want to use.
  Click Select and then click Save.
If the domain has a domain administrative account already configured, it is displayed in the Domain Administrative text box. If the domain selected for the system does not have a domain administrative account configured, see Setting domain administrative accounts.
Remove local accounts upon session termination - Windows only
When a user logs in to a system by way of client-based login, the service creates a local Windows account to facilitate that login. You can choose to completely remove that local account when the user's session terminates. For more information about this account, see Enabling client-based login.
Select No if you do not want to completely erase the local account. Keeping this account intact preserves any changes that the user made during their session, such as configurations or settings, and also the user's home directory.
Select Yes if you want to completely erase the local account that gets created when users log in to a system by way of client-based login (Agent Auth). Erasing this account involves removing the home directory and any personal configurations or settings.
Allow multiple password checkouts for this system
Select No if only one administrator is allowed to check out the password for a selected system at any given time. If you select No, the administrator must check the password in and have a new password generated before another administrator can access the system with the updated password.
Select Yes if you want to allow multiple users to have the account password checked out at the same time for a selected system. If you select Yes, multiple administrators can access the system without waiting for the password to be checked in.
Enable periodic password rotation
Select Yes if you want to rotate managed passwords automatically at the interval you specify. Select No if you want to prevent password rotation for the selected system.
If you select Yes, you should also specify the password rotation interval in days. Type the maximum number of days to allow between automated password changes for managed accounts. You can set this policy to comply with your organization's password expiration policies. For example, your organization might require passwords to be changed every 90 days. You can use this policy to automatically update managed passwords at a maximum of every 90 days. If the policy is not defined (--), passwords are rotated according to the setting in the Settings > Resources > Security Settings tab.
Enable password rotation after checkin
Select Yes to allow password rotation after it is checked in. Select No to not allow password rotation after it is checked in.
Minimum password age (days)
Specify the minimum number of days that a managed password must have been in use before it can be rotated.
Password complexity profile
Select an existing password generation profile or add a new profile for the selected system. If you don't select or add a profile, the default password generation profile for the system type is used. For more information about adding and editing password complexity profiles, see Configuring password profiles.
Enable periodic SSH key rotation
Select Yes to allow periodic SSH key rotation. Select No to not allow periodic SSH key rotation. Select "--" to use the default setting from the Security Settings in the Settings tab.
Minimum SSH Key Age (days)
Specify the minimum number of days that an SSH key must have been in use before it can be rotated.
SSH Key Generation Algorithm
Specifies the algorithm to use when generating SSH keys during manual or automatic SSH key rotation.
Enable periodic password history cleanup
Select Yes to automatically delete retired passwords from the password history after a given number of days. Select No to prevent the Privileged Access Service from automatically deleting retired passwords from the password history at a set interval.
If you select Yes, you can also specify the maximum number of days of password history to keep. For example, if you have a requirement to keep a record of passwords used for three years, you might set the cleanup interval to 1096 days to maintain the password history for that period of time. If you select the default setting, retired passwords are automatically deleted after 365 days. You cannot set a cleanup interval less than 90 days.
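To make the interplay of the rotation and history-cleanup settings above concrete, here is an added Python model (not Centrify code) of how a system-level setting overrides or, with "--", inherits the global Security Settings value, how the minimum password age delays both periodic and check-in triggered rotation, and how the 90-day floor and 365-day default apply to history cleanup. The class and field names, the use of `None` for "--", and the sample policies are assumptions made for this illustration.

```python
from dataclasses import dataclass, fields
from datetime import date, timedelta
from typing import List, Optional, Tuple
MIN_HISTORY_RETENTION_DAYS = 90       # cleanup interval cannot be set below this
DEFAULT_HISTORY_RETENTION_DAYS = 365  # used when no cleanup interval is chosen

@dataclass
class PasswordPolicy:
    # None models the "--" choice: inherit the value from the global Security Settings.
    periodic_rotation: Optional[bool] = None
    rotation_interval_days: Optional[int] = None
    rotate_after_checkin: Optional[bool] = None
    min_password_age_days: Optional[int] = None
    history_cleanup: Optional[bool] = None
    history_retention_days: Optional[int] = None

def effective_policy(system: PasswordPolicy, global_defaults: PasswordPolicy) -> PasswordPolicy:
    """A system-level value wins; a '--' (None) value falls back to the global setting."""
    merged = {}
    for f in fields(PasswordPolicy):
        system_value = getattr(system, f.name)
        merged[f.name] = getattr(global_defaults, f.name) if system_value is None else system_value
    return PasswordPolicy(**merged)

def next_rotation(policy: PasswordPolicy, last_rotated: date, checked_in_on: Optional[date]) -> Optional[date]:
    """Earliest date the password may be rotated, or None if no trigger applies; min age delays both triggers."""
    triggers = []
    if policy.periodic_rotation and policy.rotation_interval_days:
        triggers.append(last_rotated + timedelta(days=policy.rotation_interval_days))
    if policy.rotate_after_checkin and checked_in_on is not None:
        triggers.append(checked_in_on)
    if not triggers:
        return None
    not_before = last_rotated + timedelta(days=policy.min_password_age_days or 0)
    return max(min(triggers), not_before)

def prune_history(policy: PasswordPolicy, history: List[Tuple[str, date]], today: date) -> List[Tuple[str, date]]:
    """Drop retired passwords older than the retention window, enforcing the 90-day floor."""
    if not policy.history_cleanup:
        return list(history)
    retention = policy.history_retention_days or DEFAULT_HISTORY_RETENTION_DAYS
    if retention < MIN_HISTORY_RETENTION_DAYS:
        raise ValueError(f"cleanup interval must be at least {MIN_HISTORY_RETENTION_DAYS} days")
    cutoff = today - timedelta(days=retention)
    return [entry for entry in history if entry[1] >= cutoff]

# Constructed sample: global defaults plus a system that overrides only the interval and min age.
GLOBAL_DEFAULTS = PasswordPolicy(periodic_rotation=True, rotation_interval_days=30,
                                 rotate_after_checkin=True, history_cleanup=True)
SYSTEM_OVERRIDES = PasswordPolicy(rotation_interval_days=90, min_password_age_days=7)
```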
Enable periodic SSH key cleanup
Select Yes to allow periodic SSH key cleanup. Select No to not allow periodic SSH key cleanup. Select "--" to use the default setting from the Security Settings in the Settings tab.