Understanding unhealthy account status
There may be many reasons a password might fail to update on machines stored in Centrify Privileged Access Service. Below is an SQL query that you run on PAS to produce a report of the systems and accounts that are failing password rotation.
To run the report
- Navigate to the Centrify PAS > Reports > New Report.
- Build a new report using the editor.
- Paste the SQL query, AccountsNotRotating.sql, into the editor.

```sql
SELECT
    Server.FQDN AS SystemFQDN,
    Server.Name AS ServerName,
    Server.HealthStatus AS SystemHealthStatus,
    Server.LastHealthCheck AS SystemLastHealthCheck,
    Server.HealthStatusError AS SystemHealthStatusError,
    VaultAccount.LastChange AS AccountLastChange,
    VaultAccount.LastHealthCheck AS AccountLastHealthCheck,
    VaultAccount.Healthy AS AccountHealthy,
    VaultAccount.HealthError AS AccountHealthError,
    VaultAccount.NeedsPasswordReset AS AccountNeedsPasswordReset,
    VaultAccount.PasswordResetRetryCount,
    VaultAccount.PasswordResetLastError,
    Server.ID AS SystemID,
    VaultAccount.ID AS AccountID,
    VaultAccount.User AS AccountUser,
    Server.ComputerClass AS SystemComputerClass,
    Server.ManagementMode AS SystemManagementMode,
    Server.OperatingSystem AS SystemOperatingSystem,
    Server.DomainName AS SystemDomainName,
    Server.DiscoveredTime AS SystemDiscoveredTime
FROM VaultAccount
JOIN Server ON Server.ID = VaultAccount.Host
WHERE VaultAccount.IsManaged = 1
  AND (VaultAccount.LastChange <= datefunc('now', -2) OR VaultAccount.LastChange IS NULL)
ORDER BY VaultAccount.LastChange
```

- Save and Run the report.
- From the Actions in the report results, export the report. The report can be saved as an Excel or CSV file.
Interpreting the report results
To determine the status of a machine and its accounts, open the report in Microsoft Excel and review the report column headers in row one. The columns that are considered are:
- SystemHealthStatus (C)
- AccountHealthError (I)
- PasswordResetRetryCount (K)
- PasswordResetLastError (L)
- SystemManagementMode (Q)
- SystemComputerClass (P)
- AccountNeedsPasswordReset (J)

| Report columns and values | Result status | Follow up actions |
|---|---|---|
| SystemHealthStatus is Unreachable. | System Unreachable | |
| | Password Needs Updating | The password is not being rotated because the current password is unknown. |
| | RPC Dynamic Ports Blocked | The machine has an open port that permits the account to be validated OK, but does not have the RPC dynamic ports open, which are needed to rotate the password. The RPC dynamic ports are 49152 - 65535. |
| | SAM Remote Access Restriction | On newer versions of Windows, access to the Windows authentication database is restricted and prevents password rotation. |
| | Unix System Offline for Too Long | The machine has been offline for a long time, but the system and accounts are OK. Manually rotate the password. The password should rotate automatically going forward. |
| | Needs More Investigation - No Attempt to Rotate Password | This machine needs more investigation. |
| | Needs More Investigation - SMB | This machine needs more investigation. |
| | Needs More Investigation - AccountRestrictionsPreventSignin | There is some restriction on the target machine preventing password rotation. |
| | Password Needs Updating and RPC Dynamic Ports Blocked | This machine's account needs both a password update and unblocking of the RPC dynamic ports. |
| | Password Policy | The system has a password policy that is more restrictive than the passwords generated by Centrify PAS. Check the password policy for local accounts. |
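
For large exports, the first triage pass can be scripted instead of done by eye in Excel. The following is an added example, not Centrify code: it checks that the seven review columns sit at the Excel letters listed above, separates rows where SystemHealthStatus is Unreachable, and counts each remaining combination of review-column values so it only has to be looked up in the table once. It assumes the CSV export has a header row with the report's column names; the function names are hypothetical and every sample value other than `Unreachable` is a constructed placeholder.

```python
import csv
import io
from collections import Counter

# Report columns in SELECT order, so list index 0 is Excel column A.
HEADER = ("SystemFQDN ServerName SystemHealthStatus SystemLastHealthCheck "
          "SystemHealthStatusError AccountLastChange AccountLastHealthCheck "
          "AccountHealthy AccountHealthError AccountNeedsPasswordReset "
          "PasswordResetRetryCount PasswordResetLastError SystemID AccountID "
          "AccountUser SystemComputerClass SystemManagementMode "
          "SystemOperatingSystem SystemDomainName SystemDiscoveredTime").split()
# Columns the page says to review, keyed by the Excel letter it gives for each.
TRIAGE = {"C": "SystemHealthStatus", "I": "AccountHealthError",
          "K": "PasswordResetRetryCount", "L": "PasswordResetLastError",
          "Q": "SystemManagementMode", "P": "SystemComputerClass",
          "J": "AccountNeedsPasswordReset"}

def misplaced_columns(header):
    """Return review columns that are missing or not at the expected letter."""
    found = {name: i for i, name in enumerate(header)}
    return [n for c, n in TRIAGE.items() if found.get(n) != ord(c) - ord("A")]

def triage(csv_file):
    """Return (unreachable accounts, Counter of value combinations to look up)."""
    reader = csv.DictReader(csv_file)
    wrong = misplaced_columns(list(reader.fieldnames or []))
    if wrong:
        raise ValueError(f"export layout differs from the query: {wrong}")
    unreachable, combos = [], Counter()
    for rec in reader:
        if rec["SystemHealthStatus"] == "Unreachable":
            # Result status for this value is System Unreachable.
            unreachable.append((rec["SystemFQDN"], rec["AccountUser"]))
        else:
            combos[tuple(rec[name] for name in TRIAGE.values())] += 1
    return unreachable, combos

def sample_export():
    """Constructed export; every value except 'Unreachable' is a placeholder."""
    stuck = {"SystemHealthStatus": "OK", "PasswordResetRetryCount": "3",
             "PasswordResetLastError": "PLACEHOLDER_ERROR"}
    rows = [{"SystemFQDN": "db01.example.test", "AccountUser": "root",
             "SystemHealthStatus": "Unreachable"},
            {"SystemFQDN": "app01.example.test", "AccountUser": "svc-a", **stuck},
            {"SystemFQDN": "app02.example.test", "AccountUser": "svc-b", **stuck}]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return io.StringIO(out.getvalue())
```

For a real export, pass `open(path, newline="")` to `triage` in place of `sample_export()`.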