One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use them. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted. Also see KB article 312212.
You can manage tasks and services on a domain controller (DC) asset. For more information, see Using a domain controller (DC) asset.
To configure account dependencies on an asset
-
Directory accounts:
-
You must add directory accounts before you can set up account dependency relationships. For more information, see Adding an account.
-
From the directory account, select the Available for use across all partitions option so it can be used outside its domain partition. For more information, see Adding an account.
-
-
Assets: You must add the target directory account as a dependent account for the asset. The service account can be a domain account (to look up domain information) or a local account if the asset is a Windows Server platform. If the asset is a Windows SSH platform, then to update dependent accounts, the service account must be a domain account.
IMPORTANT: For Windows SSH assets, a local account does not have the access necessary to discover services running as domain accounts. So if a local account is used, Safeguard for Privileged Passwords will only discover services running as local accounts, and domain account dependencies will not be updated.
Follow these steps:
-
Navigate to web client: Asset Management > Assets.
-
Select the asset (such as a Windows Server instance) from the object list and open the Account Dependencies tab.
-
Click (New Account) from the details toolbar and select one or more directory accounts. Safeguard for Privileged Passwords only allows you to select directory accounts.
-
-
Profiles:
-
The target directory account must be in the same profile as the dependent asset.
-
You must configure the dependent asset's profile in the Change Password tab to perform the required updates on the asset. For example, select the Update Service on Password Change check box and so on. For more information, see Creating a password profile.
-