
Identity Manager Data Governance Edition 8.0 - Technical Insight Guide


Service account management

Data Governance Edition consolidates security information across many domains and forests by accessing these network entities using stored credentials (service accounts). These service accounts are Active Directory users granted the appropriate permissions in their respective domains and registered with Data Governance Edition.

The following commands are available to you to manage service accounts. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.

Table 119: Service account management commands

| Use this command | If you want to |
|---|---|
| Add-QServiceAccount | Register an account as a service account for Data Governance Edition. When you add this service account, it is automatically granted the required Log On as a Service local user right on the Data Governance server. For more information, see Add-QServiceAccount. |
| Get-QLogonServiceAccount | Determine if the account can be used as a service account. For more information, see Get-QLogonServiceAccount. |
| Get-QServiceAccounts | View a list of service accounts that have been created for the Data Governance server. NOTE: You can optionally specify a service account id if you are only interested in a particular service account. For more information, see Get-QServiceAccounts. |
| Remove-QServiceAccount | Remove a service account from the deployment. NOTE: Remove any associated managed domains BEFORE removing a service account. For more information, see Remove-QServiceAccount. |
| Set-QServiceAccountUpdated | Have the Data Governance server update a service account. For more information, see Set-QServiceAccountUpdated. |

Add-QServiceAccount

Registers an account as a service account for Data Governance Edition. When you add this service account, it is automatically granted the required Log On as a Service local user right on the Data Governance server.

Data Governance Edition consolidates security information across many domains and forests by accessing these network entities using stored credentials (Service Accounts). These Service Accounts are Active Directory users granted the appropriate permissions in their respective domains and registered with Data Governance Edition.

The Service Account performs actions that a local service cannot. For example, a remote agent needs a Service Account to access the files on the managed host it is scanning.

Note: Service Accounts must have administrative privileges in the domains they are registered with. This allows the Data Governance server to elevate its identity to these accounts and perform actions such as agent deployments and Active Directory queries.

Syntax:

Add-QServiceAccount [-AccountDomain] <String> [-AccountName] <String> [-Password] <String> [[-IsDefaultObjectResolution] [<Boolean>]] [<CommonParameters>]

Table 120: Parameters

| Parameter | Description |
|---|---|
| AccountDomain | Specify the pre-Windows 2000 name of the account domain. |
| AccountName | Specify the logon name (pre-Windows 2000 name) of the account. |
| Password | Specify the password associated with the account. |
| IsDefaultObjectResolution | (Optional) Specify this parameter to indicate whether the account being registered is to be used as the Data Governance default account. This account will be used to connect to Active Directories which do not have explicit service accounts configured. Valid values are: 0 or $false: The account is not used as the Data Governance default account (default). 1 or $true: The account is used as the Data Governance default account. |

Examples:

Table 121: Examples

| Example | Description |
|---|---|
| Add-QServiceAccount -AccountDomain "qamauto" -AccountName "administrator" -Password 'Pa$$word' | Adds a service account for the domain "qamauto", with the user name of "administrator" and a password of 'Pa$$word'. NOTE: Single quotes are used around the password text because it contains $ characters. |

Get-QLogonServiceAccount

Determines if the specified account meets the requirements to be used as a service account in Data Governance Edition.

Note: Data Governance Edition consolidates security information across many domains and forests by accessing these network entities using stored credentials (service accounts). These service accounts are Active Directory users granted the appropriate permissions in their respective domains and registered with Data Governance Edition.

Syntax:

Get-QLogonServiceAccount [-UserName] <String> [-Password] <String> [-DomainId] <String> [<CommonParameters>]

Table 122: Parameters

| Parameter | Description |
|---|---|
| UserName | Specify the name of the Active Directory account to be checked. |
| Password | Specify the password associated with the account. |
| DomainName | Specify the name of the domain to be checked to determine if the specified account meets the requirements of a service account. |

Examples:

Table 123: Examples

| Example | Description |
|---|---|
| Get-QLogonServiceAccount -UserName Administrator -Password myppassword -DomainName mydomain.dge.dev.phx.com | Checks the specified account to determine if it meets the requirements to be used as a service account in Data Governance Edition. |

Get-QServiceAccounts

Retrieves a list of service accounts registered with the Data Governance server.

Syntax:

Get-QServiceAccounts [[-ServiceAccountId] [<String>]] [<CommonParameters>]

Table 124: Parameters

| Parameter | Description |
|---|---|
| ServiceAccountId | (Optional) Specify the ID (GUID format) of the service account to be retrieved. NOTE: Run the Get-QManagedDomains cmdlet to retrieve a list of managed domains, including the managed domain and service account IDs. |

Examples:

Table 125: Examples

| Example | Description |
|---|---|
| Get-QServiceAccounts | Retrieves a list of all registered service accounts. |
| Get-QServiceAccounts -ServiceAccountId 3253af66-c104-4472-b770-c8097b2df6d8 | Retrieves information about the specified service account. |

Details retrieved:

Table 126: Details retrieved

| Detail | Description (Associated key or property in QAMServiceAccount table) |
|---|---|
| ServiceAccountId | The value (GUID) assigned to the service account (UID_QAMServiceAccount). |
| AccountSid | The security identifier (SID) assigned to the Active Directory account. |
| UserDomainName | The name of the domain to which the user belongs. |
| UserName | Logon name (pre-Windows 2000) of the Active Directory account (UID_ADSAccount). |
| UserPrincipalName | User principal name (email address) of the service account. |
| Description | The descriptive text entered when the service account was registered with Data Governance Edition. |
| IsDefaultObjectResolution | Indicates whether the account is being used as the Data Governance default account and will be used to connect to Active Directories which do not have explicit service accounts configured. |
| StatusDetailMessage | If applicable, a message about the current state of the data from the agent. |
| Status | The status of the agent. |
| CanManageDomains | Indicates whether the service account is capable of being impersonated on the Management Server it is being called upon. NOTE: This is set within the ServiceAccounts InternalService on the Data Governance server. It will be true if impersonation is successful, and false if impersonation fails. |
| ServiceAccountName | The name of the service account. |
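
Added example, not taken from the guide: because service accounts hold administrative rights in their domains and -Password takes a plain String, this sketch checks, registers and then audits an account without ever typing the password as a command-line literal. It assumes the Data Governance Edition snap-ins are already loaded; $domainFqdn and the prompts are placeholders, and only parameters and properties documented above are used.

```powershell
# Added example. Assumes the Data Governance Edition snap-ins are loaded in this session.
$domainFqdn = 'mydomain.example.com'   # placeholder: DNS name of the account domain

# Prompt for DOMAIN\user so the password never appears as a literal in the
# console history or in a saved script.
$cred = Get-Credential -Message 'Service account (DOMAIN\user, pre-Windows 2000 names)'
$nc   = $cred.GetNetworkCredential()   # exposes Domain, UserName and Password
if (-not $nc.Domain) { throw 'Enter the account as DOMAIN\user.' }
$user = $nc.UserName

try {
    # 1. Check the account before registering it. The output format of this cmdlet
    #    is not described above, so it is displayed for review rather than parsed.
    #    -DomainName is the parameter name used in the guide's own example.
    Get-QLogonServiceAccount -UserName $user -Password $nc.Password `
        -DomainName $domainFqdn -ErrorAction Stop | Format-List

    # 2. Register only after the operator has reviewed the check result.
    #    IsDefaultObjectResolution is left at its default ($false).
    if ((Read-Host 'Register this account? (y/n)') -eq 'y') {
        Add-QServiceAccount -AccountDomain $nc.Domain -AccountName $user `
            -Password $nc.Password -ErrorAction Stop
    }
}
finally {
    # Release the references to the plaintext password.
    Remove-Variable nc, cred -ErrorAction SilentlyContinue
}

# 3. Audit: list every registered account with the fields that matter for review.
$accounts = Get-QServiceAccounts
$accounts | Select-Object ServiceAccountId, UserDomainName, UserName,
    IsDefaultObjectResolution, CanManageDomains, Status, StatusDetailMessage |
    Format-Table -AutoSize

# Accounts the server could not impersonate (CanManageDomains is false).
$accounts | Where-Object { -not $_.CanManageDomains } |
    ForEach-Object { Write-Warning "Impersonation failed: $($_.UserDomainName)\$($_.UserName)" }

# The default account is used for any Active Directory without an explicit
# service account, so confirm the intended account carries the flag.
$accounts | Where-Object { $_.IsDefaultObjectResolution } |
    Select-Object ServiceAccountId, UserDomainName, UserName
```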