
One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide


Service account has insufficient privileges

If you are having service account issues, consider the following:

  • Is the service account properly authorized to access the system? In a common setup, sudo is used to elevate the service account's privileges on the system.
  • Has the service account been locked out or disabled?
  • Is the service account configured to allow remote logon?

A service account needs sufficient permissions to edit the passwords of other accounts. For more information, see About service accounts.

To resolve incorrect or insufficient service account privileges

  1. Verify that the service account has sufficient permissions on the asset.
  2. Perform Test Connection to verify the connection.
  3. Attempt to manually check, change, and set password again on the account that failed.

If the asset is running a Windows operating system, a local account password check, change, or set can fail when the asset is configured with a service account that has administrative privileges but is not the built-in Administrator.

Before Safeguard for Privileged Passwords can change local account passwords on Windows systems using a service account that is not the built-in Administrator, you must change the local security policy to disable the "Run all administrators in Admin Approval Mode" option. For more information, see Change password fails.
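The following PowerShell check is an added example, not part of the original guide or of the product. It reports whether a Windows asset is in the state described above. It assumes a local (not domain) service account, passed in the hypothetical `$ServiceAccount` parameter, and an elevated session on the asset itself.

```powershell
# Added diagnostic, not vendor code. Run in an elevated session on the Windows asset.
# $ServiceAccount is a placeholder for the local service account configured for the asset.
param(
    [Parameter(Mandatory)]
    [string]$ServiceAccount
)

$user = Get-LocalUser -Name $ServiceAccount -ErrorAction Stop

# The built-in Administrator keeps a SID ending in -500 even if it has been renamed.
$isBuiltIn = $user.SID.Value -match '-500$'

# Check membership in the local Administrators group by its well-known SID.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $user.SID.Value })

# "Run all administrators in Admin Approval Mode" is stored as EnableLUA (1 = enabled).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA `
    -ErrorAction SilentlyContinue).EnableLUA
# Assumption: a missing value is treated as "enabled".
$approvalModeOn = ($enableLua -ne 0)

$finding = if (-not $user.Enabled) {
    'Service account is disabled.'
} elseif (-not $isAdmin) {
    'Service account is not a member of the local Administrators group.'
} elseif ($isBuiltIn) {
    'Service account is the built-in Administrator.'
} elseif ($approvalModeOn) {
    'Non-built-in administrator with Admin Approval Mode enabled: password check, change, or set can fail.'
} else {
    'Non-built-in administrator with Admin Approval Mode disabled.'
}

[pscustomobject]@{
    Account             = $user.Name
    Enabled             = $user.Enabled
    BuiltInAdmin        = $isBuiltIn
    LocalAdministrator  = $isAdmin
    AdminApprovalModeOn = $approvalModeOn
    Finding             = $finding
}
```

Windows applies a change to this policy only after a restart, and disabling it turns off User Account Control for every administrator on that host, not just the service account.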

Cannot connect to remote machine through SSH or RDP

If you are unable to connect to a remote machine either through SSH or RDP, log into the Safeguard for Privileged Passwords desktop client as an Appliance Administrator and check the following:

  • Check the Activity Center and logs for additional information.
  • Ensure that the Network Interface X1 is configured correctly (Administrative Tools | Settings | Appliance | Networking). If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
  • Ensure that you have installed the Privileged Sessions module license. (Administrative Tools | Settings | Appliance | Licensing).

Cannot delete account

Wrong account name:

As an Asset administrator, if you attempt to delete an account and receive this error, "This entity has access requests which have not yet expired or have to be reviewed. It cannot be deleted now", this could indicate that Safeguard for Privileged Passwords is trying to change the password on an account that does not exist on the asset.

One reason for this error message is that the wrong account name was used when adding the account to Safeguard. When someone then requests the password for this account, Safeguard displays the password that was manually set. However, when the requester attempts to log into the asset using the "bad" account and password, the login fails. If the access request policy specified Change password after check-in, the above error message appears when the administrator tries to delete the account from Safeguard for Privileged Passwords.

Workaround: To delete the account with the misspelled name, first manually set the password on the account. Once the account password is reset, Safeguard for Privileged Passwords will allow you to delete the account.

Cannot play session message

If you receive a message that says "Cannot play session...The specified executable is not a valid application for this OS platform", you are most likely attempting to run the sessions player on a 32-bit platform, which is not supported.
