Step 1: Configure the domain controller Managed System in TPAM.
- Navigate to the Systems Management page for the DC Managed System and click the Details tab.
- On the Information tab, ensure that "Enable Password Management" is checked.
- On the Connection tab, specify the Functional Account credentials.
You can use the Delegation of Control wizard in AD to assign the following minimum permissions:
- Object type: User Objects
- Reset Password
- Read and write account restrictions
- Read lockout time
- Write lockout time
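The Delegation of Control wizard writes these four permissions as ACEs on the OU, inherited by user objects beneath it. The following PowerShell script is an added example (not part of this article) that reads those ACEs back and reports which of the Step 1 permissions the Functional Account actually holds. The account name `CONTOSO\svc-tpam` and the OU distinguished name are placeholders; the schema GUIDs are the fixed identifiers Active Directory uses for the user class, the Reset Password extended right, the Account Restrictions property set and the lockoutTime attribute. It checks the OU-level delegation the wizard produces, not rights granted directly on individual user objects.

```powershell
# Added example: audit the delegated permissions requested in Step 1.
# Assumes the ActiveDirectory module is installed; account and OU below are placeholders.
Import-Module ActiveDirectory

$FunctionalAccount = 'CONTOSO\svc-tpam'                        # placeholder
$TargetDN          = 'OU=ServiceAccounts,DC=example,DC=local'  # placeholder

# Schema GUIDs referenced by AD ACEs (fixed values from the AD schema).
$Guids = @{
    UserObjectClass     = 'bf967aba-0de6-11d0-a285-00aa003049e2'  # ACE applies to user objects
    ResetPassword       = '00299570-246d-11d0-a768-00aa006e0529'  # extended right
    AccountRestrictions = '4c164200-20c0-11d0-a768-00aa006e0529'  # property set
    LockoutTime         = '28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute
}

# Only Allow ACEs granted to the functional account and scoped to user objects matter here.
$acl  = Get-Acl -Path "AD:\$TargetDN"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $FunctionalAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritedObjectType -eq $Guids.UserObjectClass
}

# The wizard's "minimum permissions", expressed as (right, object GUID) pairs.
$Expected = @(
    @{ Name = 'Reset Password';             Rights = 'ExtendedRight'; Guid = $Guids.ResetPassword },
    @{ Name = 'Read account restrictions';  Rights = 'ReadProperty';  Guid = $Guids.AccountRestrictions },
    @{ Name = 'Write account restrictions'; Rights = 'WriteProperty'; Guid = $Guids.AccountRestrictions },
    @{ Name = 'Read lockout time';          Rights = 'ReadProperty';  Guid = $Guids.LockoutTime },
    @{ Name = 'Write lockout time';         Rights = 'WriteProperty'; Guid = $Guids.LockoutTime }
)

foreach ($e in $Expected) {
    $want = [System.DirectoryServices.ActiveDirectoryRights]$e.Rights
    # An ACE satisfies the requirement if it targets the right GUID and includes the right bit.
    $hit = $aces | Where-Object {
        $_.ObjectType -eq $e.Guid -and (($_.ActiveDirectoryRights -band $want) -eq $want)
    }
    $status = if ($hit) { 'OK     ' } else { 'MISSING' }
    '{0} {1}' -f $status, $e.Name
}
```

Run it as a user with read access to the OU's security descriptor. Any line reported as MISSING corresponds to a permission that a forced reset in Step 4 would fail on with an access denied error.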
Step 2: Configure the Managed Account for the Windows Services and Tasks.
- Create a Managed Account under the DC Managed System for the AD user specified on the Windows Services and Tasks.
- Click the Details tab and ensure it is set to "Automatic" Password Management.
The following check boxes should NOT be checked unless there are services and tasks that need to be managed locally on the Domain Controller itself (this requires additional permissions):
- Change password for Windows Services started by this account?
- Automatically restart such Services?
- Use this account's current password to change the password?
These options apply only to the local system to which the Managed Account belongs. To manage services and tasks on other systems, click the Dependents tab.
- On the Dependents tab, specify your filter options or leave as default and click the "Results" tab.
- Set the "Dependent Status" to Dependent on any "Windows" systems for which you would like the Windows Services and Tasks to be updated.
Step 3: Permissions required for the Managed System(s) where the Windows Services and Tasks are running.
A Managed System must exist in TPAM for each system where you have Windows Services and/or Scheduled Tasks for which the credentials need to be updated.
- Ensure that Password Management is enabled on each of these systems in TPAM, so that Functional Account credentials can be specified on the Connection tab.
The Functional Account must have the following local permissions on the system(s) running the Services and Tasks:
- Member of the local Administrators group OR
- Member of the local Backup Operators group
- Add to the "Log on as a batch job" local policy.
This system must then be set as a Dependent on the AD Account as specified in Step 2.
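The local permissions listed in Step 3 can be verified on each dependent system before the forced reset in Step 4. The script below is an added example (not part of this article) that checks local group membership and the "Log on as a batch job" user right for the Functional Account; `CONTOSO\svc-tpam` is a placeholder. It uses secedit to export the assigned user rights, because that is the supported way to read them from a script, and it does not expand nested group membership, so an account that is a member only through a nested domain group is reported as not found.

```powershell
# Added example: confirm the Step 3 local permissions on a system running the Services/Tasks.
# Run elevated on the dependent system; the account name is a placeholder.
$FunctionalAccount = 'CONTOSO\svc-tpam'   # placeholder

function Test-LocalGroupMembership {
    param([string]$Group, [string]$Account)
    # Get-LocalGroupMember lists domain members as DOMAIN\name (direct members only).
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.Name -ieq $Account })
}

function Get-BatchLogonRightHolders {
    # Export the USER_RIGHTS area and read the SeBatchLogonRight line ("Log on as a batch job").
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeBatchLogonRight\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Holders are comma separated and appear either as *SID or as DOMAIN\name.
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

function Resolve-AccountSid {
    param([string]$Account)
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$isAdmin  = Test-LocalGroupMembership -Group 'Administrators'   -Account $FunctionalAccount
$isBackup = Test-LocalGroupMembership -Group 'Backup Operators' -Account $FunctionalAccount
$sid      = Resolve-AccountSid $FunctionalAccount
$holders  = Get-BatchLogonRightHolders
$hasBatch = ($holders -contains "*$sid") -or ($holders -icontains $FunctionalAccount)

'Administrators or Backup Operators : {0}' -f ($isAdmin -or $isBackup)
'Log on as a batch job              : {0}' -f $hasBatch
if (-not ($isAdmin -or $isBackup) -or -not $hasBatch) {
    Write-Warning 'Functional account lacks a local permission required for dependent updates.'
}
```

Both lines must report True for the system to be usable as a Dependent; a False on either one is the usual cause of the access denied errors described in Step 4.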
Step 4: Verifying the configuration
- Go to the Managed Account used for the Windows Services and Scheduled Tasks mentioned in Step 2.
- Perform a forced reset by clicking the Reset Password button.
If everything is configured properly and the correct permissions are assigned, the password will be reset and any Dependent systems will also be updated.
If you receive any errors about password reset failures or access denied, you will need to verify the permissions assigned above.
Also ensure that the "Domain Name" value configured on the TPAM "Windows Active Dir" platform matches exactly how the service account is configured on the managed system (for example, if the "Windows Active Dir" platform is configured with an FQDN such as "example.local" but the service configuration uses a different form of the domain name, the update will not work correctly). The Domain Name should be configured so that these values match.
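To find the form of the domain name that the services and tasks on a dependent system actually use, the following PowerShell script is an added example (not part of this article). It enumerates services and scheduled tasks whose run-as account is the managed AD user and classifies each logon string as NetBIOS (DOMAIN\user), UPN (user@fqdn) or another form, so the result can be compared with the platform's "Domain Name" value. The user name `svc-app`, the NetBIOS name `EXAMPLE` and the DNS name `example.local` are placeholders.

```powershell
# Added example: list dependents running as the managed account and show the account-name form.
# Run on the dependent system; the three values below are placeholders.
$ManagedUser   = 'svc-app'        # placeholder: sAMAccountName of the managed AD account
$NetBiosDomain = 'EXAMPLE'        # placeholder
$DnsDomain     = 'example.local'  # placeholder

function Get-AccountNameForm {
    param([string]$Name)
    # Classify the logon-account string as Windows stores it.
    switch -Regex ($Name) {
        '^\.\\'               { 'Local (.\user)';        break }
        '^[^\\@]+\\[^\\@]+$'  { 'NetBIOS (DOMAIN\user)'; break }
        '^[^\\@]+@[^\\@]+$'   { 'UPN (user@fqdn)';       break }
        default               { 'Other' }
    }
}

function Test-IsManagedUser {
    param([string]$Name)
    # -in compares case-insensitively; cover the forms the account could be written in.
    $Name -in @("$NetBiosDomain\$ManagedUser", "$ManagedUser@$DnsDomain", "$DnsDomain\$ManagedUser")
}

$results = @()
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and (Test-IsManagedUser $_.StartName) } |
    ForEach-Object {
        $results += [pscustomobject]@{
            Type = 'Service'; Name = $_.Name; RunAs = $_.StartName
            Form = Get-AccountNameForm $_.StartName
        }
    }
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and (Test-IsManagedUser $_.Principal.UserId) } |
    ForEach-Object {
        $results += [pscustomobject]@{
            Type = 'Task'; Name = $_.TaskName; RunAs = $_.Principal.UserId
            Form = Get-AccountNameForm $_.Principal.UserId
        }
    }

$results | Format-Table -AutoSize
$forms = @($results.Form | Sort-Object -Unique)
if ($forms.Count -gt 1) {
    Write-Warning "Dependents use more than one account-name form ($($forms -join ', ')); the platform Domain Name can match only one."
}
```

If every dependent shows NetBIOS form, the platform "Domain Name" should be the NetBIOS name; if they show UPN form, it should be the FQDN. A mix means some dependents will not be updated until their logon configuration is made consistent.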