Introduction
If the Quickpass agent is offline when a JIT account is scheduled to expire, Quickpass cannot reach the Active Directory domain or the local system to perform its normal clean-up: disabling the JIT account, removing it from privileged groups, and rotating its password.
Even so, the JIT account still becomes unusable on its own. When the JIT account was created, Quickpass stamped an account expiry time on the account in the source directory (the local SAM or Active Directory), matching the duration selected at creation time. Once that timestamp elapses, Windows itself rejects the account, whether or not the agent is online. Note that the group memberships and password are only cleaned up once the agent is back online, so an expired account may still appear in privileged groups until then.
Identify Account Expiry Time
To confirm the account expiry time for the JIT account:
1. Sign in to the source directory for the account: the local machine for a local JIT account, or a domain controller for a domain JIT account.
2. Open Command Prompt as Administrator.
3. Run the following command, substituting the JIT account's username:
net user <insert JIT username>
(On a domain-joined member server rather than a domain controller, add /domain so the query goes to the domain instead of the local SAM: net user <insert JIT username> /domain)
4. The output includes an Account expires line showing a date and time (displayed in the local time of the machine running the command), or Never if no expiry is set.
5. The Account expires value is when the JIT account expires and becomes unusable. At the time of expiry, any active session using the JIT account will be kicked to the login screen.
6. If the JIT account is required for further administrative tasks, resolve the offline Quickpass agent first; the JIT account may then be re-enabled from the QP Admin Dashboard or via the QTech mobile app/Passwordless MFA technician sign-in tile.
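The same check, scripted in PowerShell, as an added example that is not CyberQP's or Quickpass's own code. It reports the expiry time, whether it has already passed, and which privileged groups the account is still a member of, which is the part the offline agent could not clean up. It assumes the JIT account name is supplied as a parameter and, for domain accounts, that the ActiveDirectory RSAT module is installed on the machine where it runs.

```powershell
# Added example, not Quickpass code. Check a JIT account's expiry state and
# remaining privileged group memberships, locally or in Active Directory.
# Usage: .\Check-JitExpiry.ps1 -UserName jit-tech01            (local account)
#        .\Check-JitExpiry.ps1 -UserName jit-tech01 -Domain    (AD account)
param(
    [Parameter(Mandatory)][string]$UserName,   # assumed: the JIT account name
    [switch]$Domain                             # query AD instead of local SAM
)

if ($Domain) {
    # AD path: AccountExpirationDate is the same value 'net user ... /domain'
    # reports as "Account expires"; $null means Never.
    Import-Module ActiveDirectory -ErrorAction Stop
    $user    = Get-ADUser -Identity $UserName -Properties AccountExpirationDate, MemberOf
    $expires = $user.AccountExpirationDate
    $enabled = $user.Enabled
    # Reduce each group DN to its CN for readability.
    $groups  = @($user.MemberOf | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' })
} else {
    # Local path: Get-LocalUser exposes the same expiry as 'net user'.
    $user    = Get-LocalUser -Name $UserName -ErrorAction Stop
    $expires = $user.AccountExpires
    $enabled = $user.Enabled
    # Walk local groups and keep the ones that list this account as a member.
    $groups  = @(foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
        if ($members.Name -contains "$env:COMPUTERNAME\$UserName") { $g.Name }
    })
}

$now = Get-Date
# Group names to treat as privileged; adjust for your environment (assumption).
$privilegedPattern = 'Admin|Operators|Schema|Enterprise'

[pscustomobject]@{
    Account          = $UserName
    Enabled          = $enabled
    AccountExpires   = if ($expires) { $expires } else { 'Never' }
    Expired          = if ($expires) { $expires -le $now } else { $false }
    TimeRemaining    = if ($expires -and $expires -gt $now) { $expires - $now } else { $null }
    # Non-empty on an expired account means the agent has not yet cleaned up.
    PrivilegedGroups = ($groups | Where-Object { $_ -match $privilegedPattern }) -join ', '
}
```

Run it on the same machine you would run net user on (the local host for a local JIT account, a domain controller or a member with RSAT for a domain account). If Expired is True and PrivilegedGroups is not empty, the account can no longer authenticate, but its memberships and password are still pending clean-up by the agent; that is the state to watch for while the agent is offline.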
Other Articles
- How to create and use Just-In-Time Privileged accounts (Azure AD)
- How to create and use Just-In-Time Privileged accounts (LOCAL)
- Answering Just-In-Time FAQ – CyberQP (getquickpass.com)