Purpose
The Quickpass Agent on a Domain Controller was originally installed to run the Quickpass Service as Local System, and you want to change it to run as a Managed Service Account (MSA). Typical reasons:
- The "Local System" account may not have sufficient privileges to Read/Write to Active Directory.
- You want increased visibility in the Security Audit logs to determine what actions are performed by the Quickpass Agent.
Details
This Automate script will only complete on machines that have Active Directory Domain Services running and where the Quickpass Agent is installed and running as Local System (i.e., machines already running the Quickpass Agent service as an MSA will be skipped).
Checks will be completed at the beginning of the script to rule out and skip machines that are not compliant.
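The same two conditions can be checked by hand before or after running the script. The following is an added example, not the Automate script's own code. NTDS is the Windows service name for Active Directory Domain Services; the display-name pattern for the Quickpass service is an assumed placeholder, and treating a logon name ending in `$` as an MSA is a heuristic.

```powershell
# Added example: manual pre/post check for the service-account change.
# ASSUMPTION: the display-name pattern below is a placeholder; adjust it to your install.
param(
    [string]$ServiceDisplayNamePattern = '*Quickpass*'
)

function Get-LogonAccountType {
    # Classify the "Log On As" value reported by Win32_Service.StartName.
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'LocalSystem'; break }
        '\$$'                                   { 'ManagedServiceAccount'; break }  # heuristic: MSA names end in $
        default                                 { 'Other' }
    }
}

# Condition 1: Active Directory Domain Services (service name NTDS) must be running.
$adds = Get-Service -Name 'NTDS' -ErrorAction SilentlyContinue
if (-not $adds -or $adds.Status -ne 'Running') {
    Write-Output 'SKIP: Active Directory Domain Services is not running on this machine.'
    return
}

# Condition 2: the agent service must be installed; report which account it runs as.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceDisplayNamePattern })
if ($services.Count -eq 0) {
    Write-Output "SKIP: no installed service matches '$ServiceDisplayNamePattern'."
    return
}

foreach ($svc in $services) {
    [pscustomobject]@{
        Service     = $svc.Name
        State       = $svc.State
        LogonAs     = $svc.StartName
        AccountType = Get-LogonAccountType -StartName $svc.StartName
    }
}
```

An AccountType of LocalSystem means the machine is still a candidate for the change; ManagedServiceAccount after the run indicates the change took effect.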
Implementation
1. Download the Change QP Service to RunAs MSA - CW Automate script here, or at the bottom of the page in Attachments.
2. Open ConnectWise Control > System > General > Import > XML Expansion > import the downloaded file.
The XML will import as 'Change QP Service to RunAs MSA - CW Automate' to the following location:
- Automation > Scripts > Software > Tools and Utilities
3. Navigate to the desired target machine(s), click Scripts, and drill down to find the imported script.
- Note: If you want to run this script on a schedule, select Schedule Recurrence and schedule as desired
Additional Considerations
- If the Domain has a Policy that limits Domain Admin membership, add the new Managed Service Account to that Policy so that the account remains a member of the Group.
- If the Domain has a Policy that limits which accounts are used to Log On as a Service, update that account list to include the new Managed Service Account.
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service.