Description of Issue
There are several reasons why password rotation may fail. This document outlines the most common causes of password rotation failures and how to resolve each of them.
1. IT Glue: API Key Password Access checkbox is not enabled.
2. IT Glue: The IT Glue password entry associated for an account was deleted in IT Glue.
3. Service Account Rotation - Agent(s) are offline: If any deployed agent for a Quickpass customer is offline, service account rotation will not run.
4. Active Directory: User cannot change password option is enabled.
5. Third-party password filter installed: A tool other than Microsoft AD Connect is installed in Active Directory to detect when password changes occur or when passwords expire.
6. Quickpass Windows Service: You have switched from the Local System account to another account that does not have permission to write to Active Directory.
7. Quickpass Windows Service: The Windows service is not running.
8. AD Password Policy: The minimum number of characters for the AD default domain password policy has been changed and it is now greater than the number of characters set for the Quickpass customer in Auto Rotate Settings.
9. Windows Server Essentials and Legacy AD Connect Agent: Windows Server Essentials 2012, 2012 R2 and 2016 have a built-in utility to sync Active Directory passwords to Office 365 that enforces a 16-character limit on Active Directory passwords. AD Connect agent versions prior to May 2019 enforced the same limit until Microsoft increased it to 256 characters.
If you are using the Passphrase option in Auto Rotate Settings, passwords will be longer than 16 characters.
10. Office 365: The Quickpass application has not been added to the Privileged Authentication Administrator group for the Office 365 tenant in Azure Active Directory.
11. LAPS: If a system is currently or was previously managed by LAPS, the following failure message may occur: "Error: The account is controlled by external policy and cannot be modified".
Resolution
1. IT Glue: Make sure the API Key Password Access checkbox is enabled.
2. IT Glue: Re-create the password entry in IT Glue and re-connect it to the Quickpass administrator or service account.
3. Service Account Rotation - Agent(s) are offline: Make sure all agents are online before rotating the service account again. Check the Agents menu to see whether they are online, and investigate any offline agent on its Windows server if necessary.
4. Active Directory: Un-check the User cannot change password option.
5. Third-party password filter installed: Uninstall the third-party password filter application. Microsoft AD Connect is supported. If unsure, please email support at firstname.lastname@example.org and send a screenshot of the registry entry below.
6. Quickpass Windows Service: Ensure the Local System account is set for Log On As.
7. Quickpass Windows Service: Ensure the Windows service is running. If you try to start the service and it fails to start or crashes, please open a support ticket at email@example.com.
8. AD Password Policy: If you change the minimum password length in the default domain AD password policy, check the Auto Rotate Settings for that customer and ensure the configured password length is equal to or greater than the policy's minimum.
9. Windows Server Essentials and Legacy AD Connect Agent: Switch from passphrases to fixed-length complex passwords in Auto Rotate Settings, then try the password rotation again.
10. Office 365: Add the Quickpass application to the Privileged Authentication Administrator group in Azure Active Directory for the Office 365 tenant.
In the Azure portal, go to Azure Active Directory and click Roles and administrators. Type Privileged Authentication Administrator in the Search box, then click Privileged Authentication Administrator under Role.
In the Privileged Authentication Administrator - Assignments window click Add Assignments button.
Type "Quickpass" in the Select box then select the Quickpass enterprise application entry and click the Add button.
You can now start to on-board Office 365 / Azure users in Quickpass. Password reset functionality must wait until these permissions have propagated in Office 365 / Azure, which may take up to 15 minutes.
11. LAPS: Check the settings of whichever system manages LAPS (Intune, Azure, etc.) and verify that the machine receiving the rotation error is not being managed by LAPS.
In some cases, there may be a leftover registry key on the previously managed machine after disabling LAPS. Check the following registry key on the system receiving the failure. If this key is set to Enabled, toggle it to Disabled, restart the machine, and then re-attempt a password rotation.
Registry Key: Computer Configuration/Administrative Templates/LAPS/Enable local admin password management
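Several of the on-premises causes above (items 4 through 8 and 11) can be checked from one elevated PowerShell session on the server running the Quickpass agent before retrying a rotation. The script below is an added example written for this article, not Quickpass's own tooling. It assumes the ActiveDirectory module is available, that the legacy LAPS policy "Enable local admin password management" maps to the AdmPwdEnabled registry value under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, and it uses placeholder values for the account name, the Quickpass service name and the Auto Rotate Settings length; replace those with your own.

```powershell
# Added example (not Quickpass code): pre-flight checks for common on-prem
# password rotation failures. Run elevated on the domain controller/agent host.
function Test-QuickpassRotationPrereqs {
    param(
        [string]$UserName        = 'svc-example',        # placeholder: account that failed to rotate
        [string]$ServiceName     = 'QuickpassAgent',     # placeholder: check services.msc for the real name
        [int]   $ConfiguredLength = 16                   # placeholder: length set in Auto Rotate Settings
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $findings = @()

    # Item 4: "User cannot change password" is exposed by Get-ADUser as an extended property.
    $user = Get-ADUser -Identity $UserName -Properties CannotChangePassword
    if ($user.CannotChangePassword) {
        $findings += "User '$UserName' has 'User cannot change password' set. Clear it with: Set-ADUser -Identity $UserName -CannotChangePassword `$false"
    }

    # Item 5: password filters register themselves in the LSA 'Notification Packages' list.
    # 'scecli' and 'rassfm' ship with Windows; anything else is a third-party filter to review.
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Notification Packages'
    $extra = @($lsa.'Notification Packages' | Where-Object { $_ -notin @('scecli', 'rassfm') })
    if ($extra.Count -gt 0) {
        $findings += "Non-default LSA notification packages present: $($extra -join ', ')"
    }

    # Items 6 and 7: the service must be running and logging on as LocalSystem.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        $findings += "Service '$ServiceName' not found; verify the service name."
    } else {
        if ($svc.State -ne 'Running')       { $findings += "Service '$ServiceName' is $($svc.State), not Running." }
        if ($svc.StartName -ne 'LocalSystem') { $findings += "Service '$ServiceName' logs on as '$($svc.StartName)', not LocalSystem." }
    }

    # Item 8: the domain's minimum length must not exceed the Auto Rotate Settings length.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.MinPasswordLength -gt $ConfiguredLength) {
        $findings += "Domain MinPasswordLength ($($policy.MinPasswordLength)) exceeds the Auto Rotate Settings length ($ConfiguredLength)."
    }

    # Item 11: a leftover legacy LAPS policy (assumed mapping: AdmPwdEnabled=1 under the AdmPwd policy key).
    $lapsKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    if (Test-Path $lapsKey) {
        $admPwd = Get-ItemProperty -Path $lapsKey
        if ($admPwd.AdmPwdEnabled -eq 1) {
            $findings += "Legacy LAPS policy is still enabled (AdmPwdEnabled=1 under $lapsKey)."
        }
    }

    if ($findings.Count -eq 0) { Write-Output 'No rotation blockers found in the checked settings.' }
    else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
    return $findings
}

# Usage (replace the placeholders with your own values):
Test-QuickpassRotationPrereqs -UserName 'svc-example' -ServiceName 'QuickpassAgent' -ConfiguredLength 16
```

The function returns the findings as an array so it can be run across several servers and collected centrally; a non-default entry in Notification Packages is the thing to screenshot when contacting support about item 5.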
Password Retry Mechanism - https://support.getquickpass.com/hc/en-us/articles/9907473165975-Password-Rotation-Retry
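For tenants where the portal steps in item 10 are repeated often, the same role assignment can be scripted. The block below is an added example using the Microsoft Graph PowerShell SDK, not a script from Quickpass; it assumes the Microsoft.Graph module is installed, that the signed-in account can manage directory roles, and that the enterprise application is named "Quickpass" as in the article.

```powershell
# Added example (not Quickpass code): add the Quickpass enterprise application
# to the Privileged Authentication Administrator directory role via Microsoft Graph.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'

$roleName = 'Privileged Authentication Administrator'

# Get-MgDirectoryRole only lists roles already activated in the tenant;
# activate it from its template if it has never been used before.
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role     = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Locate the Quickpass service principal (the "enterprise application" entry in the portal).
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'Quickpass'")
if ($sp.Count -eq 0) { throw 'Quickpass enterprise application not found in this tenant.' }
if ($sp.Count -gt 1) { throw 'Multiple service principals named Quickpass; select one by AppId instead.' }
$sp = $sp[0]

# Make the assignment idempotent: skip if the app is already a member of the role.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -contains $sp.Id) {
    Write-Output "Quickpass is already assigned to $roleName."
} else {
    $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $body
    Write-Output "Assigned Quickpass to $roleName. Allow up to 15 minutes for propagation before testing a password reset."
}
```

Because this role can reset credentials for privileged users, keep the membership check above as part of periodic review of the role's members so that only the intended application holds it.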