- Applies only to Active Directory and Local Accounts
- Install the Quickpass agent on the systems that have accounts you wish to rotate passwords for. https://support.getquickpass.com/hc/en-us/articles/360035206994-How-to-install-the-Server-Agent-Manual-and-Silent
|Ensure you have followed the IT Glue Integration Setup Guide
Ensure you have followed the Hudu Integration Setup Guide (if you use Hudu)
Ensure you have completed all steps to match Accounts to IT Glue
Ensure you have completed all steps to match Accounts to Hudu
- You have accounts that you use for Windows Services and/or Scheduled tasks that you wish to schedule a password rotation.
Set Auto Rotation Default Settings
1. Click the Rotate Settings - Service button in the lower left hand corner while in the Service Accounts screen.
Rotate Settings for Administrator Accounts is separate from the Rotate Settings for Service Accounts. You can now adjust the settings for BOTH types of accounts from either the Administrator Accounts or Service Accounts screen.
2. Select the customer's Time Zone, Time, default number of Days between rotations and Password Type (random complex passwords up to 99 characters or random passphrases) for the scheduled password rotation. Then click Save.
- Random complex password: This is the default option for password rotation and allows you to choose a password length between 8 and 99 characters. If the Active Directory password policy is greater than 8 characters then the slider/character count will start at the minimum password length and you will only be allowed to select a length as low as the password policy minimum. Type the number of characters you want to use, or use the slider to select the Random Complex Character Password length.
- Random Passphrases: This is a more secure option which creates passwords that are roughly 30 characters in length using actual words that are easy to read and type. This option will satisfy complexity requirements from both Active Directory and Azure Active Directory / Office 365.
To Enable this option select either Four Long Words or Five Short Words from the appropriate radio button.
Four long word passphrase example
Five short word passphrase example
Caution: Some versions of Windows Server Essentials include a built in utility to sync Active Directory passwords with Office 365 / Azure. This utility enforces a maximum password length of 16 characters and therefore passphrases will not work in these cases. Similarly, if you are using an older version of AD Connect from prior to May 2019 when they increased the password length in Azure Active Directory to 256 characters you will experience the same issue. Be sure to test that the Active Directory server supports passwords greater than 16 characters prior to enabling this option.
Enable Auto Rotation
1. In the Service Accounts screen click the Auto Rotate toggle switch beside the Service Account you wish to setup scheduled password rotation for.
The Frequency column will populate with the default number of days from the Auto Rotate Settings and the date of the next scheduled password rotation will show in the Next Column. The Last column at this time will be blank until the first scheduled password rotation takes place.
The time window for the scheduled password rotation will be taken from the Auto Rotate settings previously setup.
Alternatively you also have the option to Enable Auto Rotate for all accounts at once. To do this select either use the select all check box or individually select all the Admin user accounts you wish to enable auto rotation for.
Once Complete, all the service accounts you selected to be enabled for auto password rotation have been activated.
- After a password is rotated, Quickpass will search each Domain Controller or Member Server with a Quickpass agent for a Windows Service or Scheduled Task that is using the Service account just rotated. Quickpass will then update the Windows Service and/or Scheduled Task password and restart the Windows Service within 60 seconds after the rotation as long as the Restart toggle switch is set to On.
- The delay for restarting the Windows Service is in place to ensure that the password has had time to replicate to all Active Directory domain controllers.
- Caution: Password rotation of service accounts will fail if any of the AD Server or Member Server agents are offline. This is to ensure Quickpass does not rotate a password for a Windows Service or Scheduled task account that is being used on the offline server.
- Quickpass will also automatically update the password entry in IT Glue or Hudu. Quickpass resets passwords to a new randomly generated password or passphrase using the options selected in the Auto Rotate settings for the customer.
- IT Glue or Hudu will show the audit/revision history of all Password changes including the date, time and by who as well as being able to see the previous passwords which you can refer back to as needed.
- The Quickpass Events event viewer on the Windows Server where service accounts are rotated will log the following events.
Received UpdateServiceAccounts command
Windows Service - <Name of Service> - password update: Success
Scheduled Task - <Name of Scheduled Task> - password update: Success
UpdateServiceAccounts processed successfully
Windows Service - <Name of Service> - restart: Success (Within 60 seconds after password rotation)
- Scheduled Password Rotation Retry - https://support.getquickpass.com/hc/en-us/articles/9907473165975-Password-Rotation-Retry
Please sign in to leave a comment.