Prerequisites
- Applies only to Active Directory and Local Accounts
- Install the Quickpass agent on the systems that have accounts you wish to rotate passwords for. https://support.getquickpass.com/hc/en-us/articles/360035206994-How-to-install-the-Server-Agent-Manual-and-Silent
| IT Glue | Hudu |
|---|---|
| Ensure you have followed the IT Glue Integration Setup Guide https://support.getquickpass.com/hc/en-us/articles/1500009501742-IT-Glue-Integration-Setup-Guide-New | Ensure you have followed the Hudu Integration Setup Guide (if you use Hudu) |
| Ensure you have completed all steps to match Customers to IT Glue | Ensure you have completed all steps to match Customers to Hudu |
- You have accounts that you use for Windows Services and/or Scheduled tasks that you wish to schedule a password rotation.
Set Auto Rotation Default Settings
1. Click the Service Rotation button in the lower left hand corner while in the Service Accounts screen.
Rotate Settings for Administrator Accounts is separate from the Rotate Settings for Service Accounts. You can now adjust the settings for BOTH types of accounts from either the Administrator Accounts or Service Accounts screen.
2. Select the customer's Time Zone, Time of Day to do the rotation, default number of Days between rotations and Password Type (random complex passwords up to 99 characters or random passphrases) for the scheduled password rotation. Then click Save.
Password Type
- Random complex password: This is the default option for password rotation and allows you to choose a password length between 8 and 99 characters. If the Active Directory password policy requires more than 8 characters, the slider/character count will start at the policy's minimum password length and you will not be able to select a shorter length. Type the number of characters you want to use, or use the slider to select the Random Complex Character Password length.
- Random Passphrases: This is a more secure option which creates passwords that are roughly 30 characters in length using actual words that are easy to read and type. This option will satisfy complexity requirements from both Active Directory and Azure Active Directory / Office 365.
To enable this option, select either Four Long Words or Five Short Words using the appropriate radio button.
Four long word passphrase example
Five short word passphrase example
Caution: Some versions of Windows Server Essentials include a built-in utility to sync Active Directory passwords with Office 365 / Azure. This utility enforces a maximum password length of 16 characters, so passphrases will not work in these cases. Similarly, you will experience the same issue if you are using an older version of AD Connect from prior to May 2019, when the password length in Azure Active Directory was increased to 256 characters. Be sure to test that the Active Directory server supports passwords greater than 16 characters prior to enabling this option.
How to Import Active Directory and Local Service Accounts
Step 1: Select the desired customer that has the Service Account you want to import
Step 2: Click the Service Accounts icon on the left hand navigation bar
Step 3: Click the Add Accounts dropdown and select Manual
Step 4: Select whether you want to Import an Active Directory account or Import a Local Account and click Continue
Import an Active Directory account
Step 1: Select the Organizational Unit which contains the Service Account you want to import
Step 2: Check the box of the Account(s) which you want to import and then click Add
Import a Local Account
Step 1: Repeat steps 1-4 from subheading How to Import Active Directory and Local Service Accounts
Step 2: Select the Agent (Computer) which contains the Service Account you want to import
Step 3: Check the box of the Account(s) which you want to import and then click Add
IT Glue or Hudu Account Matching
| IT Glue | Hudu |
|---|---|
| Ensure you have completed all steps to match Accounts to IT Glue | Ensure you have completed all steps to match Accounts to Hudu |
Enable Auto Rotation
1. In the Service Accounts screen, click the Auto Rotate toggle switch beside the Service Account you wish to set up scheduled password rotation for.
The Frequency column will populate with the default number of days from the Auto Rotate Settings, and the date of the next scheduled password rotation will show in the Next column. The Last column will remain blank until the first scheduled password rotation takes place.
The time window for the scheduled password rotation will be taken from the Auto Rotate settings set up previously.
Alternatively, you have the option to enable Auto Rotate for all accounts at once. To do this, either use the select all check box or individually select all the Admin user accounts you wish to enable auto rotation for.
Once complete, all the service accounts you selected to be enabled for auto password rotation have been activated.
Note
- After a password is rotated, Quickpass will search each Domain Controller or Member Server with a Quickpass agent for a Windows Service or Scheduled Task that is using the Service account just rotated. Quickpass will then update the Windows Service and/or Scheduled Task password and restart the Windows Service within 60 seconds after the rotation as long as the Restart toggle switch is set to On.
- The delay for restarting the Windows Service is in place to ensure that the password has had time to replicate to all Active Directory domain controllers.
- Caution: Password rotation of service accounts will fail if any of the AD Server or Member Server agents are offline. This is to ensure Quickpass does not rotate a password for a Windows Service or Scheduled task account that is being used on the offline server.
- Quickpass will also automatically update the password entry in IT Glue or Hudu. Quickpass resets passwords to a new randomly generated password or passphrase using the options selected in the Auto Rotate settings for the customer.
- IT Glue or Hudu will show the audit/revision history of all password changes, including the date, time and by whom, and will let you see the previous passwords, which you can refer back to as needed.
- The Quickpass Events event viewer on the Windows Server where service accounts are rotated will log the following events.
Received UpdateServiceAccounts command
Windows Service - <Name of Service> - password update: Success
Scheduled Task - <Name of Scheduled Task> - password update: Success
UpdateServiceAccounts processed successfully
Windows Service - <Name of Service> - restart: Success (Within 60 seconds after password rotation)
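One way to check a rotation run against the events listed above, as an added example that is not part of the original article or Quickpass's own code. It assumes the event messages have been exported one per line with an ISO timestamp in front (a constructed layout), uses made-up service and task names, treats any result other than Success as a failure, and measures the 60 seconds from the service's password update event.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: "<ISO timestamp> <message>" per line. The message texts
# follow the article; timestamps, names and the export layout are assumptions.
SAMPLE = """\
2024-03-01T02:00:05 Received UpdateServiceAccounts command
2024-03-01T02:00:06 Windows Service - BackupSvc - password update: Success
2024-03-01T02:00:06 Windows Service - ReportSvc - password update: Success
2024-03-01T02:00:07 Scheduled Task - NightlyExport - password update: Success
2024-03-01T02:00:07 UpdateServiceAccounts processed successfully
2024-03-01T02:00:50 Windows Service - BackupSvc - restart: Success
"""

EVENT = re.compile(r"^(Windows Service|Scheduled Task) - (.+) - (password update|restart): (.+)$")
RESTART_WINDOW = timedelta(seconds=60)  # restart is expected within 60 seconds

def review_rotation(log_text):
    """Return findings for one rotation run; an empty list means a clean run."""
    updated, restarted, findings = {}, {}, []
    received = processed = False
    for line in log_text.splitlines():
        stamp, _, message = line.strip().partition(" ")
        if not message:
            continue
        when = datetime.fromisoformat(stamp)
        if message == "Received UpdateServiceAccounts command":
            received = True
        elif message == "UpdateServiceAccounts processed successfully":
            processed = True
        elif (m := EVENT.match(message)):
            kind, name, action, result = m.groups()
            if result != "Success":  # any other result text is treated as a failure
                findings.append(f"{kind} {name}: {action} reported {result}")
            elif action == "password update" and kind == "Windows Service":
                updated[name] = when
            elif action == "restart":
                restarted[name] = when
    if received and not processed:
        findings.append("UpdateServiceAccounts received but never processed")
    for name, when in updated.items():
        restart = restarted.get(name)
        if restart is None:
            findings.append(f"Windows Service {name}: no restart logged (Restart toggle off?)")
        elif restart - when > RESTART_WINDOW:
            findings.append(f"Windows Service {name}: restart later than 60 seconds")
    return findings

if __name__ == "__main__":
    print("\n".join(review_rotation(SAMPLE)))
```

A service that was updated but never restarted is reported rather than treated as an error, since the restart only happens when the Restart toggle is set to On.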
Next Steps:
- Scheduled Password Rotation Retry - https://support.getquickpass.com/hc/en-us/articles/9907473165975-Password-Rotation-Retry