Introduction
This article explains how Scheduled Password Rotation is handled for an AD Workstation or Workstation role system that is offline at the scheduled rotation time.
Concept
- An AD Workstation or Workstation Agent is offline at the scheduled time of rotation.
- Because the Agent is offline, the rotation of the accounts that have been imported into the Administrator Accounts section of the Quickpass Dashboard for that Customer does not occur.
- This could create a situation where the password rotation never happens (e.g., a workstation that is at home with an End User and powered off at 3 AM, when the scheduled rotations are set to execute).
- CyberQP has implemented a "Password Rotation Delay" mechanism to avoid this situation for accounts that are scheduled for rotation.
Implementation
MSP Partners do not need to do anything to have this implemented. As of May 24th, 2024, this has been turned on for all accounts that have been imported to the Dashboard as Administrator accounts for AD Workstation and Workstation roles.
How the Scheduled Password Rotation Delay Works
- When an Account is imported and selected for rotation on the Administrator Account screen, an attempt to rotate the password on the account will be run within the 1-hour time frame set on the Rotation Settings link.
- If the Agent on the system is offline during that 1-hour window, a record of that failure to rotate is set in the backend. A rotation of the Local Administrator accounts is NOT attempted.
- When the Agent comes back online, at the point of startup of the Agent, the backend will be alerted and the scheduled rotation (following the rules for Password type) will be executed.
- CyberQP will prevent the re-attempt of a password rotation if the re-attempt is within ½ hour of the next scheduled rotation.
Administrator Accounts
- The Agent will start (the Service on the system is set to Delayed start) and will check in with the CyberQP infrastructure.
- The system will begin the rotation shortly after the Quickpass Agent service is started.
- The Password will be updated in whichever Password Storage Solution is in use (ITGlue, Hudu, or CQPTV).
- If the device has missed multiple rotations (e.g., it has been offline for a number of days), only a single rotation will be done. Multiple rotations do not queue up.
- This will occur for Local Administrator Accounts ONLY.
- Due to the nature of a Service account rotation, these will only complete if the Agent is online at the time of the scheduled rotation. We don't want a service to restart in the middle of an employee's day.
NOTE: The Daily Rotation Alerts email will no longer show AD Workstation or Workstation role Administrator accounts that have been "skipped/delayed". If an AD Workstation or Workstation role system's Administrator account IS shown on the Daily report, this means that the "Delayed/Skipped" account failed to rotate WHEN the Agent came back online.
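The delay rules above can be modeled as two decision points, shown here as an added example that is not CyberQP's code. The function names, account-kind labels, sample dates, and the choice to treat exactly 30 minutes as "within ½ hour" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the article: no re-attempt within 1/2 hour of the next scheduled rotation.
REATTEMPT_CUTOFF = timedelta(minutes=30)

@dataclass
class Account:
    name: str
    kind: str        # "local_admin" or "service" (labels assumed for this model)
    missed: int = 0  # scheduled windows missed while the agent was offline

def on_scheduled_window(acct: Account, agent_online: bool) -> str:
    """Decision at the scheduled 1-hour rotation window."""
    if agent_online:
        acct.missed = 0
        return "rotate"
    if acct.kind == "local_admin":
        acct.missed += 1          # record the failure; no rotation is attempted
        return "record_missed"
    return "skip"                 # service accounts rotate only when online on schedule

def on_agent_checkin(acct: Account, now: datetime, next_scheduled: datetime) -> str:
    """Decision when the agent service starts and checks in."""
    if acct.kind != "local_admin" or acct.missed == 0:
        return "none"
    if next_scheduled - now <= REATTEMPT_CUTOFF:
        return "defer_to_schedule"  # too close to the next window; let it run
    acct.missed = 0                 # several misses collapse into one rotation
    return "rotate_once"

def simulate() -> list:
    """Constructed scenario: a laptop that is off for three 3 AM windows."""
    admin = Account("LocalAdmin", "local_admin")
    svc = Account("svc-backup", "service")
    log = [on_scheduled_window(admin, False) for _ in range(3)]
    log.append(on_scheduled_window(svc, False))
    # Powered on at 02:45, fifteen minutes before the next window: deferred.
    log.append(on_agent_checkin(admin, datetime(2024, 6, 3, 2, 45), datetime(2024, 6, 3, 3, 0)))
    # Powered on at 09:00 with the next window 18 hours away: one catch-up rotation.
    log.append(on_agent_checkin(admin, datetime(2024, 6, 3, 9, 0), datetime(2024, 6, 4, 3, 0)))
    log.append(on_agent_checkin(svc, datetime(2024, 6, 3, 9, 0), datetime(2024, 6, 4, 3, 0)))
    return log

if __name__ == "__main__":
    print(simulate())
```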