Password Manager Pro | Password Management Solution

Windows Service Account Password Reset

(Feature available only in Premium Edition)

Typically, specific windows domain accounts are used as service accounts in services running in Windows servers, that need network access. While resetting the passwords of the domain accounts managed in PMP, it is essential that the passwords of the associated service accounts also be changed. In certain cases, you will require to restart the services for the service account password reset to take effect. The windows service account password reset feature of PMP helps achieve this precisely, fully automated.

How does windows service account reset work?

For every Windows domain account for which the service account reset is enabled, PMP will find out the services which use that particular domain account as service account, and automatically reset the service account password if this domain password is changed.

How to setup Windows Service Account Password Reset?

Prerequisite: Before enabling windows service account reset, ensure if the following services are enabled in the servers where the dependent services are running:

(1) Windows RPC service should have been enabled

(2) Windows Management Instrumentation (WMI) service should have been enabled

Work flow Summary: Setting up Windows Service Account Password & Scheduled Task Password Reset

Consider that

You have a Service Account SA1
You have four servers Win1, Win2, Win3 & Win4 that make use of SA1
Your domain name is MyDomain and the SA1 is present in this domain
Your domain administrator account is DomainAdmin

For enabling Windows Service Account Reset, you need to do the following:

Create Windows resources for each of the servers that use service accounts. In the above example, you need to create Win1, Win2, Win3 & Win4 as four separate resources (with resource type 'Windows'). (In the case of service accounts spread across multiple domains, PMP uses the local administrator account to login. So, if you wish to have service account password reset for multiple domains, ensure that you have entered local administrator account while creating the resource).
Create a resource group consisting of these resources - say RG1
Create a Windows Domain resource. In the above example, it will be MyDomain with resource type Windows Domain
Inside the domain account, add the individual domain account. In the above example, add SA1 as domain account
Specify the Resource Group (the group that contains the resources that use the domain account as the service account) that are associated with the domain account. In the above example, associate SA1 with RG1
Specify the domain administrator account. In this example, it is DomainAdmin. This is required for resetting the service account

Now, when the domain account password is reset

It is modified immediately in the domain
PMP iterates through the associated resource group and for each resource find the list of services and scheduled tasks which use this domain account as their service account
PMP uses the domain administrator credentials to login to the servers and forcefully modify the service account password and schedules task passwords too and restart the services.

Windows service account reset can be configured right at the stage of resource addition or afterwards by editing the resource. Both the scenarios have been explained below:

While adding the resource

Step 1: Providing Resource Details

Go to "Resources" tab in the web interface and click the "Add Resource" link
In the UI that opens, enter the name of the resource in the text field against "Resource Name". The resource name is the one that uniquely identifies the resource in the PMP database. This field is mandatory
Enter the DNS Name/IP Address of the resource against "DNS Name/IP Address". The DNS name or the IP address is used during password changes made to the resource. This field is optional. However, if you want to enable remote password synchronization, this is mandatory
Select "Windows Domain" from the drop-down against field "Resource Type"
If the resource belongs to an already existing resource group, select that group name. If you want to create a new group, click "Add New"
Provide a description for the resource addition. This will be helpful for reference at a future point of time.
Enter the domain name of which the resource is part of. This step is very important and mandatory for Windows service account reset. If it is is not filled-in, PMP will not be able to find out the service accounts associated with the domain account
Fill-in details such as "Department" and "Location" of the resource (if applicable)
Select the required 'Password Policy' - Strong, Medium or Low

Step 2: Providing Domain Account Details - (Domain Account whose associated service accounts are to be reset)

The second step is to add the domain accounts whose associated Windows service accounts are to be reset when the password of the domain account is modified.

In the text field for "User Account", enter the name of the domain account. This field is mandatory
In the text field for "Password", enter the password of the account. This field is mandatory. If you have set a 'Password Policy' during the previous step, you need to enter your password only in accordance with the specified policy. For example, if you have set 'Strong' as the policy, the password entered here should comply to that. If you do not want to enforce the policy here, change the setting through "General Settings"
Confirm the password
Enter description about the account being added in the "Notes" column. This would help in properly identifying a particular account in future
Select the checkbox "Configure password reset for associated service accounts"
As mentioned above, the service account reset happens on the basis of the 'Resource Groups'. All the available resource groups are shown in the table in the GUI. Select the required resource groups from the list. For every Windows system present in the selected groups, PMP will find out the services which use this domain account as service account, and automatically reset the service account password if this domain password is changed.
You have the option, to restart the service after the service account password reset. If you need this option, select the checkbox "Restart services after service account reset"
If you want to add more accounts, repeat the above procedure
The account added until now are listed in the table below
If you require remote password synchronization, click "Next";
Otherwise, click "Finish" to complete the resource addition process

Important Note

In certain cases, there would be requirements for stopping and starting the services during domain account reset. In such cases, through "General Settings" you can configure PMP to wait for a specified time period (in seconds) between stopping and starting the services. By default, PMP waits for 60 seconds. You may configure it in accordance with your needs.

Enabling Windows Service Account Reset for the already added resources

For the already added resources of resource type "Windows Domain", you can enable Windows service account reset by editing the resource and the respective domain account.

To enable service account reset for the already added resources,

Go to "Resources" tab click the name of the resource
Click the edit icon present against the resource and provide the 'Domain Name' and click "Save"
Select the domain account of the resource for which you wish to enable service account reset
As mentioned above, the service account reset happens on the basis of the 'Resource Groups'. All the available resource groups are shown in the table in the GUI. Select the required resource groups from the list. For every Windows system present in the selected groups, PMP will find out the services which use this domain account as service account, and automatically reset the service account password if this domain password is changed
You have the option, to restart the service after the service account password reset. If you need this option, select the checkbox "Restart services"
Click "Save"

Viewing Service Account Status

For any windows domain account (for which you have enabled Windows service account reset), you can view the list of associated service accounts, scheduled tasks and information on whether the service accounts and scheduled tasks were reset upon the corresponding domain account reset.

To view this information,

Go to "Resources" tab click the name of the resource
Select the domain account of the resource for which you wish to know the status of service account reset
Click "Service Account Status"

Important Note:

(1) Whenever the password of the domain account is changed, the windows service account associated with it will also be changed. In case, you have created schedules for rotating domain accounts, the service account reset will also follow the schedule.

(2) Once you create Windows Service Account Reset, the passwords of the Windows scheduled tasks associated with the service accounts will also be reset.