Windows Service Account Password Reset
Windows Service Accounts, used by system programs to run application software services or processes, often possess higher or even excessive privileges than normal user accounts. These are indeed very powerful accounts that run critical business processes and services. Many third-party services or scheduled tasks or processes might make use of the same service account, resulting in a complex interconnection.
Typically, specific windows domain accounts are used as service accounts in services running in Windows servers, that need network access. PAM360 has the ability to identify the service accounts associated with a particular domain account. While resetting the password of a domain account managed in PAM360, it will find out the services which use that particular domain account as service account. It will automatically reset the service account password when the domain password is changed.
In certain cases, you will require to restart the services for the service account password reset to take effect. The windows service account password reset feature of PAM360 helps achieve this precisely, fully automated.
How does windows service account reset work?
For every Windows domain account for which the service account reset is enabled, PAM360 will find out the services which use that particular domain account as service account, and automatically reset the service account password if this domain password is changed.
How to setup Windows Service Account Password Reset?
The following are mandatory:
(1) Microsoft .Net framework 4.5.2 or above must be installed.
(2) Microsoft Visual C++ 2015 redistributable must be installed.Before enabling windows service account reset, ensure if the following services are enabled in the servers where the dependent services are running:
(1) Windows RPC service should have been enabled
(2) Windows Management Instrumentation (WMI) service should have been enabled
Work flow Summary: Setting up Windows Service Account Password & Scheduled Task Password Reset
- You have a Service Account SA1
- You have four servers Win1, Win2, Win3 & Win4 that make use of SA1
- Your domain name is MyDomain and the SA1 is present in this domain
- Your domain administrator account is DomainAdmin
For enabling Windows Service Account Reset, you need to do the following:
- Create Windows resources for each of the servers that use service accounts. In the above example, you need to create Win1, Win2, Win3 & Win4 as four separate resources (with resource type 'Windows'). (In the case of service accounts spread across multiple domains, PAM360 uses the local administrator account to login. So, if you wish to have service account password reset for multiple domains, ensure that you have entered local administrator account while creating the resource).
- Create a resource group consisting of these resources - say RG1
- Create a Windows Domain resource. In the above example, it will be MyDomain with resource type Windows Domain
- Inside the domain account, add the individual domain account. In the above example, add SA1 as domain account
- Specify the Resource Group (the group that contains the resources that use the domain account as the service account) that are associated with the domain account. In the above example, associate SA1 with RG1
- Specify the domain administrator account. In this example, it is DomainAdmin. This is required for resetting the service account
Note: The above steps are automated, and PAM360 will fetch the service accounts associated with the services in the domain members (from v8300 and above) during the privileged accounts discovery process.
Now, when the domain account password is reset
- It is modified immediately in the domain
- PAM360 iterates through the associated resource group and for each resource find the list of services and scheduled tasks which use this domain account as their service account.
- PAM360 uses the domain administrator credentials to log in to the servers and forcefully modify the service account password and scheduled task passwords too and restart the services.
Steps to configure Windows Service Account Password Reset
- Add the Domain controller as 'Windows Domain' resource type. Make sure that you specify the DNS name and Domain name.
- Add the domain administrator account to this 'Windows Domain' resource.
- Add the service account which is used as logon account to this 'Windows Domain' resource.
- Add each machine in which services are running as individual resource with resource type 'Windows'.
- Create a resource group which contains all these windows machines. For example: Service Account group.
- Click the "Resource Actions" icon against WindowsDomain resource and select "Configure Remote Password Reset" from the drop down.
- In the pop-up form that appears, select the Domain Admin account as the 'Administrator Account'.
- Click "Save".
- Click on the WindowsDomain resource name. In the UI that opens, click the "Account Actions" icon against the service account and then select "Edit Account" from the drop down.
- In the pop-up form that appears, associate resource groups for this service account by moving desired groups to the other box on the right side.
- Also, check 'Restart' options if you would like PAM360 to restart the windows service account immediately after their passwords are updated.
- Check the checkbox for service account which you added in the 'Windows Domain' resource and click on the service account tab-> select Supported service accounts tab. Services which uses this service account as log on account will be listed. When you reset the password, it will be reset in the service running in the remote machine as well.
Note: In certain cases, there would be requirements for stopping and starting the services during domain account reset. In such cases, through "General Settings" you can configure PAM360 to wait for a specified time period (in seconds) between stopping and starting the services.
To configure this,
- Navigate to Admin >> Settings >> General Settinngs.
- In the UI that opens, select "Password Reset" from the options on the left hand side.
- Click the checkbox "Wait for a specified time period (in seconds) between stopping and starting the services".
- By default, PAM360 waits for 60 seconds. You may configure it in accordance with your needs.
- Click "Save".
Viewing Service Account Status
For any windows domain account (for which you have enabled Windows service account reset), you can view the list of associated service accounts, scheduled tasks and information on whether the service accounts and scheduled tasks were reset upon the corresponding domain account reset.
To view this information,
- Go to "Resources" tab and click the name of the resource.
- In the UI that opens, select the domain account of the resource for which you wish to know the status of service account reset and click "Service Account" button at the top of the list of acounts.
- In the dialog box that opens, switch to "Service Account Status" tab.
(1) Whenever the password of the domain account is changed, the windows service account associated with it will also be changed. In case, you have created schedules for rotating domain accounts, the service account reset will also follow the schedule.
(2) Once you create Windows Service Account Reset, the passwords of the Windows scheduled tasks associated with the service accounts will also be reset.