Add Windows Components to Password Safe

Password Safe can manage Active Directory and LDAP directories and directory accounts, Windows service accounts, scheduled task accounts, and IIS application pool accounts.

Add a Directory 

  1. From the left menu, select Managed Systems.
  2. Click Create New Managed System.
  3. From the Type list, select Directory.
  4. From the Platform list, select Active Directory or LDAP.
  5. Configure the settings for the directory, and then click Create Managed System.

For more information on adding managed systems manually, please see Add a Managed System Manually.

Add Directory Accounts

You can add directory accounts manually, or you can discover Active Directory accounts with a Smart Rule that runs a directory query and manages the results as a Smart Group.

Add Directory Accounts Manually

  1. On the Managed Systems page, select the managed system for the directory, and then click the vertical ellipsis button for the managed system.

Filter the list of managed systems in the grid by selecting Directory Managed Systems from the Smart Group filter to quickly find your managed system.

  2. Select Create Managed Account.
  3. Configure the managed account settings as necessary, and then click Create Account.

When configuring the managed account settings for an Active Directory account, you can choose the domain controller used to change or test the password. A domain controller set on the managed account overrides the domain controller configured on the selected functional account.

For more information on adding managed accounts manually, please see Add a Managed System Manually.

Discover Active Directory Accounts with an Active Directory Query

  1. From the left menu, click Smart Rules.
  2. From the Smart Rule type filter list, select Managed Account.
  3. Click Create Smart Rule.

Screenshot showing filters and actions for a Managed Account Smart Rule for an Active Directory Query

  4. Select Managed Accounts from the Category list.
  5. Provide a name and description for the Smart Rule.
  6. Set the following Selection Criteria:
    • Directory Query > Include accounts from Directory Query.
    • Select the query from the list, or create the query in real time.
    • Ensure the Discover accounts for Password Safe Management option is enabled.

Account Options for Smart Rule to Enable accounts for AD & LDAP Queries

  7. Set the following Actions:
    • Show Managed Account as Smart Group.
    • Manage Account Settings: Configure these settings as necessary, ensuring that the following options are selected from the Account Options dropdown:
      • Change Password after Release
      • Check Password
      • Enable accounts for AD/LDAP queries

By default, the Smart Rule automatically manages the directory account passwords, which means the password of every account returned by the query will be changed. If you do not want this, set Enable Automatic Password Management to No.

  8. Click Create Smart Rule.
  9. To view the Active Directory accounts, go to the Managed Accounts page, and then select the newly created Smart Group from the Smart Group filter list.

Link Active Directory Accounts to Managed System

You can link Active Directory accounts to managed systems on a specified domain.

  1. From the left menu, click Managed Systems.

Screenshot of the View Advanced Details for a Managed System menu item.

  2. Select the managed system, and then click the vertical ellipsis button for the managed system.
  3. Select Go to advanced details.

Screenshot of Link Active Directory Accounts to Managed System

  4. Under Advanced Details, select Linked Accounts.
  5. Filter the list by Not Linked.
  6. Select the accounts, and then click Link Accounts.

Create an Active Directory Functional Account

When creating an Active Directory managed account, the functional account requires a domain controller. Administrators can choose a targeted domain controller from the menu, or select Any Domain Controller, which allows Active Directory to choose.

If a failure occurs when connecting to a target domain controller, Password Safe connects at the domain level.

Add Windows Service, Task Scheduler, and IIS Application Pool Accounts to Password Safe Management

Password Safe allows you to manage the credentials that are used for services, scheduled tasks, and IIS application pools in Windows. Accounts that are used to run services, scheduled tasks, and IIS application pools can be added as managed accounts in Password Safe. When their passwords are changed by Password Safe, the credentials are updated in any services, scheduled tasks, and IIS application pools that are associated with the managed account, if these options are enabled under Account Settings on the managed account.

Managed Account Smart Rule > Actions > Manage Account Settings

These options are also available when creating a managed account Smart Rule by selecting Manage Account Settings under Actions, and then checking the applicable Account Options.

Available Account Options are:

Managed Account Smart Rule Account Options

  • Change Password for Windows Service
  • Change Password for Windows Task
  • Change Password for Windows IIS Application Pool
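
Before you enable these options it is worth knowing exactly which services, scheduled tasks and application pools on a host run as the account, because every one of them is updated (and, where running, restarted) on the next rotation. The following PowerShell script is an added example and is not part of the BeyondTrust documentation or product; it inventories those consumers on the local host. The account name in the usage line ('CORP\svc_app') and the rule that maps 'user@domain' to 'DOMAIN\user' by taking the first DNS label are assumptions.

```powershell
# Added example, not from the BeyondTrust documentation: inventory every Windows
# service, scheduled task and IIS application pool on this host that runs under
# one account, so you know exactly what Password Safe will touch (and restart)
# when it rotates that account's password. Run in an elevated session on the
# target host. The account 'CORP\svc_app' in the usage line is an assumption.
param(
    [Parameter(Mandatory)]
    [string]$Account    # 'DOMAIN\user', '.\localuser' or 'user@domain.tld'
)

# Normalise the identity forms Windows stores so they compare equal:
#   '.\user'            -> 'HOSTNAME\user'
#   'user@corp.example' -> 'CORP\user'  (assumes NetBIOS name = first DNS label)
function ConvertTo-CanonicalAccount([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    $n = $Name.Trim()
    if ($n.StartsWith('.\')) {
        $n = "$env:COMPUTERNAME\" + $n.Substring(2)
    } elseif ($n -match '^(?<user>[^@\\]+)@(?<dom>[^@]+)$') {
        $n = $Matches.dom.Split('.')[0] + '\' + $Matches.user
    }
    return $n.ToLowerInvariant()
}

$target   = ConvertTo-CanonicalAccount $Account
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Services: Win32_Service.StartName is the "Log On As" identity
foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    if ((ConvertTo-CanonicalAccount $s.StartName) -eq $target) {
        $findings.Add([pscustomobject]@{
            Type = 'Service'; Name = $s.Name; State = $s.State; Identity = $s.StartName
        })
    }
}

# 2. Scheduled tasks: Principal.UserId is the "Run As" account
foreach ($t in Get-ScheduledTask) {
    if ((ConvertTo-CanonicalAccount $t.Principal.UserId) -eq $target) {
        $findings.Add([pscustomobject]@{
            Type = 'ScheduledTask'; Name = $t.TaskPath + $t.TaskName; State = $t.State; Identity = $t.Principal.UserId
        })
    }
}

# 3. IIS application pools (only when IIS and the WebAdministration module exist);
#    only pools whose identityType is SpecificUser carry a password to rotate
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($p in Get-ChildItem -Path 'IIS:\AppPools') {
        if ($p.processModel.identityType -eq 'SpecificUser' -and
            (ConvertTo-CanonicalAccount $p.processModel.userName) -eq $target) {
            $findings.Add([pscustomobject]@{
                Type = 'IISAppPool'; Name = $p.Name; State = $p.State; Identity = $p.processModel.userName
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No services, scheduled tasks or IIS application pools run as $Account on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Type, Name | Format-Table -AutoSize
}

# Usage (assumed account name):  .\Find-AccountConsumers.ps1 -Account 'CORP\svc_app'
```

Compare the output with what the Detailed Discovery Scan collected under Scan Data for the asset; a consumer that appears here but not in the scan data will not be updated by Password Safe and will break on the next rotation.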

Manage Windows Service Accounts

When a service is under Password Safe management, the following occurs when the managed account password changes:

  • A service that is running restarts when the password is changed.
  • A service that is stopped is not restarted when the password is changed.
  • Dependent services may or may not restart based on the state of the primary service.

Before adding a service account to Password Safe management, be sure to:

  • Start the remote registry service on the target.
  • Start the UPnP (Universal Plug and Play) Device Host service on the target.
  • Start the SSDP (Simple Service Discovery Protocol) Discovery service on the target.
  • Verify machines are in the domain, if applicable.
  • Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add a service account to Password Safe management.

  1. On the asset where the service resides, open the Windows Services snap-in and stop the service if it is running.
  2. Right-click the service, and then select Properties.
  3. Select the Log On tab and enter the local or Active Directory account and its current credentials. If required, retrieve the password using the Password Safe administrator credentials.
  4. Restart the service to verify that it starts successfully.
  5. In the BeyondInsight console, click Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects the service data for the targets.
  6. Add the discovered assets to Password Safe management.
  7. Verify the following:
    • From the Assets page:
      • Select the asset, and then click the vertical ellipsis button for the asset.
      • Select Go to advanced details.
      • Under Scan Data, click Services.
      • Confirm the services have been collected, their Status is Running, and the Log On As account name is correct.
    • From the Managed Systems page:
      • Select the managed system, and then click the vertical ellipsis button for the system.
      • Select Edit Managed System.
      • Verify that NetBIOS Name is entered. It must be a fully qualified domain name (FQDN) if a domain account is used.
  8. From the Managed Accounts page:
    • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
    • Select Edit Account.
    • Scroll down and expand Account Settings.
    • Ensure the Change Services and Restart Services options are enabled.
    • Click Update Account.
  9. From the Managed Accounts page:
    • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the result of the test is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the result of the change attempt is displayed at the bottom of the page.
  10. Restart the service to verify the password change. The change succeeded if the service starts under the new password; if it does not, go through all the steps in this section to troubleshoot.

Manage Windows Scheduled Task Accounts

When a scheduled task is under Password Safe management, the following occurs when the managed account password changes:

  • A scheduled task that is running stops when the password is changed.
  • A scheduled task that is stopped will run again at its next scheduled interval time.

Before adding a scheduled task account to Password Safe management, be sure to:

  • Start the Task Scheduler service on the target.
  • Start the UPnP (Universal Plug and Play) Device Host service on the target.
  • Start the SSDP (Simple Service Discovery Protocol) Discovery service on the target.
  • Verify machines are in the domain, if applicable.
  • Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add scheduled task accounts to Password Safe management.

  1. On the asset where the scheduled task resides, open the Task Scheduler snap-in and end the task if it is running.
  2. Right-click the scheduled task, and then select Properties.
  3. On the General tab, click Change User, and enter the local or Active Directory account and its current credentials. If required, retrieve the password using the Password Safe administrator login.
  4. Run the task to verify that it runs successfully.
  5. In the BeyondInsight console, click Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects the scheduled task data for the targets.
  6. Add the discovered assets to Password Safe management.
  7. Verify the following:
    • From the Assets page:
      • Select the asset, and then click the vertical ellipsis button for the asset.
      • Select Go to advanced details.
      • Under Scan Data, click Scheduled Tasks.
      • Confirm the scheduled tasks were collected.
      • Click the i button for each scheduled task and verify the Run As account name is correct.
    • From the Managed Systems page:
      • Select the managed system, and then click the vertical ellipsis button for the system.
      • Select Edit Managed System.
      • Verify that NetBIOS Name is entered. It must be a fully qualified domain name (FQDN) if a domain account is used.
  8. From the Managed Accounts page:
    • Select the managed account associated with the scheduled task, and then click the vertical ellipsis button for the managed account.
    • Select Edit Account.
    • Scroll down and expand Account Settings.
    • Ensure the Change Tasks option is enabled.
    • Click Update Account.
  9. From the Managed Accounts page:
    • Select the managed account associated with the scheduled task, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the result of the test is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the result of the change attempt is displayed at the bottom of the page.
  10. Run the scheduled task to verify the password change. The change succeeded if the scheduled task starts under the new password; if it does not, go through all the steps in this section to troubleshoot.

Manage Windows IIS Application Pool Accounts

When an IIS application pool account is under Password Safe management, the following occurs when the managed account password changes:

  • An IIS application pool that is running restarts when the password is changed.
  • An IIS application pool that is stopped is not started when the password is changed.

Before adding an IIS application pool account to Password Safe management, be sure to:

  • Start the IIS Admin Service on the target.
  • Start the UPnP (Universal Plug and Play) Device Host service on the target.
  • Start the SSDP (Simple Service Discovery Protocol) Discovery service on the target.
  • Verify machines are in the domain, if applicable.
  • Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.
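
The three "Before adding ..." lists above (for service, scheduled task and IIS application pool accounts) share most of their prerequisites, so it is convenient to check them with one script. The following PowerShell pre-flight check is an added example and is not part of the BeyondTrust documentation or product. It uses the Windows short names of the services named in the lists (RemoteRegistry, Schedule, IISADMIN, upnphost, SSDPSRV) and reads domain membership from Win32_ComputerSystem to tell you which kind of functional account must manage the asset and which FQDN belongs in the NetBIOS Name field.

```powershell
# Added example, not from the BeyondTrust documentation: pre-flight check for the
# prerequisites listed above before onboarding a host's service, scheduled task or
# IIS application pool accounts. Run elevated on the target host, or remotely with
# Invoke-Command. Short service names: RemoteRegistry (Remote Registry),
# Schedule (Task Scheduler), IISADMIN (IIS Admin Service), upnphost (UPnP Device
# Host), SSDPSRV (SSDP Discovery).
param(
    [switch]$Fix    # start any required service that is stopped and set it to Automatic
)

$required = @(
    @{ Name = 'RemoteRegistry'; For = 'service accounts' }
    @{ Name = 'Schedule';       For = 'scheduled task accounts' }
    @{ Name = 'IISADMIN';       For = 'IIS application pool accounts'; OptionalIfAbsent = $true }
    @{ Name = 'upnphost';       For = 'all three account types' }
    @{ Name = 'SSDPSRV';        For = 'all three account types' }
)

$ok = $true
foreach ($r in $required) {
    $svc = Get-Service -Name $r.Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # IISADMIN only exists when IIS is installed; its absence is fine on a non-web host
        if ($r.OptionalIfAbsent) {
            Write-Host "[skip] $($r.Name) not installed (only needed for $($r.For))"
            continue
        }
        Write-Warning "[FAIL] $($r.Name) is not installed (needed for $($r.For))"
        $ok = $false
        continue
    }
    if ($svc.Status -eq 'Running') {
        Write-Host "[ok]   $($r.Name) is running"
    } elseif ($Fix) {
        Set-Service -Name $r.Name -StartupType Automatic
        Start-Service -Name $r.Name
        Write-Host "[fix]  started $($r.Name) and set it to Automatic"
    } else {
        Write-Warning "[FAIL] $($r.Name) is $($svc.Status) (needed for $($r.For)); rerun with -Fix to start it"
        $ok = $false
    }
}

# Domain membership decides which functional account type must manage this asset and
# what goes in the managed system's NetBIOS Name field (the FQDN when a domain account is used)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $fqdn = "$($cs.DNSHostName).$($cs.Domain)"
    Write-Host "[info] Domain-joined ($($cs.Domain)): manage with a domain administrator functional account; set NetBIOS Name on the managed system to $fqdn"
} else {
    Write-Host "[info] Workgroup host ($($cs.Domain)): manage with a local administrator functional account"
}

if (-not $ok) {
    Write-Error 'Prerequisite check failed; fix the items above before onboarding accounts.'
    exit 1
}
Write-Host 'All prerequisites satisfied.'
```

Two caveats from a hardening standpoint: Remote Registry gives any principal with the right ACLs remote access to the registry, and SSDP Discovery and UPnP Device Host open network listeners (SSDP uses UDP 1900), so restrict reachability of these services with the host firewall to the Password Safe scanner and resource brokers rather than leaving them open to the whole network.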

Complete the following procedures to prepare and add IIS application pool accounts to Password Safe management.

  1. In the BeyondInsight console, click Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data for the IIS application pools for the targets.
  2. Add the discovered assets to Password Safe management.
  3. Verify the following:
    • From the Assets page:
      • Select the asset, and then click the vertical ellipsis button for the asset.
      • Select Go to advanced details.
      • Under Scan Data, click Application Pools.
      • Confirm the IIS application pools have been collected, and that their Identity account name is correct.
    • From the Managed Systems page:
      • Select the managed system, and then click the vertical ellipsis button for the system.
      • Select Edit Managed System.
      • Verify that NetBIOS Name is entered. It must be a fully qualified domain name (FQDN) if a domain account is used.
  4. From the Managed Accounts page:
    • Select the managed account associated with the IIS application pool, and then click the vertical ellipsis button for the managed account.
    • Select Edit Account.
    • Scroll down and expand Account Settings.
    • Ensure the Change IIS Application Pool option is enabled.
    • Click Update Account.
  5. From the Managed Accounts page:
    • Select the managed account associated with the IIS application pool, and then click the vertical ellipsis button for the managed account.
    • Select Test Password. A slide-out status message with the result of the test is displayed at the bottom of the page.
    • Click the vertical ellipsis button for the managed account again.
    • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
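
The last step in each of the three procedures above is the same: after Test Password and Change Password succeed, prove on the target that the service, task or application pool actually runs under the new credential. The following PowerShell script is an added example and is not part of the BeyondTrust documentation or product; it restarts the consumers you name, records their resulting state, and pulls the Service Control Manager logon-failure events (IDs 7000 and 7038) that appear when a service is still holding the old password. The service, task and pool names it accepts are assumptions; pass only those that exist on your host.

```powershell
# Added example, not from the BeyondTrust documentation: after Password Safe reports a
# successful Change Password, confirm on the target host that each consumer of the
# account comes back under the new credential, and surface the logon-failure events
# you would look at when it does not. Names are assumptions; pass only what exists.
param(
    [string]$ServiceName,    # e.g. 'CorpAppSvc'
    [string]$TaskName,       # full path, e.g. '\Corp\NightlyExport'
    [string]$AppPoolName     # e.g. 'CorpApi'
)
$started = Get-Date
$result  = [ordered]@{}

# Service: Password Safe restarts a running service but leaves a stopped one stopped,
# so (re)start it explicitly here. Dependent services are recorded because they may
# or may not have been restarted along with the primary.
if ($ServiceName) {
    $svc        = Get-Service -Name $ServiceName -ErrorAction Stop
    $dependents = $svc.DependentServices | Select-Object -ExpandProperty Name
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    $result['Service'] = (Get-Service -Name $ServiceName).Status
    foreach ($d in $dependents) {
        $result["Dependent:$d"] = (Get-Service -Name $d).Status
    }
}

# Scheduled task: run it on demand, wait for it to finish, then read LastTaskResult
# (0 = success, 0x41301 = still running; anything else is the task's own exit code)
if ($TaskName) {
    $path = $TaskName -replace '[^\\]+$', ''    # '\Corp\NightlyExport' -> '\Corp\'
    $leaf = $TaskName.Split('\')[-1]
    Start-ScheduledTask -TaskPath $path -TaskName $leaf -ErrorAction Stop
    $deadline = (Get-Date).AddSeconds(120)
    do {
        Start-Sleep -Seconds 2
        $t = Get-ScheduledTask -TaskPath $path -TaskName $leaf
    } while ($t.State -eq 'Running' -and (Get-Date) -lt $deadline)
    $info = Get-ScheduledTaskInfo -TaskPath $path -TaskName $leaf
    $result['Task'] = 'LastRunTime={0}  LastTaskResult=0x{1:X}' -f $info.LastRunTime, $info.LastTaskResult
}

# IIS application pool: Password Safe restarts a running pool but does not start a
# stopped one; recycle it and confirm it reports Started
if ($AppPoolName) {
    Import-Module WebAdministration -ErrorAction Stop
    Restart-WebAppPool -Name $AppPoolName
    $result['AppPool'] = (Get-WebAppPoolState -Name $AppPoolName).Value
}

# Triage: the Service Control Manager logs 7000 (failed to start) and 7038 (unable to
# log on with the currently configured password) when a service still holds the old
# credential. Only events raised since this script started are considered.
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7038; StartTime = $started
} -ErrorAction SilentlyContinue
$result['ServiceLogonFailures'] = @($failures).Count
foreach ($e in $failures) { Write-Warning $e.Message }

[pscustomobject]$result

# Usage (assumed names):
#   .\Confirm-RotatedAccount.ps1 -ServiceName CorpAppSvc -TaskName '\Corp\NightlyExport' -AppPoolName CorpApi
```

A non-zero ServiceLogonFailures count, a task whose LastTaskResult is not 0, or a pool that is not Started means the consumer was not updated; check that it was present in the Scan Data for the asset and that the matching Change Services/Change Tasks/Change IIS Application Pool option is enabled on the managed account before rotating again.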