<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Thycotic Community - Secret Server - Remote password changing further details requested - Messages</title>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=286</link>
<description>Thycotic Community - Secret Server - Remote password changing further details requested - Messages</description>
<language>en-us</language>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Jitbit AspNetForum</generator>
<pubDate>Thu, 15 Jul 2010 11:31:55 GMT</pubDate>
<lastBuildDate>Thu, 15 Jul 2010 11:31:55 GMT</lastBuildDate>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=286</link>
<title>Message from hao</title>
<description><![CDATA[In addition, you do not have to turn off AD Password expiring, but you should set up your RPC scheduler such that the password-changing interval is shorter than your AD password age requirement. In other words, if your AD expires a password after 30 days, your RPC should work at a 30-day or shorter interval.]]></description>
<pubDate>Thu, 15 Jul 2010 11:31:55 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=286</link>
<title>Message from hao</title>
<description><![CDATA[Hi Adam,<br/><br/>A top-level overview can be found in this Knowledge Base Article:<br/>http://support.thycotic.com/KB/a92/what-is-remote-password-changing-for-service-accounts.aspx?KBSearchID=4997<br/><br/>The Dependency Finder will ask you for an Active Directory credential that will be used to find all computers on the domain in order to create a list of computers to search. This search is done through an LDAP query, so your web server will need access through the LDAP ports to the Domain Controller. In addition, you can enter the specific computer names that you would like to search to limit the search result and bypass the LDAP query. Once Dependency Finder has the list of target computers to search, it uses Windows Management Instrumentation (WMI) to query the target machine for a list of Windows Services that are started with the Identity matching the credentials as defined in the Secret. The WMI query requires the WMI ports be open. See this KB Article for adding a Firewall exception (http://support.thycotic.com/KB/a48/enabling-wmi-for-use-with-dependency-finder.aspx?KBSearchID=4997). For each machine, the services are returned so they can be added as dependencies. Once the list of services is compiled, the user must select a Secret with Privilege Account that has permission to change the Identity and restart the service on that machine.
After the dependencies are set up and the Secret is enabled for RPC, the remote password changer will change and restart the dependencies at the same time that the password of the account stored in the Secret is changed (such as for an Active Directory Secret storing a Service Account credential in your question).<br/><br/>Best Regards,<br/>Hao]]></description>
<pubDate>Thu, 15 Jul 2010 11:23:02 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=286</link>
<title>Message from Adam D</title>
<description><![CDATA[Also, should you have AD password expiring turned off and just use Secret Server password expiring timer?]]></description>
<pubDate>Wed, 14 Jul 2010 15:39:18 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=286</link>
<title>Message from Adam D</title>
<description><![CDATA[Hi, we are about to implement the remote password changing feature of SS and would like some advanced documentation if you have it.<br/><br/>I still have some confusion on how it works; the user guide doesn't go into too much detail.<br/><br/>Some of our questions are: <br/><br/>What happens behind the scenes?<br/>Does the password reset the AD password and then all dependencies like a service account on a remote computer?<br/>What are the necessary ports that need to be opened for this to work?<br/>Any other information that may be helpful would be great.<br/><br/>Thank you,<br/>Adam]]></description>
<pubDate>Wed, 14 Jul 2010 15:38:04 GMT</pubDate>
</item>
</channel>
</rss>
