Best practice to configure windows service accounts in Safeguard SPP

Dears,

Best practice to configure windows service accounts in Safeguard SPP

I have domain account and want to manage through safeguard, daily password change will be ok.

Also suggest if we put in different partition as we don't want to mix with user account password change policy

your help is appreciated.

  • Hi Prashant,

    Please refer to the following link from the Admin guide for details about (Configuring account dependencies on an asset): 

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/6.13.1/administration-guide/46#TOPIC-1777865

    Thanks!

  • Hello Tawfiq,

    I hope you're well.

    I have followed the guide by adding the managed Windows service account (Domain Account) to the "Account Dependencies" tab related to the managed asset (Windows Server).

    I have also ensured that both the asset and the account are contained in the same profile. Additionally, I have allowed WMI for the managed account as per the instructions in the following article: https://support.oneidentity.com/one-identity-safeguard-for-privileged-passwords/kb/4267456/update-dependent-systems-supported-platforms

    Despite these steps, I am still unable to automatically update the the service that depends on the managed account for login with the new password.

    Could you please assist with this issue?

  • Hi Mahmoud,

    Please check the following:

    In SPP, do the following:

    1. Do a Check Password of the Managed AD Account (that is assigned to the Windows Service Log On tab) to make sure that SPP has the correct Password.

    2. Do a Test connection on the Target Windows Server which will be used where the Windows Service is running using the above Managed AD Account. A successful test is needed here to make sure SPP can communicate with the asset.

    3. Verify that the Managed AD Account is assigned to the Account Dependencies tab under the target Windows Asset 

    4. Verify if the Password Profile assigned to the Asset > Management tab has the following options enabled in the Change Password profile > Expand the Windows Only drop down:

    Enable > Update service on password change (Windows only)

    Enable > Restart service on password change (Windows only)

    5. Verify that the Target Windows Server > Services.msc > Check the service that is using the Managed AD Account is running (if the service is stopped then SPP does not start it automatically, it will only be restarted if the service is already running but SPP will update the password anyways in both service states whether stopped or started) - also make sure the managed account is resolved in the format username@domain.com 

    6. Change the password if the Managed AD Account 

    7. Review the Reports > Activity Center > Refresh few times to check for the events such as: Password Change succeeded or failed and Account Dependency Update Succeeded or failed which may help point you in the right direction if any failures.

    Thanks!

  • Thanks Tawfiq,

    It works!

    However, I've noticed that the service does not start automatically and stops with every refresh. This may be related to service dependencies.

    At least, the service Log on account password updated successfully.