Setting System‑specific Advanced Options
In the Systems > Advanced tab, you can select system-specific options for password security and maintenance and also view the zone status of a system.
The following sections provide information on configuring options in the Systems > Advanced tab:
- "Account Reconciliation"
- "Domain Settings"
- "Removing local accounts upon session termination - Windows only"
- "Allowing multiple password checkouts for this system"
- "Enabling periodic password rotation"
- "Enable password rotation after checkin"
- "Specifying the minimum password age (days)"
- "Specifying the password complexity profile"
- "Enabling periodic SSH key rotation"
- "Setting the minimum SSH Key Age (days)"
- "Specifying the SSH Key Generation Algorithm"
- "Enabling periodic password history cleanup"
- "Enabling periodic SSH key cleanup"
- "Enabling client automatic updates"
To configure system-specific advanced settings:
- In the Admin Portal, click Resources, then click Systems to display the list of computers and network devices.
- Select a system to display system-specific details.
- Click Advanced.
- Select settings for any or all of the password security and maintenance options.
- Click Save.
For more information about how to set the system-specific options, click the information icon in the Admin Portal.
Account Reconciliation
Account reconciliation allows you to reset out-of-sync managed local Windows or Unix account passwords stored in Privileged Access Service. Account reconciliation for both Windows and Unix systems can be configured using either a local administrative account or through the Delinea Client for Windows or the Delinea Client for Linux.
To configure account reconciliation, you must enroll your system. If you do not have an enrolled agent, you will see a banner above the Account Reconciliation settings and must proceed to Domain Settings (below) to enable account reconciliation options. For information on enrolling your system, see "Enrolling and managing computers with Delinea Clients."
As part of the configuration process, you need to enable the following settings:
- Local Account Automatic Maintenance
Allows users with the proper permissions to reset out-of-sync local account passwords stored in Privileged Access Service.
For domain-joined Windows systems with account reconciliation configured using a domain administrative account, make sure the corresponding local account setting is also enabled in Domains > Advanced > Administrative Account Settings > Enable Automatic Account Maintenance (see "Enable automatic account maintenance using the administrative account").
- Local Account Manual Unlock (Windows systems only)
Allows users with the proper permissions to unlock local accounts stored in Privileged Access Service.
For domain-joined Windows systems with account reconciliation configured using a domain administrative account, make sure the corresponding local account setting is also enabled in Domains > Advanced > Administrative Account Settings > Enable Manual Account Unlock (see "Enable manual account unlock using the administrative account").
To enable these operations, make sure you have:
- Windows and Unix: Edit permission for the system.
- Windows via Delinea Connector: Grant and View permission for the domain.
- Windows via Delinea Connector: An administrative account for the domain with the View permission (see "Set domain administrative accounts").
(Windows systems using non-client-based Account Reconciliation only) You can use the Verify Configuration button to check that local account password reconciliation is properly configured. Make sure the domain administrator account has the View permission in order to verify the configuration. If the settings are configured correctly, "Verification completed successfully." is displayed. If the settings are not configured correctly, an error message is displayed. Update your configuration and try Verify Configuration again.
Configuration procedures differ for the various methods. For detailed information on configuring account password reconciliation for Windows and Unix systems, see:
- "Configuring Windows local account reconciliation"
- "Configuring UNIX local account reconciliation"
Local Administrator Account (required for non-client-based UNIX configurations)
Configuring the Local Administrator Account field is only required if you are configuring account reconciliation on UNIX systems that do not use the Delinea Client for Linux (in other words, this field applies to system configurations that use the Delinea Connector).
If you did not specify a local administrative account when you initially added the Unix system to the Privileged Access Service (see "Adding Systems with the Wizard"), you can set a local administrative account under Account Reconciliation on the Systems > Advanced page. You need to configure a local administrator account before you can enable local account automatic maintenance. For more information, see "Configuring UNIX local account reconciliation."
You can specify an administrative account to perform account management tasks and reset out of sync managed local account passwords stored in Privileged Access Service. For additional information, see "Specifying a local administrative account."
Domain Settings
Under Domain Settings on the Systems > Advanced page, you can view the domain and the domain administrative account if it is configured. Setting these fields is required for Zone Role Workflow (also see "Enabling zone role workflow").
For Windows systems: The domain and domain administrative account fields are populated only if the system is domain joined and a domain administrative account is set for the domain; if it is not set these fields are empty. These fields are required for local account password reconciliation (LAPR) configured on Windows systems via the Delinea Connector and for Zone Role Workflow. If the system is already joined to a domain, the domain name is displayed in the text box. You must first add the appropriate domains to the Privileged Access Service in order to join the Windows system to a domain. For information on adding domains to the Privileged Access Service, see "Adding a domain."
To select a domain for a system:
- In the Admin Portal, click Resources, then click Systems to display the list of computers and network devices.
- Select a system to display system-specific details.
- Click Advanced and then click Set next to the Domain text box to select the relevant domain.
- Start typing the domain name into the search box. The service lists the domains for which you have View permission.
- Select the domain you want to use.
- Click Select and then click Save.
If the domain has a domain administrative account already configured, it is displayed in the Domain Administrative text box. If the domain selected for the system does not have a domain administrative account configured, see "Set domain administrative accounts."
Removing Local Accounts upon Session Termination (Windows only)
When a user logs in to a system by way of client-based login, the service creates a local Windows account to facilitate that login. You can choose to completely remove that local account when the user's session terminates. For more information about this account, see "Enabling client-based login."
Select No if you do not want to completely erase the local account. Keeping this account intact preserves any changes that the user made during their session, such as configurations or settings, and also the user's home directory.
Select Yes if you want to completely erase the local account that gets created when users log in to a system by way of client-based login (Agent Auth). Erasing this account removes the home directory and any personal configurations or settings, so nothing the user left behind persists on the system after the session ends.
Allowing Multiple Password Checkouts for Systems
Select No if only one administrator is allowed to check out the password for a selected system at any given time. If you select No, the administrator must check the password in and have a new password generated before another administrator can access the system with the updated password.
Select Yes if you want to allow multiple users to have the account password checked out at the same time for a selected system. If you select Yes, multiple administrators can access the system without waiting for the password to be checked in.
Enabling Periodic Password Rotation
Select Yes if you want to rotate managed passwords automatically at the interval you specify. Select No if you want to prevent password rotation for the selected system.
If you select Yes, you should also specify the password rotation interval in days. Type the maximum number of days to allow between automated password changes for managed accounts. You can set this policy to comply with your organization's password expiration policies. For example, your organization might require passwords to be changed every 90 days. You can use this policy to automatically update managed passwords at a maximum of every 90 days. If the policy is not defined (--), passwords are rotated according to the setting in the Settings > Resources > Security Settings tab.
Enabling Password Rotation after Check in
Select Yes to rotate the managed password each time it is checked in, so that a password an administrator has seen is retired as soon as the checkout ends. Select No to leave the password unchanged at check-in and rely on the periodic rotation schedule instead.
Specifying the minimum password age (days)
Specify the minimum number of days that a managed password must have been in use before it can be rotated.
Specifying the Password Complexity Profile
Select an existing password generation profile or add a new profile for the selected system. If you don’t select or add a profile, the default password generation profile for the system type is used. For more information about adding and editing password complexity profiles, see "Configuring password profiles."
Enabling Periodic SSH Key Rotation
Select Yes to allow periodic SSH key rotation. Select No to not allow periodic SSH key rotation. Select "--" to use the default setting from the Security Settings in the Settings tab.
Setting the Minimum SSH Key Age
Specify the minimum number of days an SSH key must have been in use before it can be rotated.
Specifying the SSH Key Generation Algorithm
Specifies the algorithm to use when generating SSH keys during manual or automatic SSH key rotation.
Enabling Periodic Password History Cleanup
Select Yes to automatically delete retired passwords from the password history after a given number of days. Select No to prevent the Privileged Access Service from automatically deleting retired passwords from the password history at a set interval.
If you select Yes, you can also specify the maximum number of days of password history to keep. For example, if you have a requirement to keep a record of passwords used for three years, you might set the cleanup interval to 1096 days to maintain the password history for that period of time. If you select the default setting, retired passwords are automatically deleted after 365 days. You cannot set a cleanup interval less than 90 days.
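The password rotation, minimum password age, rotation-after-check-in and password history cleanup options above interact, and the "--" choice on several of them inherits the tenant-wide value from Settings > Resources > Security Settings. The following is an added example, written for this page and not Delinea product code, that models how those settings compose so you can reason about what a given combination will do before saving it. Everything it encodes is taken from the text (inheritance of "--", the rotation interval as a maximum age, the minimum age gate, the 365-day cleanup default and the 90-day floor) except one labelled assumption: that minimum password age also blocks a rotation triggered by check-in. The class and function names, and the sample dates, are constructed for the example.

```python
"""Model of how the per-system password options compose.

Added example, not Delinea product code. INHERIT stands for the "--" choice
in the portal and falls back to the tenant-wide Security Settings value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

INHERIT = None  # the "--" choice in the portal


@dataclass
class GlobalSecuritySettings:
    """Tenant-wide defaults (Settings > Resources > Security Settings)."""
    rotation_enabled: bool = True
    rotation_interval_days: int = 90
    history_cleanup_enabled: bool = True
    history_retention_days: int = 365  # default stated on the page


@dataclass
class SystemAdvancedSettings:
    """Per-system overrides (Systems > Advanced); None means "--"."""
    rotation_enabled: Optional[bool] = INHERIT
    rotation_interval_days: Optional[int] = INHERIT
    rotate_after_checkin: bool = False
    min_password_age_days: int = 0
    history_cleanup_enabled: Optional[bool] = INHERIT
    history_retention_days: Optional[int] = INHERIT


def effective(system_value, global_value):
    """Resolve a per-system value, falling back to the global one for "--"."""
    return global_value if system_value is INHERIT else system_value


def validate_history_retention(days: int) -> int:
    """The portal rejects cleanup intervals shorter than 90 days."""
    if days < 90:
        raise ValueError(f"history retention must be >= 90 days, got {days}")
    return days


def should_rotate(system: SystemAdvancedSettings, tenant: GlobalSecuritySettings,
                  last_rotated: str, today: str, checkin_event: bool = False) -> bool:
    """Decide whether a managed password is due for rotation on `today` (ISO dates)."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_rotated)).days
    # Minimum age is checked before every trigger. Assumption: the page only says
    # the password "must have been in use" this long before it can be rotated;
    # we apply that to check-in-triggered rotation as well as scheduled rotation.
    if age < system.min_password_age_days:
        return False
    if checkin_event and system.rotate_after_checkin:
        return True
    if not effective(system.rotation_enabled, tenant.rotation_enabled):
        return False
    interval = effective(system.rotation_interval_days, tenant.rotation_interval_days)
    return age >= interval  # the interval is the maximum days between changes


def history_cutoff(system: SystemAdvancedSettings, tenant: GlobalSecuritySettings,
                   today: str) -> Optional[str]:
    """ISO date before which retired passwords are purged, or None if cleanup is off."""
    if not effective(system.history_cleanup_enabled, tenant.history_cleanup_enabled):
        return None
    days = validate_history_retention(
        effective(system.history_retention_days, tenant.history_retention_days))
    return (date.fromisoformat(today) - timedelta(days=days)).isoformat()


def prune_history(retired_on: List[str], cutoff: Optional[str]) -> List[str]:
    """Return the retirement dates that survive cleanup (all of them if cutoff is None)."""
    if cutoff is None:
        return list(retired_on)
    return [d for d in retired_on if d >= cutoff]  # ISO dates compare lexically


if __name__ == "__main__":
    tenant = GlobalSecuritySettings()
    # Constructed example: 30-day interval, 1-day minimum age, rotate after
    # check-in on, three-year (1096-day) history retention.
    system = SystemAdvancedSettings(rotation_interval_days=30, min_password_age_days=1,
                                    rotate_after_checkin=True, history_retention_days=1096)
    print(should_rotate(system, tenant, "2024-04-01", "2024-06-01"))
    print(should_rotate(system, tenant, "2024-06-01", "2024-06-01", checkin_event=True))
    print(history_cutoff(system, tenant, "2024-06-01"))
```

The check-in case is the one worth noting: with a non-zero minimum password age, a checkout and check-in on the same day does not rotate the password under this model, so an administrator who has just seen it still holds a valid credential until the minimum age elapses. If that is not acceptable, set the minimum age to 0 on systems where rotation after check-in is enabled.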
Enabling Periodic SSH Key Cleanup
Select Yes to allow periodic SSH key cleanup. Select No to not allow periodic SSH key cleanup. Select "--" to use the default setting from the Security Settings in the Settings tab.
Enabling Client Automatic Updates
Select Yes to specify that the service automatically updates the Delinea Client software on enrolled systems to the latest client version. After you select Yes, you can also specify a time of day to begin the automatic update. After the service updates the client, the system's Activity page displays information about the client version and the automatic update.