Setting Domain-specific Advanced Options

Setting Options

You can set advanced security and maintenance settings for individual domains or domain sets. You can also set security and maintenance options globally to apply to all domains except where you have explicitly defined a domain-specific setting. If you use a combination of global and domain-specific settings, the domain-specific settings take precedence over the global settings.

If you are not using global security settings or want to override global settings on specific domains, you can set the following advanced security and maintenance options on a case-by-case basis:

  • "Set domain administrative accounts"
  • "Enable automatic account maintenance using the administrative account"
  • "Enable manual account unlock using the administrative account"
  • "Allow multiple password checkouts"
  • "Enable periodic password rotation"
  • "Enable password rotation after checkin"
  • "Minimum password age"
  • "Password complexity profile"
  • "Enable periodic password history cleanup"

In addition, the Privileged Access Service periodically updates the “joined zone” status of systems in the domain. You can view and change the update interval for all systems in the domain using the following Domain/Zone Tasks:

  • "Enable periodic domain/zone joined check"
  • "Enable periodic removal of expired zone role assignments"

To set domain-specific advanced options:

  1. In the Admin Portal, click Resources, then click Domains to display the list of domains.
  2. Select the domain to display the domain-specific details.
  3. Click Advanced.
  4. Select settings for any or all of the advanced domain options.
  5. Click Save.

For more information about how to set the domain-specific options, click the information icon in the Admin Portal.

Allowing Multiple Password Checkouts

Select No for Allow multiple password checkouts per AD account added for this domain if only one administrator is allowed to check out the password for a selected domain at any given time. If you select No, the administrator must check the password in and have a new password generated before another administrator can access the domain computers with a domain account and the updated password.

Select Yes if you want to allow multiple users to have the account password checked out at the same time for a selected domain. If you select Yes, multiple administrators can access the domain with a domain account without waiting for the password to be checked in.

Enabling Periodic Password History Cleanup

Select Yes to automatically delete retired passwords from the password history after a given number of days. Select No to prevent the Privileged Access Service from automatically deleting retired passwords from the password history at a set interval.

If you select Yes, you can also specify the maximum number of days of password history to keep. For example, if you have a requirement to keep a record of passwords used for three years, you might set the cleanup interval to 1096 days to maintain the password history for that period of time. If you select the default setting, retired passwords are automatically deleted after 365 days. You cannot set a cleanup interval less than 90 days.

Enabling Periodic Password Rotation

Select Yes if you want to rotate managed passwords automatically at the interval you specify. Select No if you want to prevent password rotation for the selected system.

If you select Yes, you should also specify the password rotation interval in days. Type the maximum number of days to allow between automated password changes for managed accounts. You can set this policy to comply with your organization's password expiration policies. For example, your organization might require passwords to be changed every 90 days. You can use this policy to automatically update managed passwords at a maximum of every 90 days. If the policy is not defined, passwords are not rotated.

Enabling Password Rotation After Check-in

After you check out a managed password for a domain computer, you can specify whether the managed password is rotated after it is checked in.

Select Yes to allow password rotation after password check-in. Select No to not allow password rotation after check-in. Select -- to use the default setting from the Security Settings in the Settings tab.

Minimum Password Age

Specify the minimum number of days that a managed password must have been in use before it can be rotated.

Password Complexity Profile

Select an existing password generation profile or add a new profile for the selected domain. If you don’t select or add a profile, the default password generation profile for the domain is used. For more information about adding and editing password complexity profiles, see "Configuring password profiles."

Enabling Periodic Domain or Zone Joined Check

Select to periodically update the zone joined status of systems in the domain. If you do not enable this option, the Privileged Access Service does not automatically update the zone joined status of systems in the domain at a set interval.

If you enable the periodic domain/zone joined check, you also specify the frequency in minutes for the status refresh. If you do not specify an interval, the default interval is 60 minutes.

Enabling Periodic Removal of Expired Zone Role Assignments

Select to set an interval at which expired zone role assignments are automatically removed from Active Directory. Do not select if you want to prevent expired zone role assignments from being automatically removed from Active Directory.

If you select to enable the removal of expired zone role assignments, you also specify the interval for the removal frequency in days. If you do not specify a value, the default interval is 6 days.
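The following is an added example, not Privileged Access Service product code, that models the behaviour this page describes: domain-specific settings override global ones (with the "--" choice deferring to the global value), the documented defaults (365-day history cleanup with a 90-day floor, 60-minute joined check, 6-day expired role removal, no rotation when the interval is undefined), and the checkout and rotation decisions those settings drive. The option names, the `INHERIT` marker and the rule that the minimum password age gates check-in rotation as well as periodic rotation are assumptions made for the example.

```python
# Added example (not Centrify/Delinea product code): a small model of how the
# domain-specific advanced options on this page override global settings, the
# defaults and bounds the page states, and the checkout/rotation decisions
# those settings drive. Option names are invented for the example.

INHERIT = object()   # models the "--" choice: defer to the global setting

# Global settings using the defaults the page describes. A value of None for
# an interval means the option is disabled ("No" / policy not defined).
GLOBAL_SETTINGS = {
    "allow_multiple_checkouts": False,
    "periodic_rotation_days": None,     # not defined: passwords are not rotated
    "rotate_after_checkin": False,
    "minimum_password_age_days": 0,
    "history_cleanup_days": 365,        # default cleanup interval
    "zone_joined_check_minutes": 60,    # default refresh interval
    "expired_role_removal_days": 6,     # default removal interval
}


def check_settings(settings: dict) -> list:
    """Return the constraint violations the page documents (empty list if none)."""
    problems = []
    cleanup = settings["history_cleanup_days"]
    if cleanup is not None and cleanup < 90:
        problems.append("history_cleanup_days must be at least 90")
    for key in ("periodic_rotation_days", "minimum_password_age_days",
                "zone_joined_check_minutes", "expired_role_removal_days"):
        value = settings[key]
        if value is not None and value < 0:
            problems.append(f"{key} must not be negative")
    return problems


def effective_settings(global_settings: dict, domain_settings: dict) -> dict:
    """Domain-specific values win; INHERIT (the "--" choice) keeps the global value."""
    effective = dict(global_settings)
    for key, value in domain_settings.items():
        if key not in effective:
            raise KeyError(f"unknown option: {key}")
        if value is not INHERIT:
            effective[key] = value
    problems = check_settings(effective)
    if problems:
        raise ValueError("; ".join(problems))
    return effective


def can_check_out(settings: dict, active_checkouts: int) -> bool:
    """Single-checkout domains block a second checkout until the password is
    checked in and regenerated; multi-checkout domains never block."""
    return settings["allow_multiple_checkouts"] or active_checkouts == 0


def rotation_due(settings: dict, days_in_use: int, on_checkin: bool = False) -> bool:
    """Decide whether a managed password should be rotated now.
    Assumption for this model: the minimum password age gates every rotation,
    whether triggered by check-in or by the periodic interval."""
    if days_in_use < settings["minimum_password_age_days"]:
        return False
    if on_checkin and settings["rotate_after_checkin"]:
        return True
    interval = settings["periodic_rotation_days"]
    if interval is None:
        return False          # policy not defined: no periodic rotation
    return days_in_use >= interval


if __name__ == "__main__":
    # Constructed domain override: keep three years of history, rotate every
    # 90 days, inherit the global rotate-after-check-in choice.
    domain = {"history_cleanup_days": 1096, "periodic_rotation_days": 90,
              "rotate_after_checkin": INHERIT, "minimum_password_age_days": 1}
    eff = effective_settings(GLOBAL_SETTINGS, domain)
    print(eff)
    print("second checkout allowed:", can_check_out(eff, active_checkouts=1))
    print("rotate after 0 days on check-in:", rotation_due(eff, 0, on_checkin=True))
    print("rotate after 90 days:", rotation_due(eff, 90))
```

Running the block with the constructed override shows the domain's cleanup interval replacing the 365-day global default while the inherited settings stay at their global values; a second checkout is refused because the domain keeps the single-checkout default, and the first rotation becomes due once the 90-day interval elapses.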