Setting Domain-specific Policies
Setting Policies
You can set the following domain policy for individual domains or domain sets:
"Checkout lifetime (minutes)"
To set domain-specific policies:
- In the Admin Portal > Resources > Domains to display the list of domains.
- Select the domain to display the domain-specific details.
- Click Policy.
- Select settings for any or all of the domain policies.
- Click Save.
For more information about how to set the domain policies, click the policy link or the information icon in the Admin Portal.
Checkout Lifetime
Type the maximum number of minutes administrators are allowed to have a password checked out. After the number of minutes specified, the Privileged Access Service automatically checks the password back in. The minimum checkout lifetime is 15 minutes. If the policy is not defined, the default checkout lifetime is 60 minutes.
You can extend the checkout time for a password as long as you do so before the initial checkout period expires. For example, if the maximum checkout lifetime is 60 minutes and you extend the checkout time before the 60 minute period is over, the password expiration is reset to the 60 minute checkout lifetime. For more information about configuring the Checkout lifetime policy, see "Extending the password checkout time."
Enabling Manual Account Unlock
On the Admin Portal > Domains > Advanced page, you can configure Privileged Access Service to manually unlock account passwords for domain accounts and local accounts on domain-joined Windows systems using the domain administrative account. This requires users to have the Unlock Account permission set at the domain level. Under Enable Manual Account Unlock you can enable the following:
-
Domain Accounts
Enables users with the proper permissions to use the domain administrative account to manually unlock managed domain account passwords stored in Privileged Access Service.
-
Local Accounts
Enables users with the proper permissions to use the domain administrative account to manually unlock passwords for managed local accounts on domain-joined Windows systems stored in Privileged Access Service. For information on setting up local system account password reconciliation, see Configuring Windows Local Account Reconciliation. Make sure the corresponding local account setting is also enabled in Systems> Advanced > Local Account Manual Unlock see Setting System‑specific Advanced Options.
Before enabling this policy you need to:
-
Set up an administrative account for the domain.
For information on configuring an administrative account for a domain, see Setting Domain Admin Accounts.
-
Configure the domain user to have the Unlock Account permission.
For information on configuring the Unlock Account permission, see Setting Global Account Permissions.
-
Make sure the domain user account is a managed account.
For information on setting up a domain account with a managed password, see Adding Active Directory Domain Accounts.
If an account that is set as the Privileged Access Service administrative account for the domain is locked, that account cannot be unlocked. An administrative account cannot unlock itself. For instance, if maria.garcia@cpubs.net is locked, the administrative account assigned to cpubs.net is used to unlock the account. However, if maria.garcia@cpubs.net is set to be the administrative account, the account cannot be unlocked.
Enabling Automatic Account Maintenance
On the Domains > Advanced page, you can configure Privileged Access Service to perform automatic account maintenance for domain and local accounts. Under Enable Automatic Account Maintenance you can enable the following:
-
Domain Accounts
Enables Privileged Access Service to manage passwords for managed domain user accounts. Privileged Access Service detects an out-of-sync password for a managed domain user account during password rotation, login, and checkout. Also, when this policy is enabled and the administrative account is configured, a managed domain user account can be added without a password configured; Privileged Access Service automatically resets the password associated with the domain user account.
-
Local Accounts
Enables Privileged Access Service to manage passwords for local system accounts on domain-joined Windows systems. Using the domain administrative account, users with the proper permissions can reset out-of-sync account passwords stored in Privileged Access Service. Privileged Access Service detects an out-of-sync password for a managed local system account during password rotation, login, and checkout. Also, when this policy is enabled and the administrative account is configured, a managed local system account can be added without a password configured; Privileged Access Service automatically resets the password associated with the local system account. For information on setting up local system account password reconciliation, see "Configuring Windows local account reconciliation."
Make sure to enable the corresponding policy in Resources > Systems > Advanced see Setting System‑specific Advanced Options.
Before enabling this policy you need to:
-
Set up an administrative account for the domain.
For information on configuring an administrative account for a domain, see Setting Domain Admin Accounts.
-
Make sure the domain user account is a managed account.
For information on setting up a domain account with a managed password, see Adding Active Directory Domain Accounts.
Resetting out-of-sync passwords and unlocking managed accounts does not change the domain account privileges or access to data.