Understanding Unhealthy Account Statuses
There may be many reasons a password might fail to update on machines stored in Delinea Privileged Access Service. Below is an SQL query that you run on PAS to produce a report with systems and accounts that are failing password rotation.
To run the report
- Navigate to the Delinea PAS > Reports > New Report.
- Build a new report using the editor.
- Paste the SQL query, AccountsNotRotating.sql, into the editor.
- Save and Run the report.
- From the Actions in the report results, export the report. The report can be saved as an Excel or CSV file.
Interpreting the report results
The status of a machine and its accounts is determined by opening the report in Microsoft Excel and reviewing the report column headers in row one. The columns that are considered are:
- SystemHealthStatus (C)
- AccountHealthError (I)
- PasswordResetRetryCount (K)
- PasswordResetLastError (L)
- SystemManagementMode (Q)
- SystemComputerClass (P)
- AccountNeedsPasswordReset (J)
| Report columns and values | Result status | Follow up actions |
|---|---|---|
| SystemHealthStatus is Unreachable. | System Unreachable | If the system is no longer in service, consider deleting it. Check if the machine is "pingable." Verify DNS is correctly resolving the name as it appears in the "DNS Name/IP Address" of the system in PAS. |
| SystemHealthStatus is OK. AccountHealthError is BadCredentials. PasswordResetLastError is 'System error'. | Password Needs Updating | The password is not being rotated because the current password is unknown. Reset the password on the target machine. Update the password in PAS. Manually rotate the password. The password should rotate automatically going forward. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount > 0. SystemManagementMode is RpcOverTcp. PasswordResetLastError is HostNotFound. | RPC Dynamic Ports Blocked | The machine has an open port that permits the account to be validated OK, but does not have the RPC dynamic ports open, which are needed to rotate the password. The RPC dynamic ports are 49152 - 65535. Adjust the firewall to open the dynamic RPC ports. Manually rotate the password. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount > 0. PasswordResetLastError is 'User has no SAM remote access rights'. | SAM Remote Access Restriction | On newer versions of Windows, access to the Windows authentication database is restricted and prevents password rotation. Update the local security policy of the target machine: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Restrict clients allowed to make remote calls to SAM. Add the account name to the policy. Manually rotate the password. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount > 0. SystemComputerClass is Unix. AccountNeedsPasswordReset is RetryLimitExceeded. | Unix System Offline for Too Long | The machine has been offline for a long time, but the system and accounts are OK. Manually rotate the password. The password should rotate automatically going forward. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount = 0. | Needs More Investigation - No Attempt to Rotate Password | This machine needs more investigation. Manually rotate the password. If the password does not rotate, gather the tenant logs, collector logs, time stamp, and account information for further analysis. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount > 0. SystemManagementMode is Smb. PasswordResetLastError is HostNotFound. | Needs More Investigation - SMB | This machine needs more investigation. Manually rotate the password. If the password does not rotate, gather the tenant logs, collector logs, time stamp, and account information for further analysis. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount > 0. SystemManagementMode is Smb. PasswordResetLastError is AccountRestrictionsPreventSignin. | Needs More Investigation - AccountRestrictionsPreventSignin | There is some restriction on the target machine preventing password rotation. Investigate any password restrictions on the target machine. Gather the tenant logs, collector logs, time stamp, and account information for further analysis. |
| SystemHealthStatus is OK. AccountHealthError is BadCredentials. PasswordResetLastError is HostNotFound. | Password Needs Updating and RPC Dynamic Ports Blocked | This machine's account needs both a password update and unblocking of the RPC dynamic ports. Adjust the firewall to open the dynamic RPC ports (49152 - 65535). Reset the password on the target machine. Update the password in Delinea PAS. Manually rotate the password. |
| SystemHealthStatus is OK. AccountHealthError is OK. PasswordResetRetryCount > 0. PasswordResetLastError is 'Password policy is violated'. | Password Policy | The system has a password policy that is more restrictive than the passwords generated by Delinea PAS. Check the password policy for local accounts. |
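
The table above can be applied to the exported CSV row by row instead of by eye in Excel. The following Python is an added example, not Delinea's code: it assumes the export uses the column names listed above as CSV headers and the value spellings shown in the table. The System column, the Windows class value and the sample rows are constructed for illustration.

```python
import csv

OK = {"SystemHealthStatus": "OK", "AccountHealthError": "OK"}
BAD = {"SystemHealthStatus": "OK", "AccountHealthError": "BadCredentials"}

# (required values, retry test, status); retry test: None = ignore, False = count is 0, True = count > 0.
RULES = [
    ({"SystemHealthStatus": "Unreachable"}, None, "System Unreachable"),
    ({**BAD, "PasswordResetLastError": "System error"}, None, "Password Needs Updating"),
    ({**BAD, "PasswordResetLastError": "HostNotFound"}, None,
     "Password Needs Updating and RPC Dynamic Ports Blocked"),
    (OK, False, "Needs More Investigation - No Attempt to Rotate Password"),
    ({**OK, "SystemManagementMode": "RpcOverTcp", "PasswordResetLastError": "HostNotFound"},
     True, "RPC Dynamic Ports Blocked"),
    ({**OK, "PasswordResetLastError": "User has no SAM remote access rights"},
     True, "SAM Remote Access Restriction"),
    ({**OK, "SystemComputerClass": "Unix", "AccountNeedsPasswordReset": "RetryLimitExceeded"},
     True, "Unix System Offline for Too Long"),
    ({**OK, "SystemManagementMode": "Smb", "PasswordResetLastError": "HostNotFound"},
     True, "Needs More Investigation - SMB"),
    ({**OK, "SystemManagementMode": "Smb",
      "PasswordResetLastError": "AccountRestrictionsPreventSignin"},
     True, "Needs More Investigation - AccountRestrictionsPreventSignin"),
    ({**OK, "PasswordResetLastError": "Password policy is violated"}, True, "Password Policy"),
]

def classify(row):
    """Return the table's result status for one report row (dict of column -> value); first match wins."""
    raw = (row.get("PasswordResetRetryCount") or "").strip()
    retries = int(raw) if raw.isdigit() else None  # a missing count matches no retry-dependent rule
    for required, retried, status in RULES:
        if retried is not None and (retries is None or (retries > 0) != retried):
            continue
        if all((row.get(col) or "").strip() == val for col, val in required.items()):
            return status
    return "Unclassified"  # combination not covered by the table; review by hand

def classify_report(csv_text):
    return {r["System"]: classify(r) for r in csv.DictReader(csv_text.splitlines())}

# Constructed sample export; 'System' is a hypothetical label column, real exports carry more columns.
SAMPLE_CSV = """System,SystemHealthStatus,AccountHealthError,AccountNeedsPasswordReset,PasswordResetRetryCount,PasswordResetLastError,SystemComputerClass,SystemManagementMode
web01,Unreachable,,,0,,Windows,Smb
db02,OK,OK,,3,HostNotFound,Windows,RpcOverTcp
app03,OK,BadCredentials,,2,HostNotFound,Windows,RpcOverTcp
nix04,OK,OK,RetryLimitExceeded,5,,Unix,
"""

if __name__ == "__main__":
    print(classify_report(SAMPLE_CSV))
```

Rows that come back as Unclassified carry a column combination the table does not describe and still need manual review.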