Privileged Account Credentials and Associated Secrets

By default, the Remote Password Changer (RPC) uses the credentials stored within a secret to initiate a password change. For Windows and Active Directory accounts, you can opt to use a privileged account by selecting the Privileged Account Credentials option. This allows you to choose an Active Directory secret that has the necessary permissions to change the account's password.

For secret templates that use a custom command password type, you can assign multiple Associated Secrets for use within the custom commands. When a secret is linked with Privileged Account Credentials or Associated Secrets, editing the username, host, domain, or machine is restricted for users who do not have access to those linked secrets. In the RPC tab, users without access will see the message "This Secret references another Secret for Remote Password Changing to which you do not have access. You will not be able to edit some fields on this Secret". Additionally, on the Edit page, all text-entry fields mapped for RPC, except for the password, are disabled. This added layer of security prevents unauthorized users from altering the username and resetting another account's password.

To appear in searches, privileged accounts must have RPC enabled in their originating template or the Active Directory secret.

If you attempt to use a secret that has checkout enabled as a Privileged Account on another secret, that second secret's password change will fail with an error indicating that the associated secret has checkout enabled.