Active Directory Service Account

Hi, what would be the best practice for the number of AD service accounts to be used? In Safeguard, there are 2 parts which would require an AD service account: onboarding an Active Directory Asset and configuring AD in Identity and Authentication. With that said, should we create 1 service account and use it for both cases?

For instance, if we were to use 1 service account across both configurations, when Safeguard rotates the service account password on the AD Asset side, would it affect the user login side? Or would Safeguard be aware of the password change, since it is being managed by Safeguard and used in the Identity & Authentication section?

Also, quoting from the Administrator's guide: "When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request." Based on this line, can we assume that when we configure Identity & Authentication with an AD service account, it will automatically be added to the AD Asset's account list?

  • You can use one service account for all purposes, as long as it has been granted the necessary permissions to perform all of its duties. 

    Regarding your question about resetting the password:

    In the Directory Asset configuration, it provides the option to select either a Directory Account (that is being managed by SPP) or to manually enter a username and password. If you select the Directory Account option, it will use the current password for the managed account that is stored in SPP, so you do not need to update it. 

    However, unfortunately, the Identity & Authentication configuration doesn't appear to have the choice of a Directory Account. It only has the option to enter a username and password. So I believe you would need to update the credentials in the Identity and Authentication section manually.
