Best practice to configure daily password change profile for accounts manage by Active Directory

Hi Prashant,

SPP will perform an initial password change on accounts that are managed after being discovered when the password change profile is scheduled to run and not set to never.

Please see the following KB for more details:

https://support.oneidentity.com/kb/326481/when-using-account-discovery-is-the-password-of-the-account-changed-on-import

If the password change fails then it uses a back off algorithm to retry the password change again as per the following KB:

https://support.oneidentity.com/one-identity-safeguard-for-privileged-passwords/kb/259973/how-does-safeguard-handle-failures-for-scheduled-platform-tasks

Thanks!

Dear Tawfiq,

thanks 

I am using check password and change password at 1 AM and 2 PM respectively.

Check Password setting

Enable- Change password on mismatch

Change password setting

Enable : Manage Password 

rest are disabled 

Issue happening with active sessions requests.

Now the issue is safeguard is continuously checking the check password which is counting as windows login attempt and getting account locked

Please let me know if we really need check password

the other option could see under change password is change the password if release is active.

i would prefer if we achieve daily password change working even check password set to never, as our goal is to change the password.  

Hi Prashant,

Check password is optional and not required to actually perform a change password schedule.

You can have Check Password set to never and have Change password perform the change on a specific interval based on a schedule.

Please let me know if any other questions.

Thanks!

Dear Tawfiq,

Thanks

Please confirm to enable option change password even release is active has any impact during session access

Thinking to enable this so that password changes failed re run stop. as this is keep trying and might cause login failed attempt. 

Dear Tawfiq,

Thanks

Please confirm to enable option change password even release is active has any impact during session access

Thinking to enable this so that password changes failed re run stop. as this is keep trying and might cause login failed attempt. 

Hi Prashant,

If "Change the Password Even if a Release is Active" is disabled then SPP will not attempt to change the password on the target system during the session access (i.e. there would be no login attempt failure) - it will just log an event in SPP that the scheduled password change failed due to account is already in use. Therefore, retries are not causing an issue. You may also change the number of retries if you want SPP to retry less time ( user-defined Max Platform Task Retries (default 50, configurable via Settings endpoint which can be modified using the Swagger API)

If "Change the Password Even if a Release is Active" is enabled then SPP will make the password change while session release is Active and this can cause an account lock if for example an RDP session remains active for a long time while the session password is now expired.

Thanks!