Rotating Domain Service Credentials
In Windows domain environments, it is common to use a shared Active Directory account as the "run as" user for services, scheduled tasks, and application pools across multiple domain-joined devices. When the password for this shared account is rotated, all dependent services on these devices must be updated to avoid service disruptions.
The Rotate Domain Service Credentials feature automates the password rotation process for the shared domain account and ensures that all associated services, tasks, and application pools on dependent hosts are updated accordingly.
Configuration
Step 1: Create and Schedule Password Rotation for LDAP User Account
- Create a Windows domain account asset that will be used as the shared "run as" account.
- Schedule password rotation for this account.
Typically, the domain account is configured as an LDAP User asset. The password rotation is performed using a shadow LDAP Administrator asset that sets the password when triggered.
Step 2: Define Windows Host Assets
- Create a Windows Host asset for each host that runs services, scheduled tasks, or application pools under the shared domain account.
Step 3: Assign the Windows Update Dependencies Script
- Add the Windows Update Dependencies script to each Windows Host asset's task list.
This task can be added individually to each asset or centrally to a shared Asset Type, which is then used by all relevant Windows Host assets.
Step 4: Associate the LDAP User with Windows Host Assets
- Add the previously created LDAP User asset as a member asset to each Windows Host asset.
This member asset association is typically created during the import process from Microsoft Active Directory, where a single domain account is linked to multiple host assets.
With this configuration in place, each time the application rotates the credentials of the LDAP User account, it automatically propagates the updated password to all dependent services, scheduled tasks, and application pools on the asset endpoints where the LDAP User asset is assigned as a member.
How Domain Service Credential Rotation Works
- The application initiates credential rotation for the shared domain (LDAP User) account, either on a predefined schedule or manually.
- The LDAP Administrator (shadow account) sets a new password for the LDAP User.
- After successful password rotation, the application identifies all Windows Host assets that include the LDAP User as a member asset.
- For each of these assets, the application checks for the presence of the Windows Update Dependencies task. If the task is available, it is scheduled for immediate execution with the LDAP User asset as a parameter.
- The Windows Update Dependencies task uses the updated password from the LDAP User asset to update all services, scheduled tasks, and application pools running under that account on the respective host.
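The host-side step above is what the Windows Update Dependencies task performs. The script below is an added example of that step on a single host, not the product's own task script; it assumes an elevated session on the host, an account name in DOMAIN\user or user@domain form, and that the NetBIOS domain name matches the first DNS label (hypothetical values such as CORP\svc-app are placeholders).

```powershell
# Added example: point every service, scheduled task and IIS app pool that runs as $Account at the rotated password.
param(
    [Parameter(Mandatory)][string]$Account,          # e.g. CORP\svc-app (hypothetical)
    [Parameter(Mandatory)][securestring]$NewPassword,
    [switch]$RestartServices                         # a service only reads the new secret on its next start
)
$ErrorActionPreference = 'Stop'
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

function Split-Account([string]$Name) {
    # Returns @(domain, user) from DOMAIN\user, user@domain or a bare user name (domain '' when absent)
    if ($Name -match '^(.*)\\(.+)$') { return @($Matches[1], $Matches[2]) }
    if ($Name -match '^(.+)@([^.]+)') { return @($Matches[2], $Matches[1]) }   # assumes NetBIOS = first DNS label
    return @('', $Name)
}
$target = Split-Account $Account
function Test-SameAccount([string]$Candidate) {
    if (-not $Candidate) { return $false }
    $c = Split-Account $Candidate
    if ($c[1] -ine $target[1]) { return $false }
    return (-not $c[0] -or -not $target[0] -or $c[0] -ieq $target[0])   # domain compared only if both carry one
}

# 1. Windows services: Win32_Service.Change leaves every other service setting untouched
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { Test-SameAccount $_.StartName }) {
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $plain }
    if ($r.ReturnValue -ne 0) { Write-Warning "Service $($svc.Name): Change returned $($r.ReturnValue)"; continue }
    Write-Output "Updated service $($svc.Name)"
    if ($RestartServices -and $svc.State -eq 'Running') { Restart-Service -Name $svc.Name }
}

# 2. Scheduled tasks: only principals registered with a stored password hold a secret to rotate
foreach ($task in Get-ScheduledTask | Where-Object { Test-SameAccount $_.Principal.UserId }) {
    if ($task.Principal.LogonType -ne 'Password') { continue }   # S4U / group / interactive tasks store none
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -User $Account -Password $plain | Out-Null
    Write-Output "Updated task $($task.TaskPath)$($task.TaskName)"
}

# 3. IIS application pools, only where IIS and the WebAdministration module are installed
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    foreach ($pool in Get-ChildItem IIS:\AppPools | Where-Object { Test-SameAccount $_.processModel.userName }) {
        Set-ItemProperty -Path "IIS:\AppPools\$($pool.Name)" -Name processModel.password -Value $plain
        Write-Output "Updated app pool $($pool.Name)"
    }
}
$plain = $null   # drop the clear-text copy as soon as the updates are done
```

Run it once per dependent host after the LDAP User's password has been set; services that are left running keep working on their old logon token until restarted, which is why the restart is a switch rather than the default.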