Skip to main content
Skip table of contents

Remote Password Rotation

The Remote Password Rotation functionality allows you to automatically change the passwords of the corresponding privileged user accounts at a specified frequency, as well as manually, at any time.

Remote Password Rotation can only be enabled for Active Directory account, Windows account, Unix account (SSH), and MS SQL account secret types, and by a user with the Owner permission for the secret.

[For the Windows account secret type only:] The following preconditions need to be met on the remote computer where the Windows account is located (i.e. on the computer that the secret connects to by using the Ekran System Connection Manager):

•  On computers running the Windows 11 and Windows 10 desktop operating systems:

- Remote UAC must be disabled.

- The Remote Registry service must be running.

Make sure that the local security policy is configured correctly.

Make sure that the password settings for the account are configured correctly.

In the firewall, the following rules must be enabled:

- Remote Service Management (NP-ln).

- Remote Service Management (RPC).

Also, on the computer where the Ekran System Application Server is installed, the EkranServer service must be run under any user account other than the LocalSystem account.

NOTE: Remote Password Rotation is only available for local administrator accounts.

To configure Remote Password Rotation for the account that users will access by using a secret in the Ekran System Connection Manager, open the Password Management section, and then click anywhere on the required Active Directory account, Windows account, Unix account (SSH), or MS SQL account secret. In the Edit Secret pop-up window that opens, on the Automation tab, select the Enable remote password rotation checkbox and specify how frequently the password will be changed, or click the Rotate Now button to change the password immediately at any time.

NOTE: If Remote Password Rotation ever fails, the secret is marked with the red circular (

) icon next to its name (on the left) in the list of secrets, and the corresponding error event will be displayed on the Health Monitoring page. In this case, subsequent password changes will no longer occur.

To disable remote User Account Control (UAC), do the following:

1. Open the Windows Registry Editor.

2. Locate and select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

3. If the LocalAccountTokenFilterPolicy registry entry does not exist, select Edit > New > DWORD (32-bit) Value, and add the following new values in the fields:

Value name: LocalAccountTokenFilterPolicy

Value data: 1

4. If a LocalAccountTokenFilterPolicy registry entry already exists, right-click it and select Modify in the context menu, then enter “1” in the Value data field, and click OK.

5. Restart the computer.

To make sure the local security policy is configured (so that the account will never be locked out), do the following:

1. Press Win+R, then enter secpol.msc, and click Enter.

2. In the Local Security Policy window that opens, select the Security Settings section (on the left).

3. Open Account Policies, and select Account Lockout Policy.

4. Double-click on the Account lockout threshold policy (on the right) to open the settings Account lockout threshold Properties window.

5. Make sure that the value specified in the Account will lock out after field is “0” to disable account lockout, and click Apply and then OK to save any changes made.

To make sure the password is configured to never expire, do the following:

1. Press Win+R, then enter lusrmgr.msc, and click Enter.

2. In the Local Users and Groups (Local) section, select the Users section.

3. Right-click on the user required, and select Properties.

4. On the General tab, make sure that the Password never expires checkbox is selected, and then click OK.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.