Adding an Active Directory Account Secret
To add a new Active Directory Account secret, do the following:
1. Log in to the Management Tool.
2. Click the Password Management navigation link on the left.
3. On the Secrets tab, click the Add Secret button in the top right of the page, and the Add Secret pop-up window will open.
4. On the Secret Properties tab, in the General section at the top, do the following:
• Enter a unique name for the secret.
• Select the Active Directory account secret type from the drop-down list.
• Optionally, enter a description for the secret.
5. In the Account section below, define a computer which users will access using the Ekran System Connection Manager:
• Select the Active Directory domain that the computer belongs to from the drop-down list.
• Select the user’s login name for which a connection will be established from the drop-down list.
• Enter the user’s password.
6. On the Automation tab, to configure automatic remote password rotation for the account which the Active Directory user will access using the Ekran System Connection Manager, select the Enable remote password rotation checkbox and specify how frequently the password will be changed.
NOTE: If the password change ever fails, the secret will be marked with the
icon next to it on the left in the list of secrets, and the corresponding error event will be displayed on the Health Monitoring page. In this case, subsequent password changes will no longer occur.
7. On the Security tab, you can enhance security by enabling the Password Checkout functionality, so that only one user can use the secret at any given time:
• Requires check out: Select this checkbox to enable the feature, so that only one user can exclusively check out the secret's password (i.e. log in to the secret) at any given time.
• Change password on check in: Select this checkbox for the password to be rotated every time the secret's password is checked back in (i.e. every time a user logs out / is logged out of the secret).
NOTE: The “Change password on check in” checkbox is completely independent to the “Enable remote password rotation” checkbox (on the Automation tab - see above), so they can both therefore function at the same time without affecting each other.
• Check in automatically after: Select this checkbox to specify a time period, after the expiry of which the secret's password will be automatically checked back in (i.e. after which the current user of the secret will be forcibly logged out).
NOTE: The “Check in automatically after” checkbox is completely independent to the “Allow access without approval during work hours” checkbox (on the Restriction Types tab - see below), both of which can therefore function at the same time, in which case the user will be automatically logged off at whichever time period expires first.
• Force Check In: After adding the secret, while editing it later, this button can be clicked at any time to manually check the secret's password back in (i.e. to forcibly log the current user out of the secret) immediately.
8. On the Permission tab, click the Add button, and in the drop-down list that opens, search for and select the users and user groups that you want to grant permissions to, then click Add, and next to each user or user group, select the permission to be granted to them.
9. On the Restriction Types tab, to configure the access restrictions for users to access the secret, do the following:
• Select the required option:
- Access without any restrictions: If this option is selected, users will be able to access the secret without any restrictions.
- Always require approval on secret usage: If this option is selected, users will require approval when they attempt to access the secret.
- Allow access without approval during work hours: If this option is selected, specify the work hours, date range, and days of the week when users will be able to access the secret without approval.
• Users Who Can Approve Access: Select the users (i.e. Approvers) who will be able to approve requests by users to access the secret.
• Owners or Approvers also require approval: Select this checkbox to also require approval (e.g. by the default admin user) for Owners and Approvers to access the secret.
NOTE: Approvers receive notifications by email and can approve access either by clicking the link in the email or by way of the Management Tool (see the Access Requests section).
10. Click the Save button in the bottom right of the Add Secret pop-up window.
11. The secret is now added.