Remote Password Rotation
Remote password rotation allows you to automatically change the passwords of the corresponding privileged user accounts after a specified time period, or manually at any time.
Remote password rotation can only be enabled for Active Directory, Windows, Unix (SSH), and MS SQL secrets by a user with the Owner permission.
For Windows account secrets, the following preconditions need to be met:
• Remote UAC must be disabled on Windows 11 and Windows 10.
• The EkranServer service must be run under any user account other than the LocalSystem account.
• Make sure that the local security policy is configured correctly.
• Make sure that the password settings for the account are configured correctly.
NOTE: Remote password rotation is only available for local administrator accounts.
To configure remote password rotation for the account that users will access using the Ekran System Connection Manager, open the Password Management section, and then click anywhere on the required Active Directory, Windows, Unix (SSH), or MS SQL secret. In the Edit Secret pop-up window that opens, on the Automation tab, select the Enable remote password rotation checkbox and specify how frequently the password needs to be changed. If you want to change the password immediately, click the Rotate Now button.
NOTE: If the password change ever fails, the corresponding secret will be marked with the icon in the list of secrets, and the corresponding error event will be displayed on the Health Monitoring page. In this case, the next scheduled password change will not take place either.
To disable remote User Account Control (UAC), do the following:
1. Open the Windows Registry Editor.
2. Locate and select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. If the LocalAccountTokenFilterPolicy registry entry does not exist, select Edit > New > DWORD (32-bit) Value, and add the following new values in the fields:
• Value name: LocalAccountTokenFilterPolicy
• Value data: 1
4. If a LocalAccountTokenFilterPolicy registry entry already exists, right-click it and select Modify in the context menu, then enter “1” in the Value data field, and click OK.
5. Restart the computer.
To make sure the local security policy is configured so that the account will never be locked out, do the following:
1. Press Win+R, then enter secpol.msc, and press Enter.
2. In the Local Security Policy window that opens, select the Security Settings section (on the left).
3. Open Account Policies, and select Account Lockout Policy.
4. Double-click the Account lockout threshold policy (on the right) to open the Account lockout threshold Properties window.
5. Make sure that the value specified in the Account will lock out after field is “0” to disable account lockout, and click Apply and then OK to save any changes made.
To make sure the password is configured to never expire, do the following:
1. Press Win+R, then enter lusrmgr.msc, and press Enter.
2. In the Local Users and Groups (Local) section, select the Users section.
3. Right-click on the user required, and select Properties.
4. On the General tab, make sure that the Password never expires checkbox is selected, and then click OK.
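The Windows preconditions above can be verified in one pass before enabling rotation. The following read-only PowerShell script is an added example, not part of the Ekran System product or its documentation. The account name 'rotated-admin' is a hypothetical placeholder, the service name is assumed to be EkranServer as written on this page, and the script is assumed to run in an elevated session (secedit requires it).

```powershell
# Added example: read-only check of the preconditions described on this page.
param(
    [string]$AccountName = 'rotated-admin',  # hypothetical local account name
    [string]$ServiceName = 'EkranServer'     # assumption: service name as written on this page
)
$results = [ordered]@{}

# Remote UAC: LocalAccountTokenFilterPolicy must be 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
$results['Remote UAC disabled'] = ($null -ne $policy -and $policy.LocalAccountTokenFilterPolicy -eq 1)

# Account lockout threshold: export the local policy and read LockoutBadCount (0 = never lock out).
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$match = Get-Content $cfg | Select-String -Pattern '^LockoutBadCount\s*=\s*(\d+)' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$results['Account lockout threshold is 0'] = ($null -ne $match -and $match.Matches[0].Groups[1].Value -eq '0')

# Account: must exist, be a local administrator, and have a password that never expires.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if ($user) {
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $results['Account is a local administrator'] = ($admins.SID.Value -contains $user.SID.Value)
    $results['Password never expires'] = ($null -eq $user.PasswordExpires)
} else {
    $results["Account '$AccountName' exists"] = $false
}

# Service logon account: only checked where the service is installed.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $results["$ServiceName not running as LocalSystem"] = ($svc.StartName -ne 'LocalSystem')
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Because LocalAccountTokenFilterPolicy set to 1 gives local administrator accounts a full administrative token on remote connections, the same check can be used to inventory which hosts carry the setting.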