Remote Password Rotation


Remote password rotation allows you to automatically change the passwords of the corresponding privileged user accounts after a specified time period, or manually at any time.

Password rotation can be enabled only for Active Directory, Windows, Unix (SSH), and MS SQL secrets, and only by a user with the Owner permission.


For Windows account secrets, the following preconditions need to be met:

• Remote UAC must be disabled on Windows 10.

• The firewall must be turned off for domain (i.e. workplace) networks on the computer which users will access using the Ekran System Connection Manager.

• The EkranServer service must be run under any user account other than the LocalSystem account.

NOTE: Remote password rotation is only available for local administrator accounts.


To configure remote password rotation for the account which users will access using the Ekran System Connection Manager, click the Password Management navigation link on the left, and then click anywhere on the required Active Directory, Windows, Unix (SSH), or MS SQL secret. In the Edit Secret pop-up window that opens, on the Automation tab, select the Enable remote password rotation checkbox and specify how frequently the password will need to be changed. If you want to change the password immediately, click the Rotate Now button.

NOTE: If the password change ever fails, the corresponding secret will be marked with an icon in the list of secrets, and the corresponding error event will be displayed on the Health Monitoring page. The next scheduled password change will not take place either.


To disable Remote UAC (the User Account Control restriction applied to remote logons by local accounts), do the following:

1. Open the Windows Registry Editor.

2. Locate and select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

3. If the LocalAccountTokenFilterPolicy registry entry does not exist, select Edit > New > DWORD (32-bit) Value and enter the following values in the fields:

• Value name: LocalAccountTokenFilterPolicy

• Value data: 1

4. If a LocalAccountTokenFilterPolicy registry entry already exists, right-click it and select Modify in the context menu, then enter “1” in the Value data field, and click OK.

5. Restart the computer.
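
The registry steps above and the Windows preconditions can also be checked from an elevated PowerShell session. This is an added example, not Ekran System code; the service name EkranServer as registered in Windows and the function names are assumptions.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-RotationPreconditions {
    # Registry entry from steps 2-4; $null means the entry does not exist yet.
    $uac = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    # Domain-profile firewall state on this computer.
    $fw  = Get-NetFirewallProfile -Name Domain
    # Assumption: the service is registered under the name 'EkranServer'.
    # It exists only on the server computer, so $null is expected elsewhere.
    $svc = Get-CimInstance Win32_Service -Filter "Name='EkranServer'"
    [pscustomobject]@{
        RemoteUacDisabled  = ($uac -eq 1)
        DomainFirewallOff  = ([string]$fw.Enabled -eq 'False')
        ServiceAccount     = $svc.StartName
        ServiceNotLocalSys = if ($svc) { $svc.StartName -ne 'LocalSystem' } else { $null }
    }
}

function Set-RemoteUacDisabled {
    # Covers steps 3 and 4: creates the DWORD if missing, overwrites it otherwise.
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($before -eq 1) { return 'AlreadySet' }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    return 'ChangedRestartRequired'   # step 5: restart the computer
}

# Report the current state; nothing is modified by this call.
Get-RotationPreconditions | Format-List

# Uncomment to apply the registry change, then restart the computer:
# Set-RemoteUacDisabled
```

Setting LocalAccountTokenFilterPolicy to 1 gives local administrator accounts an unfiltered administrative token on remote logons, so apply it only on the computers whose secrets use remote password rotation and keep a record of the previous value.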