12.6 Managing Passwords for Access Accounts

You can reset passwords for access accounts that are used to manage a domain, secondary server, Exchange, or Azure tenant from DRA. If the password for any of these access accounts is due to expire or if you forget the password, you can reset the password for the access account in the following ways:

  • Reset the password manually in the Delegation and Configuration Console.

  • Schedule a job to monitor password expiration for access accounts and reset the password for access accounts that are due to expire.

You can reset the password for access accounts from both the primary server and secondary server. If the same access account is used in multiple instances in the same domain, for example, to manage an Exchange mailbox or a secondary server, the DRA server automatically updates the password for all instances of the access account usage, so you do not need to update the password manually for each instance. If the secondary Administration server uses the domain access account of the primary Administration server, the DRA server automatically refreshes the password for the access account in the secondary Administration server.

12.6.1 Reset Password Manually

Use the Delegation and Configuration Console to manually reset the password for an access account.

To manually reset the password for an access account:

  1. In the Delegation and Configuration console, click Configuration Management.

  2. Select a managed domain or an Azure tenant and view properties.

  3. On the properties page, specify the following information:

    • To update the password for a domain access account, in the Domain access tab, specify a new password for the domain access account. Select Update password in Active Directory.

    • To update the password for an Exchange access account, in the Exchange access tab, specify a new password for the Exchange access account. Select Update password in Active Directory.

    • To update the password for an Azure tenant access account, in the Tenant access tab, specify a new password for the tenant access account. Select Update Azure tenant access account password.

    • To update the password for an access account for a secondary Administration server, select Configuration Management > Administration Servers in the primary Administration server. Select the secondary Administration server for which you want to update the password, right-click and select Properties. In the Access account tab, specify a new password for the access account. Select Update password in Active Directory.

    NOTE:

    • Ensure that the access account of the secondary Administration server is not the service account of the secondary Administration server. The access account must be a part of the Local Administrators group on the secondary Administration server.

    • If you use the least privilege account as the access account, ensure that the account is assigned the “Reset Password” permission for itself in Active Directory for the password reset to be successful in DRA.

12.6.2 Schedule a Job to Reset Password

You can schedule the Reset Password job to run at a predefined interval to reset expiring passwords for your access accounts. The job will reset any access account passwords that are due to expire before the next time the job is scheduled to run. A new password will be automatically generated according to the password policy.

The job is disabled by default. You can schedule the job once a week or at a specific interval, according to your requirement. In an MMS environment, if you configure the job on the primary server, ensure that the job is configured on all servers in the MMS.

To configure the job:

  1. On the server on which you want to schedule the job, go to the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\Accounts\UpdateAccessAccPWD.Freq.

  2. Right-click and select Modify.

  3. In the Value data field, specify the frequency at which you want the job to run.

    • To schedule a weekly job, specify the frequency in the format Weekly <Day of the week> <Time in 24-hour format>. For example, to schedule the job to run every Saturday at 6:00 PM, enter:

      Weekly 06 18:00

      Where 6 indicates the day of the week and 18:00 indicates the time in the 24-hour format.

    • To schedule the job to run at a specific interval, specify the frequency in the format Interval <Time in 24-hour format>. For example, to schedule the job to run every 8 hours, enter:

      Interval 08:00

    It is recommended to schedule the job to run on weekends.

    NOTE: The Reset Password job does not support daily frequency. If you configure daily frequency, DRA Server automatically resets the schedule to Weekly 06 00:00 when you restart the DRA Administrative Service.

  4. Click OK.

  5. Restart the DRA Administration Service for the changes to take effect.

NOTE: For each Azure tenant configured, the job creates the following registry key for the default password policy with a validity of 90 days: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\Accounts\<tenantName>.ValidityPeriod. The password expiry date for the tenant access account is calculated based on the validity period for the tenant. When the password is due to expire, the job resets the password for the tenant access account.
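
The registry procedure in steps 1 to 5 can be scripted so that the schedule string is validated before it is written, which avoids the silent fallback to Weekly 06 00:00 described in the note on daily frequency. The following PowerShell is an added example, not code from the product or its vendor. It assumes the value is a string (REG_SZ), that the day of the week is written with two digits as in the page's example, and it takes the service name as a hypothetical -ServiceName parameter because the page does not give it.

```powershell
# Added example, not vendor code. Key path and value name come from the page;
# the REG_SZ value type and the -ServiceName parameter are assumptions.
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\Accounts'
$ValueName = 'UpdateAccessAccPWD.Freq'

function Test-DraResetSchedule {
    # Accepts only the two documented forms; anything else (e.g. daily) fails.
    param([Parameter(Mandatory)][string]$Schedule)
    $time = '([01]\d|2[0-3]):[0-5]\d'                      # HH:mm, 24-hour
    if ($Schedule -cmatch ('^Weekly \d{2} ' + $time + '$')) { return $true }
    if ($Schedule -ceq 'Interval 00:00') { return $false }  # zero-length interval
    return ($Schedule -cmatch ('^Interval ' + $time + '$'))
}

function Set-DraResetSchedule {
    param(
        [Parameter(Mandatory)][string]$Schedule,
        [string]$ServiceName   # hypothetical: supply the service name used on your server
    )
    if (-not (Test-DraResetSchedule -Schedule $Schedule)) {
        throw "Unsupported schedule '$Schedule': use 'Weekly <dd> <HH:mm>' or 'Interval <HH:mm>'."
    }
    if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

    # Record the previous value so the change is traceable.
    $old = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Schedule -Type String
    Write-Output "$ValueName changed from '$old' to '$Schedule' on $env:COMPUTERNAME"

    # The new schedule takes effect only after the service restarts (step 5).
    if ($ServiceName) { Restart-Service -Name $ServiceName }
    else { Write-Warning 'Restart the DRA Administration Service to apply the schedule.' }
}

# Constructed sample inputs: exercise the validator without touching the registry.
foreach ($s in 'Weekly 06 18:00', 'Interval 08:00', 'Daily 18:00', 'Weekly 06 25:00') {
    '{0,-18} valid={1}' -f $s, (Test-DraResetSchedule -Schedule $s)
}
```

Run Set-DraResetSchedule from an elevated session on each server in the MMS so that every server carries the same schedule.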