Password management is a common IT support issue that creates problems for many organizations. Password management can be divided into two categories. The first category is normal user accounts, for day-to-day activities by normal users. The second category is privileged accounts, such as background applications and server administration accounts, managed only by IT administrators.

Regular user accounts usually cause a lot of routine work for the IT help desk: users tend to forget passwords and accidentally lock their accounts, then call support for help, which can use up a lot of time. Privileged accounts are managed by very thorough IT staff, but they can also cause a lot of worries and headaches because of their shared nature. One privileged account is usually managed by multiple admins, and each admin usually has multiple accounts, creating complex relationships to keep in mind.

Privileged accounts fall into two types: service and administrative. Privileged service accounts run services and other background applications. Privileged administrative accounts are used for managing servers. A local Administrator account is an example of a privileged server management account.

Every IT team needs many privileged passwords for managing servers and applications. It is common for a group of servers to be managed by several different administrators, and proper account maintenance requires close cooperation between them. Password changes may cause unexpected effects, such as account lockouts, if not properly communicated to all team members.

In the following example (see picture), Joe and Bill manage two servers each, one of them shared. One day Bill comes to work and decides to change the service password because it's going to expire today. He changes it and updates his two managed services. He is happy! And guess what happens next? Yes, he's just broken the Exchange server managed by Joe, and not only that, he's locked out the shared service account, because the Exchange server is still running with the old credentials.

Another example is a local Administrator account. Now what if Joe, getting back at Bill, resets the local admin password for SQL1 and says nothing to Bill? How can Bill now access this shared server? Good revenge, isn't it?

Figure: Privileged Password Management Example
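Bill's mistake in the scenario above was updating only the services he knew about. The PowerShell below is an added example, not Netwrix code and not how the product works internally: it lists every service that logs on with a given account so that all of them can be updated together with the password. The function names, the `CORP\svc-shared` account, the `EXCH1` and `APP1` servers and the service names are assumptions made for illustration.

```powershell
# Added example: list every service that logs on with a given account,
# so all of them can be updated in the same change as the password.

function Get-AccountShortName([string] $Name) {
    # StartName appears as DOMAIN\user, .\user or user@domain; keep the user part.
    if ($Name -match '\\') { return ($Name -split '\\')[-1] }
    return ($Name -split '@')[0]
}

function Find-ServiceAccountUsage {
    param(
        # Objects shaped like Win32_Service: SystemName, Name, StartName, State
        [Parameter(Mandatory, ValueFromPipeline)] $Service,
        [Parameter(Mandatory)] [string] $Account
    )
    begin { $user = Get-AccountShortName $Account }
    process {
        # -eq is case-insensitive. Matching on the short name also catches a local
        # account with the same name, so check LogOnAs before acting on a row.
        if ((Get-AccountShortName $Service.StartName) -eq $user) {
            [pscustomobject]@{
                Server  = $Service.SystemName
                Service = $Service.Name
                LogOnAs = $Service.StartName
                State   = $Service.State
            }
        }
    }
}

# Constructed inventory for the Joe/Bill scenario (all names are assumptions except SQL1).
$inventory = @(
    [pscustomobject]@{ SystemName = 'EXCH1'; Name = 'MailBackupAgent'; StartName = 'CORP\svc-shared';         State = 'Running' }
    [pscustomobject]@{ SystemName = 'SQL1';  Name = 'ReportLoader';    StartName = 'svc-shared@corp.example'; State = 'Running' }
    [pscustomobject]@{ SystemName = 'SQL1';  Name = 'Spooler';         StartName = 'LocalSystem';             State = 'Running' }
    [pscustomobject]@{ SystemName = 'APP1';  Name = 'OrderSync';       StartName = 'CORP\svc-shared';         State = 'Stopped' }
)
# Against live servers, assuming CIM/WinRM access to each one:
# $inventory = Get-CimInstance -ClassName Win32_Service -ComputerName 'EXCH1','SQL1','APP1'

$inventory | Find-ServiceAccountUsage -Account 'CORP\svc-shared' | Sort-Object Server, Service
```

A server that cannot be queried is a gap in the inventory rather than a clean result, so resolve any `Get-CimInstance` errors before changing the password.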

To address privileged password management issues, Netwrix designed a product called Privileged Account Manager. Once the product is deployed, all privileged password management takes place from a central server, accessible from a Web browser. Administrators never update passwords directly, but rather go through a management console, which ensures the proper workflow. All you have to do is specify a list of managed servers once for each account. Then, when someone from your team changes a password, the product goes through all of your servers and updates automatically discovered services. You may even remove administrative permissions from your normal accounts to prevent inadvertent changes and let Privileged Account Manager take care of your service accounts.


Note: if you are looking for password management of regular user accounts, please visit the Netwrix Password Manager home page.