Active Roles

Service Account management?

Can the Active Roles service account be managed by a PAM solution?

  • If that PAM solution wants to change that service account's password, this could have ramifications on the availability of the ActiveRoles administration service should this service need to be restarted. If the PAM solution can manage that - i.e. update the password configured in the Admin Service Windows service, then I don't see any reason why you couldn't manage it that way.

    The other consideration here though is whether or not AR is configured such that the service account is being used by AR to perform changes in Managed Domain(s) (i.e. no separate override account). If this IS the case, then I would say that having a PAM solution manage it could be very problematic due to the likelihood of ongoing password changes by the PAM solution.
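
The dependency the reply describes, where a rotated password must also be written into the Windows service's stored logon credential, can be handled with a post-rotation step like the one below. This is an added example, not part of the original thread and not Active Roles or PAM vendor code; the function name, `$ServiceName` and the sample account are assumptions to replace with your own values.

```powershell
# Added example: push a rotated password into a Windows service's stored logon credential.
# Update-ServiceLogonPassword is a hypothetical helper name. $ServiceName is a placeholder:
# look up the real name of the Administration Service on your host.
function Update-ServiceLogonPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $ExpectedAccount,   # e.g. 'CONTOSO\svc-ar' (constructed)
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [switch] $RestartToVerify
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # Refuse to touch a service that runs under a different identity than the one rotated.
    # StartName must be given in the same form the service reports (DOMAIN\user or UPN).
    if ($svc.StartName -ne $ExpectedAccount) {
        throw "Service runs as '$($svc.StartName)', not '$ExpectedAccount'."
    }

    # Win32_Service.Change takes the password as plain text, so unwrap it as late as possible.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Update stored logon password')) {
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $ExpectedAccount
            StartPassword = $plain
        }
        $plain = $null
        if ($result.ReturnValue -ne 0) {
            throw "Win32_Service.Change failed with code $($result.ReturnValue)."
        }
    }

    # The stored password is only used when the service starts, so a running service
    # hides a stale credential until the next restart. Restarting is the real test.
    if ($RestartToVerify) {
        Restart-Service -Name $ServiceName -Force -ErrorAction Stop
        (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    }
}
```

Run it with `-WhatIf` first to confirm the service and account match before any change is made.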