Shared Accounts are accounts whose credentials are stored and used in more than one place. An example is the Windows Domain account that runs the ForestSafe Service. The account exists in the Windows Domain and is also configured as the logon identity of the Windows Service on the application server, so the password is stored in two different places. When the domain account password changes, the service will fail to start on its next restart unless the password held in the Windows Service logon definition is updated as well.
The above example shows the management of the hub/forestsafeservice domain account, which is used by the ForestSafe service on SERUATDEV01. The password is synchronised in both locations.
A Shared Account policy consists of an Account Name and the System Types to which it applies. This is a one-to-many relationship: one account, many system types.
System Type | Mandatory Fields | Discretionary Fields
Domino/Notes Logon | Target = Computer name; Parameter = FullPathName/IDFILE | None
Oracle Logon | Target = Computer name; Parameter = Database name (e.g. XE) | Additional = Port number (default 1521)
SAP CCMS/SLD Account | Target = Computer name; Parameter = System (e.g. 00); Additional = Client (e.g. 001) | None
SharePoint Managed Account | Target = Computer name; Parameter = Port Number (default 5985) | Additional = Client (e.g. 001)
Windows Domain Account | Domain name | None
Windows Local Account | Target = Computer name | None
Windows Service Account | Target = Computer name; Parameter = Service Short Name | Domain name
Windows IIS Pool Identity Account | Target = Computer name; Parameter = Application Pool name | Domain name
Windows Task Scheduler | Target = Computer name; Parameter = Task name | Domain name
SQL Server Logon | Target = Computer name; Parameter = Instance Name* | None
Windows MS SQL Start up Account | Target = Computer name; Parameter = Instance Name* | Domain name
UNIX Local Account | Target = Computer name | None
*Instance name is the MS SQL Instance name only, without the computer name. E.g. SERHUBSQL04\FORESTSAFE,1691 has Instance name = FORESTSAFE,1691.
All the System Types that deal with Windows systems (apart from Windows Domain Account and Windows Local Account) manage both Domain and Local accounts used within the applications, so the Domain name is discretionary for them. To indicate that the account is local to the system, leave the Domain field blank.
Default ports: MS SQL Server uses 1433, DB2 uses 50000 and Oracle uses 1521.
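The table above lists the places on a Windows host where a shared account's password is cached (service logon definitions, scheduled tasks, IIS application pool identities). The following PowerShell script is an added example, not ForestSafe's own code: it enumerates those places for one account by hand, the way a Shared Account Policy does automatically, and then pushes a new password into the matching Windows services and restarts them so the service side of the synchronisation does not lag behind the domain change. The host name SERUATDEV01, the account hub\forestsafeservice and the use of WinRM/CIM for remote access are assumptions; the domain-side password change itself is out of scope here.

```powershell
# Added example (not ForestSafe code). Finds every cached copy of a shared
# account's password on a host and updates the Windows Service copies.
# Host and account names are assumptions.
[CmdletBinding()]
param(
    [string]$ComputerName = 'SERUATDEV01',          # assumed target host
    [string]$Account      = 'hub\forestsafeservice' # assumed shared account
)

# 'hub\user', 'user@hub.local' and 'HUB\User' all name the same principal.
function ConvertTo-CanonicalAccount([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    $n = $Name.Trim()
    if ($n -match '^(?<user>[^@\\]+)@(?<dom>[^.]+)') { $n = "$($Matches.dom)\$($Matches.user)" }
    return $n.ToLowerInvariant()
}

# Returns one object per place the account is used on the host, typed with the
# System Type names from the table above and the Parameter value each needs.
function Find-SharedAccountUsage([string]$Computer, [string]$Acct) {
    $target  = ConvertTo-CanonicalAccount $Acct
    $session = New-CimSession -ComputerName $Computer
    $usages  = @()
    try {
        # Windows Service Account: Parameter = Service Short Name
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { (ConvertTo-CanonicalAccount $_.StartName) -eq $target } |
            ForEach-Object {
                $usages += [pscustomobject]@{ Type = 'Windows Service Account'
                                              Parameter = $_.Name; State = $_.State }
            }
        # Windows Task Scheduler: Parameter = Task name
        Get-ScheduledTask -CimSession $session |
            Where-Object { (ConvertTo-CanonicalAccount $_.Principal.UserId) -eq $target } |
            ForEach-Object {
                $usages += [pscustomobject]@{ Type = 'Windows Task Scheduler'
                                              Parameter = $_.TaskName; State = $_.State }
            }
    } finally { Remove-CimSession $session }

    # Windows IIS Pool Identity Account: Parameter = Application Pool name.
    # Needs WinRM on the host (default port 5985) and the WebAdministration module there.
    $pools = Invoke-Command -ComputerName $Computer -ErrorAction SilentlyContinue -ScriptBlock {
        Import-Module WebAdministration -ErrorAction Stop
        Get-ChildItem IIS:\AppPools | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; User = $_.processModel.userName; State = $_.State }
        }
    }
    foreach ($p in $pools) {
        if ((ConvertTo-CanonicalAccount $p.User) -eq $target) {
            $usages += [pscustomobject]@{ Type = 'Windows IIS Pool Identity Account'
                                          Parameter = $p.Name; State = $p.State }
        }
    }
    return $usages
}

# Writes the new password into a service's logon definition and restarts it.
# Win32_Service.Change returns 0 on success; any other code is raised as an error.
function Update-ServiceLogon([string]$Computer, [string]$ServiceName,
                             [string]$Acct, [string]$NewPassword) {
    $svc = Get-CimInstance -ComputerName $Computer -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found on $Computer" }
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = $Acct; StartPassword = $NewPassword }
    if ($r.ReturnValue -ne 0) { throw "Change() failed with code $($r.ReturnValue)" }
    if ($svc.State -eq 'Running') {
        [void](Invoke-CimMethod -InputObject $svc -MethodName StopService)
        do {
            Start-Sleep -Seconds 1
            $svc = Get-CimInstance -ComputerName $Computer -ClassName Win32_Service -Filter "Name='$ServiceName'"
        } while ($svc.State -ne 'Stopped')
    }
    # Starting the service is the real test: a stale password fails here with a logon failure.
    $r = Invoke-CimMethod -InputObject $svc -MethodName StartService
    if ($r.ReturnValue -ne 0) { throw "StartService() failed with code $($r.ReturnValue)" }
}

$usages = Find-SharedAccountUsage -Computer $ComputerName -Acct $Account
$usages | Format-Table -AutoSize

# The same new password must reach the domain AND every usage listed above.
# Only the Windows Service copies are updated here; Change() needs the clear text.
$secure = Read-Host -Prompt "New password for $Account" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
foreach ($u in ($usages | Where-Object Type -eq 'Windows Service Account')) {
    Update-ServiceLogon -Computer $ComputerName -ServiceName $u.Parameter -Acct $Account -NewPassword $plain
}
```

Scheduled tasks found by the script can be updated the same way with Set-ScheduledTask -User/-Password, and IIS pools through the WebAdministration module on the host; the point of listing all three first is that a rotation is only complete when every cached copy has been changed, which is exactly what the Shared Account Policy tracks for you.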
When managing Lotus ID files, if the managed ID file password is synchronised with the password of a local logon account, Lotus will trust the user logon and not prompt for the ID file password.
In every case when managing Lotus ID files, an arbitrary account name must be given to ForestSafe to represent the ID file.
When an account is managed by both a Local Policy and a Shared Policy, the Shared Policy takes precedence and the Local Policy skips setting the password for that account.
In the following example, the local Windows CommonAdmin01 account is managed by both a Local and a Shared Policy. The Dashboard shows OKAY for the workstation that has the account, and it also shows OKAY in the Shared account chart.
However, clicking the Local Policy OKAY segment and checking the last results for the workstation shows:
00:08:43 OKAY Skipping Delete User BuildAdmin01
00:08:43 SKIP Scramble User CommonAdmin01 on WRKHUB0002 (Shared Account Policy is managing this account)
00:08:44 OKAY Scramble User WorkAdmin01 on WRKHUB0002 (The operation completed successfully.)
00:08:44 OKAY Successfully applied policy
The entry for CommonAdmin01 on WRKHUB0002 shows it as skipped, so the Local Policy's OKAY does not mean it set that password.
Clicking the Shared Account Policy OKAY segment and checking the last results for the Local account shows the password was actually set by the Shared Policy:
00:03:44 OKAY Scramble User CommonAdmin01 on wrkhub0002 (The operation completed successfully.)