I'm looking for guidance on how to effectively change service account passwords for both on-premises and cloud-based setups. The goal is to learn how to document this annual task to minimize downtime. I don't have clear information about which services are linked to which accounts, nor do I understand the process for updating passwords for specific services or where they are hosted. When documenting steps for someone else to follow, I'd like to include a point of contact for each account, a grace period for notifying users so they can familiarize themselves with entering the new password, and a way to verify that all services are functioning properly after the change. Any advice would be greatly appreciated—even as a relatively new Junior Sys Admin!
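An added example, not part of the question or of either answer, covering the three things the question asks for on the on-premises/Active Directory side: an inventory of which services and scheduled tasks run as a given account and on which hosts, pushing the new password to each of them, and a post-change check that nothing is stopped or locking the account out. It assumes an AD domain, PowerShell remoting to the listed hosts, the RSAT ActiveDirectory module on the admin workstation and local admin rights on each host; the host names and `CONTOSO\svc-app` are placeholders.

```powershell
# Added example, not from the original post. Assumes an AD domain, PowerShell remoting (WinRM)
# to the listed hosts, the RSAT ActiveDirectory module on the admin workstation, and local admin
# rights on each host. Host names and 'CONTOSO\svc-app' are placeholders.
Import-Module ActiveDirectory

$Hosts   = @('APP01', 'APP02', 'SQL01')   # constructed inventory list
$Account = 'CONTOSO\svc-app'               # the account being rotated (placeholder)
$Sam     = $Account.Split('\')[1]

# 1. Inventory: which Windows services and scheduled tasks run as this account, and where.
#    Keep the CSV with the runbook; it is the "which services use which account" record.
$inventory = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    param($acct)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -ieq $acct } |
        ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Type = 'Service'; Name = $_.Name; State = $_.State }
        }
    # Task principals may be stored as 'svc-app' or 'CONTOSO\svc-app'; match either form.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and $acct -ilike "*$($_.Principal.UserId)" } |
        ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Type = 'Task'; Name = $_.TaskName; State = [string]$_.State }
        }
} -ArgumentList $Account
$inventory | Sort-Object Host, Type, Name | Format-Table Host, Type, Name, State -AutoSize
$inventory | Export-Csv -Path ".\$Sam-inventory.csv" -NoTypeInformation

# 2. Rotate: reset the password in AD, then push it to every consumer found above.
$NewPassword = Read-Host -AsSecureString -Prompt "New password for $Account"
Set-ADAccountPassword -Identity $Sam -NewPassword $NewPassword -Reset
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password   # the service/task APIs need plaintext

foreach ($item in $inventory) {
    Invoke-Command -ComputerName $item.Host -ScriptBlock {
        param($type, $name, $acct, $pw)
        if ($type -eq 'Service') {
            # Win32_Service.Change updates the stored logon credential; ReturnValue 0 means success
            $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
            $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                     -Arguments @{ StartName = $acct; StartPassword = $pw }
            if ($r.ReturnValue -ne 0) { throw "$env:COMPUTERNAME/$name : Change() returned $($r.ReturnValue)" }
            Restart-Service -Name $name
        } else {
            Set-ScheduledTask -TaskName $name -User $acct -Password $pw | Out-Null
        }
    } -ArgumentList $item.Type, $item.Name, $Account, $plain
}
$plain = $null

# 3. Verify: every service is Running again, and the account is not being locked out by a
#    consumer that still holds the old password (the usual cause of "it broke an hour later").
$failed = @()
foreach ($item in $inventory | Where-Object Type -eq 'Service') {
    $status = Invoke-Command -ComputerName $item.Host -ScriptBlock {
        param($n) (Get-Service -Name $n).Status
    } -ArgumentList $item.Name
    if ($status -ne 'Running') { $failed += "$($item.Host)/$($item.Name) is $status" }
}
$adUser = Get-ADUser -Identity $Sam -Properties LockedOut, badPwdCount
if ($adUser.LockedOut -or $adUser.badPwdCount -gt 0) {
    $failed += "$Account has badPwdCount=$($adUser.badPwdCount) LockedOut=$($adUser.LockedOut): something still uses the old password"
}
if ($failed) { $failed | Write-Warning } else { Write-Host "All $($inventory.Count) consumers verified." }
```

Two caveats for the runbook: `badPwdCount` is kept per domain controller and is not replicated, so query the DC the hosts authenticate against (or `Search-ADAccount -LockedOut`) rather than whichever DC answers first; and anything that is not a Windows service or scheduled task (an application config file, a connection string, a cloud-side identity) will not appear in this inventory and has to be listed by hand, which is where the point of contact per account earns its keep.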
2 Answers
I recommend looking into using Group Managed Service Accounts (gMSA). Microsoft handles password rotation automatically for you, which takes a lot of the manual workload out of it. It helps ensure that passwords stay secure without the hassle of frequent changes.
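An added example of what the gMSA setup the answer recommends looks like end to end; this is not code from the answer's author. It assumes a Windows Server 2012 or later forest, the RSAT ActiveDirectory module on the admin host and on the member servers (`Install-ADServiceAccount` needs it), and that the admin host can remote to the member servers. The account, group, host and service names are placeholders.

```powershell
# Added example, not from the answer above. Assumes a 2012+ forest, the ActiveDirectory
# PowerShell module on the admin host and on each member server, and PowerShell remoting.
# All names below are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately still waits 10 hours for replication; in a lab you can backdate it with
# -EffectiveTime ((Get-Date).AddHours(-10)).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group can retrieve the managed password, so only they can run the service.
New-ADGroup -Name 'gMSA-App-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-App-Hosts' -Members 'APP01$', 'APP02$'

# The gMSA itself. DNSHostName is required; Windows generates a long random password and
# rotates it on the interval below (default 30 days; it can only be set at creation time).
New-ADServiceAccount -Name 'svc-app-gmsa' `
    -DNSHostName 'svc-app-gmsa.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-App-Hosts' `
    -ServicePrincipalNames 'HTTP/app.contoso.local' `
    -ManagedPasswordIntervalInDays 30

# On each host. The host's Kerberos ticket must already carry the new group membership,
# so reboot (or purge the machine ticket with: klist -li 0x3e7 purge) before running this.
Invoke-Command -ComputerName 'APP01', 'APP02' -ScriptBlock {
    Install-ADServiceAccount -Identity 'svc-app-gmsa'
    # This is the check to put in the runbook: False means the host cannot fetch the password.
    if (-not (Test-ADServiceAccount -Identity 'svc-app-gmsa')) {
        throw "$env:COMPUTERNAME cannot retrieve the gMSA password"
    }
    # Bind the service: the account name ends in '$' and the password is left empty.
    sc.exe config 'MyAppService' obj= 'CONTOSO\svc-app-gmsa$' password= ''
    Restart-Service -Name 'MyAppService'
    (Get-Service -Name 'MyAppService').Status
}
```

The limit to keep in mind: a gMSA works only for consumers that ask Windows for the credential, which covers Windows services, scheduled tasks, IIS application pools and SQL Server. Anything that reads a password out of a config file, and any cloud-side identity the question mentions, cannot use one, so those still need the manual inventory and a documented rotation step.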
We've been there before! Initially, we followed a policy where we’d change all service account passwords every year, but eventually it became a mess with too many passwords to track and various operational issues. Now, we've opted to go with the CIS recommendation of not changing passwords unless absolutely necessary, especially for service accounts. It might be worth considering to avoid potential downtime.

Absolutely! The automatic rotation feature is a game changer—saves you from having to manage it manually.