Requirements
Some organizations configure services on Windows servers to run in the context of a domain-level service account rather than a local one. This is mandatory on domain controllers, which have no local security database. It is also common on non-domain controllers, since Microsoft encourages this practice.
In Bravura Security's view, running a service on a member server in the security context of a domain account is not recommended, since the same service account may be used to run many different services on many different servers. This complicates changes to the password of the AD service account, since multiple servers must be notified of the new password. To complicate matters further, some of the servers may be offline or unreachable when the service account password is changed on AD, making it even more complex to notify them of the new password.
In general, Bravura Security recommends that organizations:
Run services on AD DCs as SYSTEM or similar.
Run services on member computers as local, not domain accounts.
The following should also be considered when planning to manage service accounts:
Bravura Security Fabric can only list subscribers on servers that utilize the Windows NT target system type.
A plugin program or script is required to determine which discovered object should be updated when the managed account’s password has been randomized. The program or script is called by the PAMSA SUBSCRIBER NOTIFICATION plugin point and is part of the subscriber notification component.
In order to prepare an account for subscriber orchestration, you need to ensure that notification is configured for all of the subscribers that run under it. This is done using the SubscriberNotification column of the pam_pwd_randomization_subscriber table in the Manage external data store (DBE) module.
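The following PowerShell function is an added illustration of what a subscriber notification step has to accomplish after a managed domain account's password is randomized; it is not Bravura Security's plugin code, and the PAMSA SUBSCRIBER NOTIFICATION plugin point's actual calling convention is not shown here. It enumerates the Windows services on a set of member servers whose logon account (Win32_Service.StartName) is the managed account, updates each service's stored credential through the Win32_Service.Change method, and records any server that could not be reached so the notification can be retried, which is the failure mode described above for offline servers. The function name, parameters and the retry file path are assumptions chosen for the example.

```powershell
<#
  Added example, not part of the original documentation or of the product's
  plugin interface. Assumes (hypothetical) that the caller has WinRM access to
  the listed servers and supplies the NEW randomized password as a PSCredential.
#>
function Update-ServiceSubscribers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,   # member servers to notify
        [Parameter(Mandatory)] [pscredential] $Account,        # DOMAIN\svc plus its new password
        [string] $RetryFile = "$env:TEMP\svc-subscriber-retry.txt"  # servers still holding the old password
    )

    # StartName may be stored as DOMAIN\user or as user@domain.tld; match both.
    $sam = $Account.UserName
    $candidates = @($sam)
    if ($sam -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        $candidates += "$($Matches.user)@$($Matches.dom)"
    }

    $unreachable = @()
    $results = foreach ($server in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $server -ErrorAction Stop
        } catch {
            # Offline or unreachable host: queue it instead of failing the whole run.
            Write-Warning "$server unreachable, queued for retry: $($_.Exception.Message)"
            $unreachable += $server
            continue
        }
        try {
            $subscribers = Get-CimInstance -CimSession $session -ClassName Win32_Service |
                Where-Object { $candidates -contains $_.StartName }

            foreach ($svc in $subscribers) {
                if (-not $PSCmdlet.ShouldProcess("$server\$($svc.Name)", 'update service logon password')) { continue }
                # Win32_Service.Change takes the password in clear text; it travels over
                # the encrypted WinRM channel and is dropped from memory right after the call.
                $plain = $Account.GetNetworkCredential().Password
                $rc = Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName Change `
                        -Arguments @{ StartName = $sam; StartPassword = $plain }
                $plain = $null
                [pscustomobject]@{
                    Server  = $server
                    Service = $svc.Name
                    State   = $svc.State          # a running service keeps its old token until restarted
                    Updated = ($rc.ReturnValue -eq 0)
                    Code    = $rc.ReturnValue     # 0 = success, other values per Win32_Service.Change
                }
            }
        } finally {
            Remove-CimSession $session
        }
    }

    # Persist the servers that were not notified so a later run can finish the job.
    if ($unreachable) { $unreachable | Set-Content -Path $RetryFile }
    $results
}

# Example invocation with constructed names:
# $cred = Get-Credential 'CORP\svc-backup'   # enter the NEW randomized password
# Update-ServiceSubscribers -ComputerName 'app01','app02' -Account $cred -WhatIf
```

Run it with -WhatIf first to get the subscriber inventory without changing anything. Two points the script makes visible: a service that is already running keeps using its old logon token until it is restarted, so the Updated flag only means the stored credential changed; and every server listed in the retry file still holds the previous password, which is exactly why the page recommends local accounts on member servers and SYSTEM on domain controllers, where no such fan-out exists.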