Administrator Guide

ManualsBrandsDell ManualsCloudLink SecureVMHybrid Cloud System for Microsoft

111

112

113

114

115

116

117

118

119

120

Resetting service account passwords

This section describes how to rotate service account passwords by using the password reset script. It is important that you do this rotation

before service account passwords expire. Password expiration is controlled by your domain password policy settings. The Operations

Manager alert for password expiration is raised 14 days before passwords expire.

IMPORTANT: If service account passwords do expire, contact Dell Support. Do not try to recover from this situation without

guidance.

How service accounts are managed

Dell Hybrid Cloud System for Microsoft includes a password reset script that you can use to change passwords for the following service

accounts:

• <Prex>-Fabric

• <Prex>-System

• <Prex>-SVC-SQL

• <Prex>-SVC-VMM

• <Prex>-SVC-OM

• <Prex>-SVC-SPF

• <Prex>-SVC-SMA

It is recommended that you run the MCPasswordReset script to reset the passwords for these service accounts whenever you are alerted

to do so by System Center Operations Manager. These accounts are described in User accounts and groups that are added by default.

IMPORTANT

: Read this entire section before you run the script.

Starting with the Microsoft update version 1603A, the Operations Manager alert for password expiration is raised 14 days before passwords

expire, rather than three days as in previous releases. To view remaining time before the next password expiration without waiting for an

alert, run the following command in Windows PowerShell on the Console VM:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties

"DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property

"SAMAccountName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-

UserPasswordExpiryTimeComputed")}}

For each account, the MCPasswordReset script does the following:

• Automatically generates a new password.

• Updates the credentials that are stored in SMA with the new password.

• Changes the password for each account in AD DS.

• Each runbook that is run by the MCPasswordReset script also updates the passwords in related management components. This

includes the Windows services and the Run As accounts, and all local passwords that are required by the Windows Azure Pack portals

for administrators and tenants.

Important information about the password reset script

Keep the following points in mind about the MCPasswordReset script:

• The MCPasswordReset script is fairly disruptive. It restarts many services, and results in some downtime of management infrastructure

components. Consider running it within a planned maintenance window.

• The MCPasswordReset script works when all Dell Hybrid Cloud System for Microsoft infrastructure VMs and services are running

normally (that is, not in maintenance mode), and Dell Hybrid Cloud System for Microsoft service account passwords described at the

118

Security