
[HOWTO] Using a Multiplexed Account to Manage a Windows Scheduled Task

Privileged Access Service

30 March 2020 at 02:27 PM

Windows services and scheduled tasks can be a significant exposure. They are often configured to run with elevated permissions under accounts whose passwords are never rotated: a stale password causes an outage when it is finally changed, and a long-lived password is a standing target for credential abuse. The multiplexed account feature recently introduced in Centrify Privileged Access Service is designed to manage the complexity and risk of running services and scheduled tasks under managed accounts.
This article explains how to create a multiplexed account, create a Windows scheduled task, and set the multiplexed account to run that task.

The advantage of this setup is that the sub-account passwords are rotated and pushed to the task by the service, so nobody ever needs to check out or view them.

Creating the Multiplexed Account

1) Create two user accounts in Active Directory, or have two existing accounts ready; a multiplexed account is built from two sub-accounts.

2) Add the sub-accounts to the admin portal: go to the admin portal > Resources > Domains > <domain where the sub-accounts exist> > Accounts > Add.

3) Add the two accounts created in step 1. In this example they are named multiplex1 and multiplex2.

4) Select one of the accounts, open its settings and make sure that "Manage this password" is checked. Repeat for the other sub-account. Also make sure that periodic password rotation is enabled at the domain level or in the global security settings; without it the sub-account passwords are never rotated and the main benefit of the setup is lost.

5) In the admin portal, go to Resources > Accounts > Multiplexed Accounts and choose Add Multiplexed Account. Give the account a name and add the two sub-accounts. Note that the sub-accounts you select must already have the permissions needed to run the target service or scheduled task.


Creating the Windows Scheduled Task

1) Open Task Scheduler, right-click Task Scheduler Library and choose Create Basic Task. For this example we will create a task that opens Notepad at a specific time of day.

2) In the wizard, give the task a name and an optional description.

3) Continue through the wizard and fill in:
  • When the task should start
  • What action the task should perform
  • If the task starts a program, the path to that program's executable

4) Once the settings are in place, finish the wizard. The task now appears in the list of scheduled tasks.

5) Double-click the task to open its properties. The account running the task is the user who created it. Do not try to switch it to the multiplexed account with "Change User or Group": that dialog accepts only a single AD account, and the multiplexed account is assigned from the admin portal in the next phase. What you do need to set here is "Run whether user is logged on or not". A password prompt appears; enter the password of the account that was used to set up the task. This stored password is what the multiplexed account will later take over.
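The same task can be created from PowerShell instead of the wizard, which makes the "Run whether user is logged on or not" setting and the task path explicit. The following is an added example, not code from the original article or from Centrify. It assumes the ScheduledTasks module is present (Windows 8 / Server 2012 and later), that the credential supplied is that of the user creating the task, as in the wizard step above, and that the 9:00 AM daily trigger is an arbitrary choice; the function name New-ExampleScheduledTask is made up for this example.

```powershell
#Requires -Modules ScheduledTasks
# Added example (not from the original article): registers the "notepad" task the
# wizard builds, with "Run whether user is logged on or not" already set.
# Assumptions: ScheduledTasks module available; the credential is the creating
# user's, as in the article; the 9:00 AM trigger is arbitrary.

function New-ExampleScheduledTask {
    param(
        [string]$TaskName = 'notepad',
        [string]$TaskPath = '\',
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # What the task does: start notepad.exe, as in the article's walkthrough.
    $action  = New-ScheduledTaskAction -Execute 'notepad.exe'

    # When it runs: daily at a fixed time of day.
    $trigger = New-ScheduledTaskTrigger -Daily -At '9:00AM'

    # Supplying -User and -Password registers the task with logon type "Password",
    # which is what the properties dialog calls "Run whether user is logged on or
    # not": Task Scheduler stores the password so the task can run with no
    # interactive session. The run-as account needs the "Log on as a batch job"
    # user right on this system for that logon type to work.
    $task = Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
        -Action $action -Trigger $trigger `
        -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password

    # Report what the admin portal needs later: the full task path goes in the
    # service's "name" field (here "\notepad"), and the principal should now show
    # logon type Password under the creating user's account.
    [pscustomobject]@{
        PortalName = $task.TaskPath + $task.TaskName
        RunAs      = $task.Principal.UserId
        LogonType  = $task.Principal.LogonType
    }
}

# Usage: prompt for the creating user's password (never put it on the command
# line or in a script) and register the task.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" `
    -Message 'Password of the account that will initially run the task'
New-ExampleScheduledTask -Credential $cred
```

The PortalName value returned is exactly what goes in the name field when the task is added as a service in the admin portal in the next phase, and LogonType should read Password; if it reads Interactive, the task was registered without a stored password and the portal will have nothing to take over.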

Adding the Task to the Admin Portal

The last phase is to add the scheduled task to the admin portal, either manually or through discovery. Once the task is registered there, the multiplexed account can be chosen to run it. The manual steps are:

1) Go to Resources > Services and choose Add Service.

Fill in the following details:
  • Select the system on which the task runs (the system where the task was created must already be added as a resource in the admin portal)
  • In the Service Type drop-down, choose "Windows Scheduled Task"
  • In the name field, specify the path to the task; for this example it is \notepad. If you are not sure of the path, open the task's properties in Task Scheduler and look at its Location, which together with the task name forms the path.

2) Scroll down to Service Password Management, choose a domain administrative account and the multiplexed account, and check "Enable management of this service password".

The "Restart service when password is rotated" options are not available for a scheduled task; they apply only when the multiplexed account manages a Windows service.

3) When you are ready, click Save. A Yes/No confirmation prompt appears.

4) Choose Yes, then go back to the task's properties in Task Scheduler. The task is now managed by the multiplexed account, and the run-as account shown is the currently active sub-account.

Additional Item to Note:

In this example the active sub-account is multiplex2. If for some reason you need to rotate the password of the active sub-account manually, the portal refuses with an error, because that account's current password is the one the task is running with.

If the password must be rotated immediately, for example because it is suspected to be compromised, go to Admin portal > Resources > Services, find the service the multiplexed account is used for and choose Actions > Push Password Management. This switches the task to the alternate sub-account, which becomes the active one, and the multiplex2 password can then be rotated. Repeat the process if the other sub-account also needs a manual rotation.
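Before and after a Push Password Management, it is worth checking on the Windows system itself which sub-account is bound to the task, which one the portal will therefore accept for a manual rotation, and whether the task still ran successfully after the last rotation. The following is an added example, not code from the original article or from Centrify. It assumes the sub-account names multiplex1 and multiplex2 from the article, the domain name CORP as a placeholder, and the made-up function name Get-MultiplexedTaskState; it is run on the system hosting the task.

```powershell
#Requires -Modules ScheduledTasks
# Added example (not from the original article): for each task in the given folder
# whose run-as account is one of the multiplexed sub-accounts, report the active
# sub-account, the one that can be rotated by hand right now, the logon type
# (must remain Password) and the last run result. Domain CORP is a placeholder.

function Get-MultiplexedTaskState {
    param(
        # Both sub-accounts of the multiplexed account, as DOMAIN\name.
        [Parameter(Mandatory)][string[]]$SubAccount,
        [string]$TaskPath = '\'      # the article's task lives in the root folder
    )

    # Compare on the sAMAccountName part only, so 'CORP\multiplex2' and
    # 'multiplex2' match however the principal was written into the task.
    $names = $SubAccount | ForEach-Object { ($_ -split '\\')[-1].ToLower() }

    Get-ScheduledTask -TaskPath $TaskPath |
        Where-Object {
            $_.Principal.UserId -and
            $names -contains (($_.Principal.UserId -split '\\')[-1].ToLower())
        } |
        ForEach-Object {
            $info   = $_ | Get-ScheduledTaskInfo
            $active = ($_.Principal.UserId -split '\\')[-1].ToLower()
            [pscustomobject]@{
                PortalName       = $_.TaskPath + $_.TaskName
                ActiveSubAccount = $_.Principal.UserId
                # The sub-account not bound to the task is the only one a manual
                # rotation in the portal will accept; use Push Password Management
                # first to flip the active one if it is the one you need to rotate.
                RotatableNow     = ($names | Where-Object { $_ -ne $active }) -join ','
                LogonType        = $_.Principal.LogonType     # must remain Password
                LastRunTime      = $info.LastRunTime
                LastTaskResult   = '0x{0:X}' -f $info.LastTaskResult   # 0x0 = success
            }
        }
}

# Usage: list the state of every task in the root folder run by either sub-account.
Get-MultiplexedTaskState -SubAccount 'CORP\multiplex1', 'CORP\multiplex2'
```

Run it once before Push Password Management and once after: ActiveSubAccount should have flipped to the other sub-account, LogonType should still be Password, and after the next scheduled run LastTaskResult should be 0x0. A non-zero result immediately after a rotation is the first sign that the new password did not reach the task.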