Hi, I have a use case in place that works fine using the Dedicated Account feature, but it covers only 25 accounts. Now my customer wants to expand this to around 5,000 users. Have you guys seen a use case with 3,000 - 5,000 Dedicated Accounts in Password Safe? Does it work fine, or should I consider anything?
Hey
Some considerations you should take into account, though, are Domain Controller replication timing, Domain Controller count, Resource Broker count, and frequency of password rotation.
These will all play a vital part in the end-user experience of managing thousands of accounts.
I can expand some more on these topics if you want, just let me know.
wonderful - appreciate.
If you could expand more with me I would appreciate it.
absolutely!
Because of domain controller count and the replication timing, the more accounts you manage, the more calls have to be made. A higher DC count and slower replication time cause checking in the accounts to take longer, as the new passwords have to replicate out to all of the domain controllers. This in turn can often cause end users to become frustrated that their accounts are not working on some systems they are attempting to access. At the same time, the password rotation work is being done by the resource brokers, so the more resource brokers you have, the faster the system can churn through the workload. I know BeyondTrust themselves have a formula to indicate how many resource brokers to how many accounts you have. However, if all accounts are routinely resetting at the same time, you will see congestion in the system. More accounts + fewer resource brokers = more congestion due to the increased workload.
If you have 3,000 dedicated accounts rotating daily when not in use, this increases the load; however, if you stretch these to rotating across 30 days when not in use, the congestion drops dramatically while still maintaining a secure environment when using 16+ character passwords.
If there is something still unclear or you want more information on a specific section, please let me know which and I will try to expand even further.
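The daily-versus-30-day comparison in the reply above, worked through as an added example that is not part of the thread and is not BeyondTrust's sizing formula. The account names, the broker count of 2 and the 20 seconds per rotation are constructed assumptions, and the hash-based day assignment is only one way to spread the rotations.

```python
import hashlib
import math
from collections import Counter


def rotation_day(account: str, window_days: int) -> int:
    """Stable day-of-window for an account, derived from a hash of its name."""
    digest = hashlib.sha256(account.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window_days


def daily_load(accounts, window_days):
    """Number of rotations that fall on each day of the window."""
    counts = Counter(rotation_day(a, window_days) for a in accounts)
    return [counts.get(day, 0) for day in range(window_days)]


def drain_minutes(jobs, brokers, secs_per_rotation):
    """Minutes for `brokers` parallel workers to clear `jobs` rotations."""
    return math.ceil(jobs / brokers) * secs_per_rotation / 60


def compare(accounts, brokers, secs_per_rotation, window_days=30):
    """Peak-day queue and drain time: all accounts daily vs. staggered."""
    total = len(accounts)
    peak = max(daily_load(accounts, window_days))
    return {
        "daily": (total, drain_minutes(total, brokers, secs_per_rotation)),
        "staggered": (peak, drain_minutes(peak, brokers, secs_per_rotation)),
    }


# Constructed inputs (assumptions, not measured values).
ACCOUNTS = [f"adm-user{i:04d}" for i in range(3000)]
BROKERS = 2
SECS_PER_ROTATION = 20

if __name__ == "__main__":
    results = compare(ACCOUNTS, BROKERS, SECS_PER_ROTATION)
    for mode, (peak, minutes) in results.items():
        print(f"{mode:9s} peak/day={peak:5d} drain={minutes:7.1f} min")
```

The drain time covers broker work only; replication of each new password out to every domain controller comes on top of it.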
That's a fantastic explanation. I really appreciate it.