Managed admin accounts - PS password rotation frequency

Managed Account settings can be set by creating Smart Rules or by manually adding a Manage Account. To add settings there are two ways:  Edit Smart Rule and Edit the Managed Accounts. If there is an Onboarding Smart Rule for the Managed Account, you should change the setting there rather than editing the managed account as the Smart Rule will overwrite the manual Managed Account change. You can use the change password frequency account setting. Refer to KB0019450.

The smart rule does not allow for anything less than “everyday”, nor am I able to pick anything less than “everyday” in the Edit managed accounts section.  Is 24 hours the minimum time a password can be rotated, unless you also use “change password after release” option?

screenshot from smart rule

screenshot from edit specific user in Managed accounts

Is 24 hours the minimum time a password can be rotated, unless you also use “change password after release” option?

Yes, 24 hours would be limitation based on Smart Rule configuration options. Is there a particular reason why you do not rotate upon release?

In most circumstances, we would recommend credential rotation to happen after every use. If nobody is using the password (directly or programmatically), then the password remains unknown/not consumed, which leads me to wonder why rotation at shorter intervals would be necessary. In other words, I’m curious as to why it’s preferred to rotate on shorter (4-6 hour) intervals instead of every 24 hours (at a minimum) + upon every release?

At worst case scenario you could do it using the Password Safe API endpoints and create a script to be automatically run every few hours or so, to change the accounts passwords

But like everyone said the “change password after release” it would be the best option.