To do or not to do : Function Account Rotation - domain vs local

Hello!
How do you manage your functional accounts - domain as well as local ?

Domain:

I think it will be easier to manage and enable auto-rotation at more frequent intervals. I think we have to be careful about the managed account rotation while scheduling this. Are there any other risks to availability ?

Local functional account:
This is tricky. e.g. for linux systems we will have a localfa added to Passwordsafe. Its initial password remains constant in passwordsafe - so that it can onboard new systems. What would happen if we enable rotation on it ? The initial password of functional account will remain same so that it can onboard other machines but on existing machines , each system will have its own password for localfa and that same password will be used to rotate its password on schedule? What are the possible risks to Availability in this case ? Is

Page 1 / 1

That´s my question too. Is there a clear document how to onboard around 500 linux server with local FA and Local Scan account

Hi @Higor There are couple of KB articles on onboarding steps and managed account creation without scanning for this type of use cases. Also, I saw a few questions with lot of good responses on this forum around onboarding

It is one of those dilemma things, create one account to manage another seems mute.

Things to consider: