Required Active Directory User Accounts
Active Directory Password Changer
Suggested AD User account name to use: SS_AdPwc.svc
AD-based service account – gMSA cannot be used.
gMSA cannot be used because AD manages the password of a gMSA. Secret Server requires this account to be entered as a vaulted secret and, as such, manages the account's password itself. If AD managed the password, the Secret Server Cloud vault would not know the account's password and could neither vault the credential nor use it for the required functions.
- Review the Minimum Permissions for Active Directory Remote Password Changing
- Follow only the documented steps for setting ADSI and Delegate Control permissions
Purpose of this service account
This account is used by the Delinea vault (Secret Server) to manage and change the passwords of vaulted accounts. Protected accounts, such as members of Domain Admins, can be managed by following the Setting Delegate Control Permissions for Protected Accounts section.
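The following PowerShell is an added example and is not code from the Delinea documentation. It creates the password-changer account as an ordinary AD user (a gMSA would not work, since Secret Server must own the password) and delegates, on an OU of managed users, the rights a password changer typically needs: the Reset Password extended right plus write access to pwdLastSet and lockoutTime. The OU names, domain and the exact set of rights are assumptions; compare the rights against the documented minimum permissions before applying this in production.

```powershell
# Added example, not from the Delinea documentation. Assumptions: domain corp.example,
# the OUs below, and the three rights granted (check them against the documented
# minimum permissions for AD Remote Password Changing).
Import-Module ActiveDirectory

$SvcName  = 'SS_AdPwc.svc'
$SvcOU    = 'OU=Service Accounts,DC=corp,DC=example'   # assumption: where the service account lives
$TargetOU = 'OU=Managed Users,DC=corp,DC=example'      # assumption: OU holding the accounts to be rotated

# The initial password is only a bootstrap value; Secret Server rotates it once the
# account has been entered as a vaulted secret.
$initial = Read-Host -AsSecureString "Initial password for $SvcName"
New-ADUser -Name $SvcName -SamAccountName $SvcName -Path $SvcOU `
    -AccountPassword $initial -Enabled $true `
    -Description 'Secret Server Active Directory Password Changer (vaulted)'

# Schema and control-access-right GUIDs (from the AD schema)
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class: user
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$PwdLastSet    = [guid]'bf967a0d-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet
$LockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # attribute: lockoutTime

$sid   = (Get-ADUser $SvcName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow

function New-DelegationAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Scope
    )
    if ($Scope -eq 'None') {
        # "This object only": used for AdminSDHolder, whose DACL is copied verbatim
        # onto protected accounts, so inherit-only ACEs would never take effect there.
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid, $Rights, $allow, $ObjectType, $Scope)
    } else {
        # Descendant user objects under the container
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid, $Rights, $allow, $ObjectType, $Scope, $UserClass)
    }
}

function Grant-PasswordChangerRights {
    param(
        [string]$ContainerDN,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Scope = 'Descendents'
    )
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.AddAccessRule((New-DelegationAce $sid ExtendedRight $ResetPassword $Scope))
    # pwdLastSet lets "must change password at next logon" be cleared after a reset;
    # lockoutTime lets a locked-out account be unlocked.
    $acl.AddAccessRule((New-DelegationAce $sid WriteProperty $PwdLastSet $Scope))
    $acl.AddAccessRule((New-DelegationAce $sid WriteProperty $LockoutTime $Scope))
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

Grant-PasswordChangerRights -ContainerDN $TargetOU

# Protected accounts (members of Domain Admins and the other AdminSDHolder-protected
# groups) get their DACL overwritten by SDProp from CN=AdminSDHolder, so an OU-level
# delegation does not survive on them. To cover them, apply the same rights to
# AdminSDHolder itself with "this object only" scope:
# Grant-PasswordChangerRights -ContainerDN ("CN=AdminSDHolder,CN=System," + (Get-ADDomain).DistinguishedName) -Scope None

# Verify what was granted to the service account
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it from a workstation with the RSAT ActiveDirectory module as a user who can create accounts and modify the target OU's ACL. The verification query at the end is the check to keep: the account should show only ExtendedRight and WriteProperty entries scoped to user objects, nothing broader.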
Windows Server Local Account & Service Discovery & Password Changer
Suggested AD User account name to use: SS_WinLocDsc.svc
AD-based service account – gMSA cannot be used.
This account is managed as a secret in the Secret Server vault. The secret is shared with the Discovery process, which uses it to connect to the remote Windows servers.
Account Permissions for Discovery - Windows Services, Scheduled Tasks and App Pools
- Follow documented steps ‘Windows Services, Scheduled Tasks, App Pools, and COM+ Applications’
- Complete steps 1-9 (including sub-steps A – E); skip step 10, but add to step 11.
Purpose of this service account:
This account is used by the Delinea vault (Secret Server) to discover and manage local accounts on Windows servers, and to discover dependencies and act as a Dependency Changer, i.e., for Windows services, scheduled tasks, IIS App Pools, and COM+ applications that run under AD user accounts.
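As an added example (not part of the Delinea documentation), the PowerShell below inventories the same dependency types that Discovery acts on: it connects to a set of Windows servers as the discovery account and lists every service, scheduled task, IIS application pool and COM+ application running under a given AD account. It is a useful pre-flight check before a vaulted account's password is rotated, because any dependency Discovery did not find is one that breaks on rotation. The server names, the account being checked and the use of WinRM are assumptions; the discovery account needs local Administrators membership on each target for this to work.

```powershell
# Added example, not from the Delinea documentation. Assumptions: WinRM reachable on
# the targets, the discovery account is a local administrator there, and the server
# and account names below.
param(
    [string[]]$ComputerName = @('app01.corp.example', 'app02.corp.example'),
    [string]$Account = 'CORP\svc_webapp',
    [pscredential]$Credential = (Get-Credential -UserName 'CORP\SS_WinLocDsc.svc' -Message 'Discovery account')
)

$inventory = {
    param([string]$Account)

    # Compare DOMAIN\user, user@domain and .\user spellings on the bare user name
    function Test-SameIdentity([string]$a, [string]$b) {
        if (-not $a -or -not $b) { return $false }
        $na = ((($a -replace '^\.\\', '') -replace '@.*$', '') -split '\\')[-1]
        $nb = ((($b -replace '^\.\\', '') -replace '@.*$', '') -split '\\')[-1]
        return $na -ieq $nb
    }
    $found = New-Object System.Collections.Generic.List[object]

    # Windows services
    Get-CimInstance Win32_Service | Where-Object { Test-SameIdentity $_.StartName $Account } |
        ForEach-Object { $found.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name; RunAs = $_.StartName }) }

    # Scheduled tasks
    Get-ScheduledTask | Where-Object { Test-SameIdentity $_.Principal.UserId $Account } |
        ForEach-Object { $found.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.Principal.UserId }) }

    # IIS application pools, only where IIS and its module are installed
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools | Where-Object { Test-SameIdentity $_.processModel.userName $Account } |
            ForEach-Object { $found.Add([pscustomobject]@{ Type = 'AppPool'; Name = $_.Name; RunAs = $_.processModel.userName }) }
    }

    # COM+ applications, via the COM+ admin catalog
    try {
        $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
        $apps = $catalog.GetCollection('Applications')
        $apps.Populate()
        foreach ($app in $apps) {
            $identity = $app.Value('Identity')
            if (Test-SameIdentity $identity $Account) {
                $found.Add([pscustomobject]@{ Type = 'COMPlus'; Name = $app.Name; RunAs = $identity })
            }
        }
    } catch {
        Write-Warning "COM+ catalog not available on $env:COMPUTERNAME: $_"
    }

    $found
}

Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $inventory -ArgumentList $Account |
    Sort-Object PSComputerName, Type, Name |
    Format-Table PSComputerName, Type, Name, RunAs -AutoSize
```

Compare the output with the dependencies Secret Server lists on the secret after Discovery has run; anything present here but absent there is a dependency that will not be updated when the password changes. The identity comparison deliberately ignores the domain part, so a local account with the same user name as the AD account will also show up and should be reviewed by hand.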
(PCS Only) PCS Command Relay Service Account
Suggested AD User account name to use: SS_PCSCmdRly.svc
AD-based service account – this account manages your domain so that the proper administrative policies can be applied to the servers via Active Directory.
Required permissions of the Command Relay account.
Thanks to Delinea PS Consultant David Rose for sharing this information!

