LIL0800X RemotePasswordChanging

Lab guide
Remote password changing
LIL0800X
March 2020 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties
in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.
TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a worldwide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware
vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are
trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
© Copyright International Business Machines Corporation 2020.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Exercises
Exercise 1 Explore Remote Password Changing configuration
© Copyright IBM Corp. 2020
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
In this lab you explore the current remote password changing configuration on a Linux system.
Exercise 1 Explore Remote Password Changing configuration
You can apply Policy settings related to remote password changing at different levels in Secret
Server:
• Global settings to control the remote password changing feature
• Secret Template level settings
• Secret level settings
• Secret Policy level settings

Before exploring all of the password changing levels, we create two new Windows Admin
accounts to use in remote password changing.
1. On the Secret Server Windows desktop, click the Windows icon.
2. Scroll down, and click Windows Administrative Tools.
3. Scroll down, and click Active Directory Users and Computers.
4. Click the Create a New User in the Current Container icon.
V7.0
5. In the New Object – User dialog box, set First name to Windows, and press Enter to confirm
the value.
6. Set Last name to Administrator4, and press Enter.
7. Set User logon name to winadmin4.

8. Click Next.
9. For both Password and Confirm Password, enter Passw0rd.
10. Clear the User must change password at next logon checkbox.

11. Click Next.
12. Click Finish.
13. Double-click the new entry in the Users folder.
14. Switch to the Member Of tab, and click Add.
15. To add the winadmin4 account to the Linux Administrators group, in the Enter the object names
to select field, type Linux Administrators.
16. To confirm that you typed the name correctly, click Check Names, and click OK.

17. To save the changes, in the Windows Administrator4 Properties window, click OK.
18. Let’s add another Windows Administrator account. Click the Create a New User in the
Current Container icon.
19. In the New Object – User dialog box, set First name to Windows, and press Enter to confirm
the value.
20. Set Last name to Administrator5.
21. Set User logon name to winadmin5.
22. Click Next.
23. For Password, enter Passw0rd, and set Confirm Password as Passw0rd.
24. Clear the User must change password at next logon checkbox.
25. Click Next.
26. Click Finish.
27. Double-click the new entry in the Users folder.
28. Switch to the Member Of tab, and click Add.
29. To add the winadmin5 account to the Linux Administrators group, in the Enter the object names
to select field, type Linux Administrators.
30. To confirm that you typed the name correctly, click Check Names, and click OK.
31. To save the changes, in the Windows Administrator5 Properties window, click OK.
32. To confirm that you added the two new accounts to the Linux Administrators group, double-click the
Linux Administrators group, switch to the Members tab, and ensure that the two new
members are listed, then click OK.

33. Close Active Directory Users and Computers.
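The account setup in steps 1 to 33 can also be scripted. The following PowerShell is an added example, not part of the IBM lab guide; it assumes the ActiveDirectory module (RSAT) is available, that the session has rights to create domain users, and that the UPN suffix is the iamlab.ibm.com domain that appears later in Discovery.

```powershell
# Added example (not from the lab guide): scripted equivalent of steps 1-33.
# Assumes the ActiveDirectory module (RSAT) and rights to create domain users.
Import-Module ActiveDirectory

$GroupName = 'Linux Administrators'
$UpnSuffix = 'iamlab.ibm.com'   # assumption: UPN suffix equals the lab domain

# Prompt once instead of embedding the password in the script (lab value: step 9).
$Password = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString

$Accounts = @(
    @{ Sam = 'winadmin4'; Last = 'Administrator4' },
    @{ Sam = 'winadmin5'; Last = 'Administrator5' }
)

foreach ($a in $Accounts) {
    # Create the user only if it does not exist, so the script is safe to re-run.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'")) {
        $newUser = @{
            Name                  = "Windows $($a.Last)"   # shown as "Windows Administrator4"
            GivenName             = 'Windows'
            Surname               = $a.Last
            SamAccountName        = $a.Sam
            UserPrincipalName     = "$($a.Sam)@$UpnSuffix"
            AccountPassword       = $Password
            ChangePasswordAtLogon = $false                 # steps 10 and 24
            Enabled               = $true
        }
        # Without -Path the account lands in the default Users container.
        New-ADUser @newUser
    }

    # Add to the group only when not already a member (steps 14-17 and 28-31).
    $current = Get-ADGroupMember -Identity $GroupName |
        Select-Object -ExpandProperty SamAccountName
    if ($current -notcontains $a.Sam) {
        Add-ADGroupMember -Identity $GroupName -Members $a.Sam
    }
}

# Step 32: fail loudly if either account is missing from the group.
$members = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName
foreach ($a in $Accounts) {
    if ($members -notcontains $a.Sam) { throw "$($a.Sam) is not in '$GroupName'" }
}
$members
```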
You created two new Windows administrators. Now you need to discover them.
34. Open the Firefox browser from the task bar, and log in to the Secret Server console by
selecting admin as the Username.
Note: The password (Passw0rd) is prepopulated. Leave Local as the Domain.
35. Click Login.
36. Hover over the ADMIN menu item and click Discovery.
37. On the Discovery Configuration page, click Discovery Network View.
38. Select iamlab.ibm.com and the Domain Accounts tab.
39. Scroll down.
The two new accounts are not there yet.
40. Click Back, and in the Status Messages part of the page, on both the Discovery and Computer
Scan tabs, click Run Now.
Note: The discovery process might take some time. Proceed with looking at the system
configuration. Discovery should complete by the time you want to use the new accounts.
41. Hover over the ADMIN menu item and click on Remote Password Changing.

This page shows the status of the Remote Password Changing configuration. In this case, it is
enabled, the “password change on check in” is enabled at the global level (that is, it can be
turned on for a policy or secret), the default checkout interval is set to 30 minutes, and the
enable heartbeat feature is enabled at the global level (that is, it can be turned on for a
policy or secret).
42. Now let’s look at the Secret Template level, for the Active Directory Account Template. 
Hover over the ADMIN menu item and select Secret Templates.
43. On the Manage Secret Templates page, click Edit.
Note: Secret Template Name is set to Active Directory Account. 
Expiration is enabled, set to 30 days, and the Expiration Field is Password.
44. Scroll down, and click Configure Password Changing.
45. On the Secret Template Edit Password Changing screen, click Edit.

On this page, you make the following selections:
• Whether remote password changing can be enabled for secrets with this template
• The retry interval for changing passwords
• The maximum attempts to retry (or unlimited)
• Whether heartbeat can be enabled for secrets with this template
• The heartbeat check interval
Note: In this case “remote password changing” retries every hour for unlimited attempts. The
heartbeat runs every eight hours. If you did not enable remote password changing or heartbeat
in the global settings, the settings here are ignored.
You looked at global settings and settings at the secret template level. 
Next, you look at settings on the individual secrets or at the secret policy level. This is where you
need the new Windows Administrator4 and Administrator5 accounts.
46. Hover over ADMIN and click Discovery.
47. On the Discovery Configuration page, click Discovery Network View.
48. Scroll down. You can now see the new accounts listed. Select the checkboxes beside both
accounts, and click Import.
49. In the Bulk Operations: Import Accounts dialog box, for Folder, select Windows Systems.
50. As a Secret Type, select Active Directory Account.

51. Click Next.
52. On the Password tab, leave I know the current password. selected and click Next.
53. On the Import Password tab, set Current password to Passw0rd, and click Next.
54. On the Password Changing tab, leave Use Secret Credentials selected, and click Finish.
55. Verify that there are no errors on the next window, and click Close.
The two accounts are now shown as Managed.
56. Scroll up, and select the HOME menu item.
57. In the folder view, select the Windows Systems folder.

58. Select the winadmin4 secret.
59. In the expanded section, click View.
60. Look at the General tab for this secret.

For this secret you see the following details:
• The secret is in the Windows Systems folder
• The secret can inherit a secret policy from its folder or folder tree, but there is no secret policy
applied
• Expiration is configured, and the secret expires in 29 days (set to expire every 30 days)
• The heartbeat mechanism is enabled and ran recently
61. Switch to the Remote Password Changing tab.



This view shows that auto changing of passwords for this secret is disabled (and corresponding to this, there are no secrets assigned to use to change the password), but we can use the Change Password Remotely button to force a password change.
62. Click Change Password Remotely.
Note: Secret Server does not allow you to use the same password as the one that is already on
the secret. If you do use the same password, you get a warning message and cannot proceed
until you enter a different password.
63. Set new password to NewPassw0rd and click Change.
You get a confirmation message.

64. Click Back.
You see a message that confirms the change was successful.



Now that you have confirmed you can force a password change on request, let’s have a look at how we could enable automatic password changing.
65. Click Edit.



Here you can enable Auto Change, the automatic password changing for this secret. You can specify the Next Password to be applied or leave it blank for the system to generate one. Finally, you can define whether the password is changed using the current credentials on the secret (equivalent to self-service) or using defined Privileged Account Credentials. If you select Privileged Account Credentials, you need to select a secret using the No Selected Secret link in the Secrets table.
66. If Auto Change is enabled, it uses the expiration shown in the Expiration tab.
Switch to the Expiration tab for this secret.

67. For this secret, the expiration settings are based on the Secret Template. Click Edit. You can
use the Edit button to override and set a Custom Interval or Custom Date.


68. Close your browser by clicking the X button.
This is the end of the lab.
© Copyright IBM Corporation 2020. All Rights Reserved.