Enterprise Administration Guide › Planning Your SAM Implementation › Password Consumers

Password Consumers

Password consumers are applications, Windows services, and Windows scheduled tasks that use privileged accounts and service accounts to execute a script, connect to a database, or manage a Windows service, scheduled task, or RunAs command. Service accounts are internal accounts used by Windows services. For example, Windows services may use the NT AUTHORITY\LocalService service account to log in to the operating system.

Password consumers let you remove hard-coded passwords from application scripts and enforce a password policy on an endpoint. For example, you can create a password consumer for each scheduled task on a Windows endpoint, and specify that each password consumer uses the same password policy. SAM will then change the password of each scheduled task at the interval specified in the password policy.

SAM provides privileged account passwords to password consumers in the following ways:

• On demand—When a password consumer sends a request for a privileged account password, for example, when a privileged account uses ODBC to connect to a database that requires authentication.

  Note: You must install CA ControlMinder on the SAM endpoint with the SAM Integration feature enabled to use password consumers that get passwords on demand.

• On password change—When a password change event occurs for the password consumer in CA ControlMinder Enterprise Management, for example, when a password policy specifies that the password for a service account must change after a fixed length of time.

  Note: You do not need to install CA ControlMinder on the SAM endpoint to use password consumers that get passwords on password change.