
Changing UCCE Service account passwords

Ayodeji Okanlawon
VIP Alumni

Hi Team,

Due to security compliance, I need to change the service accounts for all our UCCE components: Logger, router, distributor and the SQL Server Agent service accounts.

I understand that I can use SAM to change these passwords; however, I wanted to know if there is anything else to consider before doing this. Is this just as straightforward as changing the password on the Service Account Manager, or is there more than meets the eye?

How about the SQL service accounts? What is the best way to change this?

Is there any impact to services while these accounts are changed?

 

Thank you

Please rate all useful posts
Accepted Solutions

Omar Deen
Spotlight

Yes, it's straightforward when updating the account via the SAM. If these are accounts that were created before, then a simple update and cycle of the service is the way to go. If the current accounts are ones that were created by the CCE software, you'll want to go into Web Setup, select your component and at the last page you'll be given an option to either Re-create the Service Account or Do not modify Service Account. If you're using accounts that were not created by the system, then make sure Do not modify Service Account is selected.

For the SQL Service accounts, are you talking about SQL user accounts where you can assign privileges to databases or are you talking about the actual SQL Service service itself? Either way, that's straightforward as well, but with the user accounts, you'll want to update it where it's being used (e.g., ECE, CUIC, Finesse, etc...)

Thanks Omar. Can you please clarify what you mean by if these accounts were created before? Do you mean accounts created in AD for these services? How would I know if they were created by CCE software or created before as you mentioned, since I didn't set up the system initially?

Please rate all useful posts

Ayodeji, the quick way to find out is by opening up Service Account Manager and looking at the actual Service Logon Account Name, which should be something like DOMAIN\USERNAME. Best practice (in my opinion) is to have the AD team create your service accounts for Logger A/B and Distributor A/B and you should easily tell by the format of the username based on the customer's nomenclature. If it's system generated, you'll still see DOMAIN\USERNAME, but the beginning of the username will have this kind of format: DOMAIN\InstanceName-Service-SixCharacters. So an example of this would be...

Domain = Cisco.com

InstanceName = PROD

Service = LoggerA

CISCO.COM\PROD-LOGGERA-D483F2

 

You can actually confirm this by searching for that username. If it's system generated, you'll always find the accounts in AD Users and Computers under Cisco_ICM\FacilityOU\InstanceOU ... and the name you'll see in the InstanceOU is going to be some long name, and what you're actually seeing is the username of the UPN format or display name. So going back to our example...

SAM Account = PROD-LOGGERA-D483F2

UPN User = FacilityInstanceServiceHOSTNAME

So let's say our Facility Name is PROD11 to represent a production environment for version 11 and the hostname that LoggerA runs on is named BOSCCMROGGER01. So the UPN User would be PROD11PRODLoggerABOSCCMROGGER01.

A customer who has an AD team that knows what they're doing will likely have something like Svc_LoggerA and have an OU that holds all service accounts for the domain.

Hope this helps!
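
The naming check described in the reply above, written as an added PowerShell example (not part of the original posts and not Cisco tooling). The function name, its parameters and the assumption that the six-character suffix is alphanumeric are illustrative; the sample account names are constructed from the thread's own examples.

```powershell
# Added example: classify a Service Logon Account Name by the pattern from the thread,
# DOMAIN\InstanceName-Service-SixCharacters. Function and parameter names are hypothetical.
function Get-CceServiceAccountOrigin {
    [CmdletBinding()]
    param(
        # Service Logon Account Name as shown in Service Account Manager
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$LogonAccount,
        # Instance name, e.g. PROD
        [Parameter(Mandatory)]
        [string]$InstanceName,
        # Optional: used to build the UPN user (FacilityInstanceServiceHOSTNAME) to search for in AD
        [string]$Facility,
        [string]$HostName
    )
    begin {
        # Assumption: the six trailing characters are letters or digits (thread example: D483F2)
        $pattern = '^(?<domain>[^\\]+)\\' + [regex]::Escape($InstanceName) +
                   '-(?<service>[A-Za-z0-9]+)-(?<suffix>[A-Za-z0-9]{6})$'
    }
    process {
        $origin = 'Unrecognized'; $service = $null; $upn = $null
        $note   = 'Not in DOMAIN\USERNAME form; check the account in SAM'
        if ($LogonAccount -match $pattern) {
            $origin  = 'SystemGenerated'
            $service = $Matches['service']
            $note    = 'Web Setup offers Re-create the Service Account or Do not modify Service Account'
            if ($Facility -and $HostName) { $upn = "$Facility$InstanceName$service$HostName" }
        }
        elseif ($LogonAccount -match '^[^\\]+\\[^\\]+$') {
            $origin = 'PreCreated'
            $note   = 'Update via SAM and cycle the service; in Web Setup select Do not modify Service Account'
        }
        [pscustomobject]@{
            LogonAccount = $LogonAccount
            Origin       = $origin
            Service      = $service
            UpnUser      = $upn
            Note         = $note
        }
    }
}

# Constructed sample input: the thread's system-generated example, an AD-team style name, a built-in account
'CISCO.COM\PROD-LOGGERA-D483F2', 'CISCO.COM\Svc_LoggerA', 'LocalSystem' |
    Get-CceServiceAccountOrigin -InstanceName PROD -Facility PROD11 -HostName BOSCCMROGGER01 |
    Format-List
```

A pattern match is only a hint: the confirmation step from the thread is still to find the account in AD Users and Computers under Cisco_ICM\FacilityOU\InstanceOU.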