This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 53%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hi,
I have gone through this MS article. Here one account mentioned that break glass account, can you please tell me how to configure this break glass account in active directory with each steps.
https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Khushi
This is a domain admins account whose password never expires and which should be available in case of emergency and in case the other domain admins accounts are unavailable or when the trust betweed bastion is broken
The password for this account should be saved in a safe because it's a critical account.
Please don't forget to accept helpful answer
can you please provide each step of the break glass configuration?
Just create a account member of domain admin’s group and save the password in safe location (you can use keepasse tools for example)
check the option password never expires in account properties. This option let you to avoid password expiration if you forget to reset it for a long time.
Don’t forget to reset the password regularly and choose a complexe password.
Please don’t forget to accept helpful answer
Hi, thanks for information. but I want to know in more details. As I found one ms article for Azure AD, where mentioned in detail including the configuration. I am looking similar article for on-premises AD.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
Hi @Khushi
Unfortunately there is no Microsoft article talking
Break Glass account for Active Directory but I found this article should help you:
[https://hipaa.yale.edu/security/break-glass-procedure-granting-emergency-access-critical-ephi-systems#:~:text=Break%20glass%20(which%20draws%20its,to%20gain%20access%20when%20necessary.](https://hipaa.yale.edu/security/break-glass-procedure-granting-emergency-access-critical-ephi-systems#:~:text=Break%20glass%20(which%20draws%20its,to%20gain%20access%20when%20necessary.)
Based on my experience Some customers prefer to use the built in administrator to avoid create multiple domain admin accounts.
Please don’t forget to accept helpful answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 90%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
hello,
I just did an Active Directory Security Assestment and one of the high critical point is to dont have any privileged administrative account with the password set as never expires.
honestly I dont understand what to do.
the recommendation is:
"Title
Configure administrative accounts for password expiry
Recommendation
One or more administrative accounts are not configured to expire their password. Administrative accounts that are never required to change their passwords represents a major security risk, because this allows a compromised password to be used by a malicious user for as long as the valid user is authorized access.
Suggested Actions
Every privileged account must have its own unique password and should be configured to change at a regular interval that is suitable for your organization’s business requirements.
Use the Active Directory Administrative Center to check the Account pane in the Properties for the administrative account, and under Account Options, clear the Password never expires check box.
To apply these settings as the default across multiple accounts, use Group Policy Management Editor (GPME) to open the Group Policy Object (GPO) that contains the relevant password policy (such as the Default Domain Policy).
In GPME, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.
Ensure that the Maximum password age policy setting is defined.
Note that if fine-grained password policies are being used, the default domain policy may not affect all accounts; in such cases, you should also therefore check the password settings in these fine-grained password policies.
There should be no impact in requiring passwords to expire. However, the use of this setting may suggest that the configured accounts are being used as service accounts and therefore, removal of this flag will allow the account password to expire based on domain account policies. This could have impact on services in the environment that run as or need to authenticate these accounts.
Context
N/A
Prioritization Guidance
| Impact | Effort | Probability |
|---|---|---|
| High Impact | Low Effort | Very High |
| High Impact | Low Effort | Very High |
