Credential Profiles

Credential Profiles simplify the use and management of user credentials in adTempus. Each Credential Profile stores the user ID and password for a single user account. In most cases this will be a Windows user account, but you may also need to store other kinds of credentials, such as the credentials for connecting to a protected Web server.

Instead of storing user IDs and passwords with each object that uses them (for example, in each job that runs under a user account), adTempus stores the information in one place (the Credential Profile) and then stores a reference to the Credential Profile in each object that uses it.

Features and Benefits

Credential Profiles offer several benefits.

Simplified Password Management

If the password for an account is changed, the password only has to be changed once in adTempus, in the Credential Profile. The new password will immediately be used by all jobs that use the profile.

Delegated Account Use for Improved Security

Users can be granted permission to use a Credential Profile without knowing the password for the account.

For example, it is often necessary that jobs be run under user accounts with Administrative privileges, and non-administrative users may need to configure and manage these jobs. Instead of telling these users the password for an administrative account to use on jobs, an authorized Administrator (who knows the account's password) can create a Credential Profile, and grant other users permission to use the profile. These users will now be able to schedule jobs using this account without having access to the account's password.

Simplified Data Entry

Once a user has been granted permission to use a Credential Profile, that user does not have to type in (or even know) the password for the profile. When entering credentials for a new job or other object, the user only has to type the user ID.

Creating and Using Credential Profiles

Generally, Credential Profiles will be created automatically, as needed. In places where credentials need to be specified (such as the User Account box in a job's properties), the user simply types in the user ID for the account. adTempus will then prompt the user for the password and create a new Credential Profile if necessary, as described in the Entering User Credentials topic.

You can also create profiles through the Credential Profiles window.

Managing User Profiles

Authorized users can view and manage Credential Profiles through the Credential Profiles window.

If the password changes for an account, use the Credential Profiles window to edit the associated Credential Profile and change the password in adTempus.

Changing Credentials

If want to change all jobs that use a particular Credential Profile to use a different user account, you can simply change the user name and password in the profile. For example, suppose you have a Credential Profile for the account "corpnet\automation." You have moved the adTempus server to a new domain, and the jobs should now run under account "newcorpnet\autouser." You can make this change by simply editing the Credential Profile and changing the user ID and password. All jobs that use the profile will now use the new credentials.

If you only want to change some jobs that use a Credential Profile to use a different profile (while others will continue to use the old profile), use the Find/Replace References command from the Credential Profiles window.

Group Managed Service Accounts (gMSAs)

Version Compatibility: Server version 4.6 or later Console version 4.6 or later.

Credential Profiles can be created for group Managed Service Accounts (gMSAs). Before you can create profiles for gMSAs you must enable the feature: In the Advanced Server Options window, locate the "UserManager:AllowManagedServiceAccounts" option and change its Current Value to true.

To create the profile, create a new Credential Profile with the proper Domain and with the User ID set to the account name, including the "$" at the end of the name. Leave the password blank.

Be sure to set the permissions for the new Credential Profile to allow the appropriate users to use it on jobs. Because there is no password for a gMSA, users cannot automatically gain access to the Credential Profile by entering the password, as they can with normal Credential Profiles.