Service Accounts Management Module
A comprehensive training on Delinea's dedicated SAM module, covering automated discovery, intelligent dependency mapping, structured onboarding workflows, and continuous rotation compliance across your enterprise service account estate.
What is the Service Accounts Management Module?
Delinea's SAM module is a purpose-built component within the Privileged Access Management (PAM) platform dedicated exclusively to the lifecycle governance of non-human, machine identities, commonly called service accounts. These accounts authenticate applications, services, scheduled tasks, and integrations across enterprise environments, yet historically lacked the visibility and control applied to human user accounts.
The Core Problem
Service accounts proliferate silently: often created ad hoc, shared across teams, never rotated, and rarely decommissioned. They become the attacker's preferred lateral movement path.
Dedicated Module
SAM is not bolted onto credential vaulting. It is a standalone module with purpose-built workflows, discovery engines, and reporting tuned specifically for non-human identity patterns.
Full Lifecycle
From initial discovery through onboarding, rotation scheduling, and eventual decommissioning, SAM governs the full service account lifecycle without operational disruption.
Audit & Compliance
Every rotation event, approval decision, and policy exception is logged with immutable audit trails satisfying SOX, PCI-DSS, NIST 800-53, and CIS control requirements.
Key Differentiator: Dependency Awareness
Unlike traditional vaulting solutions, SAM understands where service accounts are used before rotating credentials. The automated dependency detection engine scans Windows Services, Scheduled Tasks, IIS Application Pools, COM+ applications, and ODBC data sources, preventing the outages that have historically blocked rotation programs from launching.
The SAM module operates as a layered system with clear separation between the presentation tier, the orchestration engine, the integration fabric, and the data persistence layer.
Deployment Models
SAM supports on-premises, cloud-hosted (SaaS), and hybrid deployment models. The Delinea Platform Server acts as the control plane in all configurations.
Security Boundaries
All inter-component communication is mutually authenticated via TLS 1.3. Credentials in transit are never stored in plaintext; vault operations use HSM-backed key management where available.
High Availability
The orchestration tier is stateless and horizontally scalable. Vault nodes support active-active clustering with synchronous replication, targeting 99.99% availability SLAs.
Why Continuous Discovery Matters
Point-in-time manual inventories become stale within days. Delinea's AD Connector maintains a real-time synchronized view of service accounts by monitoring LDAP change notifications, periodic deep scans, and event-driven triggers. New accounts surface automatically; no ticket required to initiate visibility.
Change Notification Listening
SAM subscribes to LDAP DirSync and USN-based change notifications, surfacing new service accounts within minutes of creation, not days.
Multi-Forest Support
A single SAM instance can monitor multiple AD forests and domains simultaneously, consolidating visibility across complex enterprise topologies including trusts.
Automatic Classification
Discovered accounts are automatically tagged by type (service account, gMSA, sMSA, computer account) using pattern matching against naming conventions and attribute analysis.
Risk Scoring
Each discovered account receives a risk score based on last password change date, SPN configuration, delegation settings, group membership, and password-never-expires flags.
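An added example (not Delinea's code) of the classification and scoring logic described in the two cards above, applied to constructed AD attribute records; the naming conventions, the weights and the sample accounts are this example's own assumptions, while the userAccountControl bit values are standard AD constants:

```python
from datetime import datetime, timezone

# userAccountControl bits (standard AD flag values).
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed scan time

def classify(acct: dict) -> str:
    """Tag by objectClass first, then by naming convention / SPN (assumed conventions)."""
    classes = set(acct.get("objectClass", []))
    if "msDS-GroupManagedServiceAccount" in classes:
        return "gMSA"
    if "msDS-ManagedServiceAccount" in classes:
        return "sMSA"
    if "computer" in classes:
        return "computer account"
    name = acct["sAMAccountName"].lower()
    if name.startswith(("svc_", "svc-")) or acct.get("servicePrincipalName"):
        return "service account"
    return "user"

def risk_score(acct: dict, now: datetime = NOW) -> int:
    """0-100 score from the signals the page lists; the weights are this example's own."""
    score = 0
    uac = acct.get("userAccountControl", 0)
    age = (now - acct["pwdLastSet"]).days
    score += 30 if age > 365 else 15 if age > 90 else 0     # stale password
    score += 20 if uac & DONT_EXPIRE_PASSWORD else 0        # password never expires
    score += 15 if acct.get("servicePrincipalName") else 0  # SPN configured
    if uac & TRUSTED_FOR_DELEGATION:
        score += 20                                         # unconstrained delegation
    elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION or acct.get("msDS-AllowedToDelegateTo"):
        score += 10                                         # constrained delegation
    score += 15 if PRIVILEGED_GROUPS & set(acct.get("memberOf", [])) else 0
    return min(score, 100)

# Constructed sample of what the AD connector might return (not real accounts).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_payments", "objectClass": ["user"], "userAccountControl": 0x10200,
     "pwdLastSet": datetime(2021, 1, 15, tzinfo=timezone.utc),
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"], "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_monitor_ro", "objectClass": ["user"], "userAccountControl": 0x200,
     "pwdLastSet": datetime(2024, 4, 20, tzinfo=timezone.utc), "memberOf": ["Monitoring Readers"]},
    {"sAMAccountName": "gmsa_web$", "objectClass": ["computer", "msDS-GroupManagedServiceAccount"],
     "userAccountControl": 0x1000, "pwdLastSet": datetime(2024, 5, 20, tzinfo=timezone.utc)},
]
```

Sorting `SAMPLE_ACCOUNTS` by `risk_score` gives the order a discovery dashboard would show them in.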
Discovery vs. Management
Discovery surfaces accounts into SAM's inventory with read-only visibility. Accounts are not automatically enrolled for rotation; that requires explicit onboarding through the approval workflow. This ensures operational teams are not surprised by credential changes to unknown accounts.
The Rotation Outage Problem, Solved
The #1 reason enterprises fail to rotate service account passwords is fear of outage. If svc_payments is used by 4 Windows Services, 2 Scheduled Tasks, and an IIS Application Pool, rotating its password without updating all 7 dependency configurations causes immediate failures. SAM's Dependency Detection engine automatically maps all usages before any rotation attempt.
Windows Services
SAM remotely queries the Windows Service Control Manager on enrolled endpoints to identify services running under the target account's credentials.
Scheduled Tasks
Task Scheduler XML definitions are parsed across domain-joined machines to identify tasks configured with explicit credential context for the service account.
IIS Application Pools
IIS metabase and WMI queries identify application pools using custom identity configurations that reference the target service account credentials.
Database Logins
SQL Server and Oracle instances are queried for login mappings and linked server configurations that authenticate using the target service account.
Automatic Dependency Update During Rotation
Once dependencies are mapped, SAM's rotation agent doesn't just change the AD password; it propagates the new credential to every detected dependency in the correct sequence, using WMI, DCOM, or agent-based channels. Services are restarted in the right order. The entire process is atomic: if any dependency update fails, the rotation rolls back and alerts fire.
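An added example, not the product's code, of the propagate-or-roll-back behaviour described above, using an in-memory stand-in for AD and for four constructed dependencies of svc_payments; the update order by dependency kind and the unreachable-agent simulation are assumptions of this example:

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Dependency:
    kind: str   # "sqllogin", "apppool", "service" or "task"
    host: str
    name: str
    update: Callable[[str], None]  # stand-in for the WMI/DCOM/agent credential update
    healthy: Callable[[], bool]    # stand-in for the post-update health check

class RotationFailed(Exception): pass

# Update order by dependency kind (this example's assumption: back-end logins first).
ORDER = {"sqllogin": 0, "apppool": 1, "service": 2, "task": 3}

def rotate(account: str, old_pw: str, new_pw: str, deps: list, set_ad_password) -> list:
    """Set the new AD password, then push it to every dependency in ORDER.
    On any failure, restore old_pw on everything already touched (reverse order)
    and on AD itself, then raise, so the estate never ends up half-rotated."""
    done, log = [], [f"ad:{account}:set"]
    set_ad_password(new_pw)
    try:
        for dep in sorted(deps, key=lambda d: ORDER[d.kind]):
            dep.update(new_pw)
            done.append(dep)
            if not dep.healthy():
                raise RotationFailed(f"health check failed: {dep.kind} {dep.name}@{dep.host}")
            log.append(f"{dep.kind}:{dep.name}@{dep.host}:updated")
    except Exception as exc:
        for dep in reversed(done):
            dep.update(old_pw)
            log.append(f"{dep.kind}:{dep.name}@{dep.host}:rolled-back")
        set_ad_password(old_pw)
        log.append(f"ad:{account}:rolled-back")
        raise RotationFailed(f"rotation of {account} rolled back: {exc}") from exc
    return log

def build_env(fail_on: Optional[str] = None):
    """Constructed in-memory AD plus dependencies of svc_payments (hypothetical hosts).
    fail_on names a dependency key whose update raises, simulating an unreachable agent."""
    ad, stores, deps = {"pw": "Old#1"}, {}, []
    for kind, host, name in [("service", "app01", "PaymentsSvc"), ("task", "app01", "NightlyBatch"),
                             ("apppool", "web01", "PaymentsAPI"), ("sqllogin", "db01", "svc_payments")]:
        key = f"{kind}:{name}@{host}"
        stores[key] = "Old#1"
        def update(pw, key=key):
            if key == fail_on:
                raise ConnectionError(f"agent channel to {key} unavailable")
            stores[key] = pw
        deps.append(Dependency(kind, host, name, update, lambda key=key: stores[key] == ad["pw"]))
    return ad, stores, deps
```

Run `rotate("svc_payments", "Old#1", "New#2", deps, lambda p: ad.__setitem__("pw", p))` against `build_env()` for the happy path, and against `build_env(fail_on="service:PaymentsSvc@app01")` to see every store return to the old credential.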
The onboarding workflow enforces a structured review process ensuring no account is brought under SAM management without appropriate stakeholder approval and technical validation.
Discovery & Intake
SAM's AD Connector surfaces the account in the Unmanaged Accounts queue with auto-populated metadata including SPN details, group memberships, last logon, and password age.
Owner Assignment
An application owner or service team lead is designated as the account custodian. SAM can suggest owners based on AD OU structure, group membership, and historical usage patterns.
Dependency Scan
Before any approval proceeds, SAM runs a full dependency scan against all enrolled endpoints to build a complete map of services, tasks, and applications using the account.
Security Review & Approval
The onboarding request, with full metadata, risk score, dependency map, and proposed rotation policy, is routed to one or more approvers based on configurable approval routing rules.
Policy Configuration
Upon approval, the account owner and security team configure the rotation policy: frequency, maintenance window, notification recipients, and rollback parameters.
Vault Enrollment & First Rotation
SAM vaults the current credential, executes the first managed rotation (with full dependency propagation), and transitions the account to Managed status in the compliance dashboard.
Not All Service Accounts Are Equal
A privileged domain admin service account running a nightly replication task demands different rotation urgency than a low-privilege read-only monitoring account. SAM's rotation scheduler allows granular frequency configuration by account type, risk tier, OU, or individual account, while the compliance dashboard surfaces deviations from policy.
| Account Type | Default Frequency | Risk Tier | Recommended Window |
|---|---|---|---|
| Domain Admin Service Accounts | 30 Days | Critical | Weekends 02:00-04:00 local |
| Privileged App Service Accounts | 60 Days | High | Weekdays 23:00-01:00 local |
| Standard App Service Accounts | 90 Days | Medium | Weekends 01:00-05:00 local |
| Read-Only / Monitoring Accounts | 180 Days | Low | Any maintenance window |
| Group Managed Service Accounts (gMSA) | 30 Days (AD-managed) | Managed | Automatic (KDC controlled) |
| External / Service Principal Accounts | 90 Days | Medium | Weekends, coordinated with vendor |
Blackout Windows
Define date ranges when rotations are prohibited: fiscal year-end, peak trading periods, or holiday freezes. SAM reschedules affected rotations automatically and flags accounts that become overdue during blackouts.
Dependency-Aware Sequencing
When an account serves multiple services across servers, the scheduler calculates the optimal update sequence to minimize service restart time and avoid circular dependencies.
Pre-Rotation Notifications
Account owners and on-call teams receive configurable advance notice (default: 48 hours) before each rotation, with a direct link to defer or approve if manual confirmation mode is enabled.
Automatic Rollback
If any post-rotation health check fails, SAM automatically restores the previous credential and dependency configurations within the rollback timeout window, then escalates an alert to operations.
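An added example, not Delinea's scheduler, showing how a blackout window interacts with the policy table above: the next permitted slot is computed from the policy frequency, the maintenance-window weekdays and the blackout ranges, and accounts pushed past their due date by a blackout are flagged as overdue. The weekday mapping of each window, the holiday freeze and the three accounts are constructed assumptions of this example:

```python
from datetime import date, timedelta

# Policy defaults taken from the rotation table above: (frequency in days,
# weekdays allowed for the maintenance window, Mon=0 .. Sun=6).
POLICY = {
    "Domain Admin": (30, {5, 6}),
    "Privileged App": (60, {0, 1, 2, 3, 4}),
    "Standard App": (90, {5, 6}),
    "Read-Only": (180, set(range(7))),
}

def in_blackout(day, blackouts):
    """True if day falls inside any (start, end) blackout range, inclusive."""
    return any(start <= day <= end for start, end in blackouts)

def next_rotation(last, acct_type, blackouts, horizon_days=120):
    """Earliest date on/after the policy due date that is in the maintenance
    window and outside every blackout; None if nothing fits within the horizon."""
    freq, weekdays = POLICY[acct_type]
    due = last + timedelta(days=freq)
    for offset in range(horizon_days + 1):
        day = due + timedelta(days=offset)
        if day.weekday() in weekdays and not in_blackout(day, blackouts):
            return day
    return None

def overdue_days(last, acct_type, today):
    """Days past the policy limit (0 when compliant)."""
    return max(0, (today - last).days - POLICY[acct_type][0])

def schedule(accounts, blackouts, today):
    """For each (name, type, last_rotation): the due date, the rescheduled slot,
    and whether a blackout (not merely the weekday window) pushed it past due."""
    rows = []
    for name, acct_type, last in accounts:
        due = last + timedelta(days=POLICY[acct_type][0])
        slot = next_rotation(last, acct_type, blackouts)
        slipped = slot is None or slot > due
        hit = slipped and any(in_blackout(due + timedelta(days=i), blackouts)
                              for i in range(((slot or due) - due).days + 1))
        rows.append({"account": name, "due": due, "slot": slot,
                     "overdue_days": overdue_days(last, acct_type, today),
                     "blackout_delayed": hit})
    return rows
# Constructed example: a holiday change freeze and three accounts.
BLACKOUTS = [(date(2024, 12, 20), date(2025, 1, 5))]
ACCOUNTS = [("svc_erp_batch", "Standard App", date(2024, 9, 28)),
            ("svc_sql_prod", "Privileged App", date(2024, 11, 1)),
            ("svc_reports_ro", "Read-Only", date(2024, 8, 1))]
```

`schedule(ACCOUNTS, BLACKOUTS, date(2025, 1, 11))` shows the two accounts whose due dates fall inside the freeze slipping to the first allowed day after it, while the read-only account keeps its original date.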
Rotation Coverage by Account Type
Overdue Rotation Alerts
| Account | Type | Policy Limit | Days Overdue | Severity |
|---|---|---|---|---|
| svc_sql_prod@corp.local | Privileged App | 60 days | 127 days | Critical |
| svc_erp_batch@corp.local | Standard App | 90 days | 98 days | Critical |
| svc_reports_ro@corp.local | Read-Only | 180 days | 214 days | High |
| svc_exchange_mgmt@corp.local | Privileged App | 60 days | 73 days | High |
| svc_sharepoint@corp.local | Standard App | 90 days | 97 days | Medium |
Export & Reporting
Generate point-in-time compliance snapshots in PDF, CSV, or JSON format. Pre-built templates exist for SOX 404, PCI-DSS 8.3, NIST 800-53 AC-2, and ISO 27001 A.9.2 control requirements.
SIEM Integration
Rotation events, overdue alerts, and approval decisions stream to Splunk, Microsoft Sentinel, or any CEF/Syslog target in real time. Dashboards can be built using the pre-built SPL/KQL packs.
Scheduled Digest Reports
Configure weekly or monthly email digests for account owners, team leads, and CISO recipients, summarizing rotation status, upcoming scheduled rotations, and outstanding onboarding queues.