Identity & Access Management // Privileged Access Management
Powered by Delinea Secret Server

Local Admin
Password Rotation

A complete, interactive training guide for rotating local computer administrator passwords using Delinea Secret Server — covering architecture, setup, automated RPC, macOS, API automation, and a live incident test case.

Rev 3.1 · 2026 · Active · Intermediate Level · Est. 50 min

Overview

Why Secret Server, what it does, and how rotation fits into your security posture.

🔐
What is Delinea Secret Server? An enterprise Privileged Access Management (PAM) vault that stores credentials as encrypted Secrets, automates password changes via Remote Password Changing (RPC), continuously validates credentials via Heartbeat, and maintains an immutable audit log of every access, view, and rotation event.

Why Rotate Local Admin Passwords?

⚠️
Pass-the-Hash Risk
Shared local admin passwords let attackers harvest a single NTLM hash and authenticate laterally across every machine with that same credential — one breach becomes domain-wide.
📅
Stale Credential Exposure
Passwords unchanged for 60–90+ days dramatically extend attacker dwell time. Routine rotation minimizes the window of exploitation after any compromise event.
Compliance Requirements
CIS Benchmarks, NIST SP 800-53, SOC 2, and PCI-DSS all mandate rotation of privileged credentials. Secret Server provides the audit evidence to demonstrate compliance.
🔑
Uniqueness Per Device
Secret Server generates a unique, policy-compliant password for every device. Compromising one endpoint yields nothing reusable elsewhere in the fleet.

Secret Server End-to-End Rotation Flow

Secret Created
Template + RPC linked
Heartbeat
Validates credential
RPC Rotation
Scheduled or on-demand
New Pass Stored
Encrypted in vault
Audit Log
Full event trail

Core Secret Server Concepts

🔑
Secret
The fundamental unit — an encrypted record containing hostname, username, and password. Each local admin account on each machine gets its own unique Secret.
📋
Secret Template
Defines the fields and the linked RPC changer script for a credential type. Use the built-in Windows Account or Unix Account (SSH) templates as your baseline.
🔁
Remote Password Changing (RPC)
SS connects to the target machine, changes the password on the OS, and updates the vault — all atomically. If the change fails, the old password is preserved and an alert fires.
💓
Heartbeat
Periodically authenticates to the target using the stored password to verify it still matches. A Heartbeat failure before rotation is a potential indicator of compromise.
📅
Password Policy
Enforces complexity, length, rotation interval, and character rules. Assigned at folder level — all Secrets inside inherit it automatically.
🧾
Checkout & Audit
Checkout enforces single-user access and creates an audit entry. Change on Checkin rotates the password automatically when returned, making each session single-use.

Rotation Method Comparison

Method | Platform | Automation | Best For
RPC — Built-in Changer | Windows | ✅ Full | Domain/workgroup machines reachable by SS or Distributed Engine
RPC — Custom Script | Both | ✅ Full | macOS (sysadminctl), non-standard accounts
Distributed Engine | Both | ✅ Full | Endpoints on isolated / segmented networks
Manual + SS Store | Both | ⚠ Partial | Air-gapped machines — rotated out-of-band, updated in SS manually
SS REST API | Both | ✅ Full | SOAR playbooks, bulk rotation runbooks, CI/CD pipelines

Requirements

Validate every prerequisite before configuring Secret Server or performing any rotation.

Secret Server Environment

SS Version
Secret Server 11.4+ (on-prem) or Delinea Platform (cloud). Windows local account RPC requires no additional license beyond the base PAM license.
Distributed Engine (DE)
Required for endpoints on segmented networks. Install on a Windows jump host with TCP network access to target subnets. Must be registered in SS before configuring RPC site assignments.
SS Role Permissions Required
Administer Secret Templates and Administer Remote Password Changing role permissions are required to configure templates and RPC globally.
Network Ports
Windows RPC: TCP 445 (WMI/SMB) from SS server or DE to target. macOS RPC: TCP 22 (SSH). Confirm firewall ACLs before testing.

Target Machine Requirements

Requirement | Windows | macOS
RPC Protocol | WMI / SMB (TCP 445) | SSH (TCP 22)
Account must be enabled | ✅ Yes | ✅ Yes
Privileged changer account | Separate local or domain admin — NOT the account being rotated | Root or passwordless-sudo account — separate from managed account
Network reachability | SS server or DE must reach target by FQDN or IP | Same
OS Version | Windows 10 / Server 2016+ | macOS 12 Monterey+
Critical — Changer Account Separation: The account Secret Server uses to perform RPC (the "privileged changer account") must be different from the account being rotated. Using the same account creates a circular dependency that causes lockout.

Password Policy Minimum Standards

Policy Setting | Minimum Standard | Recommended
Password Length | 15 characters | 20 characters
Uppercase Letters | Required | Minimum 2
Lowercase Letters | Required | Minimum 2
Numbers | Required | Minimum 2
Special Characters | Required | Min 2 — exclude: " ' / \ ` space
Rotation Interval | 30 days | 14 days
Heartbeat Interval | Daily | Every 4–8 hours
Password History | Last 10 (SS encrypted history) | Last 24
Uniqueness | Unique per device (SS enforces this by design) | Same
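The recommended column above, turned into a local check and a generator. This is an added example and not part of the guide or of Delinea's product; the function names are this example's own. It is meant for the out-of-band case in the comparison table (an air-gapped machine whose password is set by hand and then stored in SS manually), where Secret Server's own generator is not in the loop. For RPC-managed Secrets, SS enforces the policy itself.

```powershell
# Added example, not from the guide or Delinea: a local check and a CSPRNG
# generator for passwords that are set out-of-band (air-gapped hosts) and then
# stored in Secret Server by hand. Defaults follow the "Recommended" column.

$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomInt {
    # Uniform integer in [0, Max) from the CSPRNG. Draws at or above the largest
    # multiple of Max below 2^32 are discarded so no residue class is favoured.
    param([Parameter(Mandatory)][int]$Max)
    $buf   = [byte[]]::new(4)
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $script:Rng.GetBytes($buf)
        $n = [System.BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % [uint32]$Max)
}

function Test-LocalAdminPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 20,
        [int]$MinUpper = 2, [int]$MinLower = 2, [int]$MinDigit = 2, [int]$MinSymbol = 2,
        # Excluded set from the table: double quote, single quote, slash, backslash, backtick, space
        [char[]]$Excluded = @('"', "'", '/', '\', '`', ' ')
    )
    $chars  = $Password.ToCharArray()
    $upper  = @($chars | Where-Object { [char]::IsUpper($_) }).Count
    $lower  = @($chars | Where-Object { [char]::IsLower($_) }).Count
    $digit  = @($chars | Where-Object { [char]::IsDigit($_) }).Count
    $symbol = @($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count
    $bad    = @($chars | Where-Object { $Excluded -contains $_ } | Select-Object -Unique)

    $failures = @()
    if ($Password.Length -lt $MinLength) { $failures += "length $($Password.Length) < $MinLength" }
    if ($upper  -lt $MinUpper)  { $failures += "uppercase $upper < $MinUpper" }
    if ($lower  -lt $MinLower)  { $failures += "lowercase $lower < $MinLower" }
    if ($digit  -lt $MinDigit)  { $failures += "digits $digit < $MinDigit" }
    if ($symbol -lt $MinSymbol) { $failures += "symbols $symbol < $MinSymbol" }
    if ($bad.Count -gt 0)       { $failures += "excluded characters present: $($bad -join ' ')" }

    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

function New-PolicyCompliantPassword {
    param([int]$Length = 20, [int]$PerClass = 2)
    # Visually ambiguous glyphs (I, O, l, 0, 1) are left out to reduce typing
    # errors at a console; the symbol set contains none of the excluded characters.
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*()-_=+[]{}:;,.?'
    )
    $all = @(); foreach ($c in $classes) { $all += $c }

    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($set in $classes) {                       # satisfy each per-class minimum first
        for ($k = 0; $k -lt $PerClass; $k++) { $chars.Add($set[(Get-SecureRandomInt $set.Length)]) }
    }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-SecureRandomInt $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {      # Fisher-Yates shuffle with the same CSPRNG
        $j = Get-SecureRandomInt ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars.ToArray()
}

# Usage (constructed values):
# Test-LocalAdminPasswordPolicy -Password 'Tr0ub4dor&3'   # fails: too short, one uppercase, one symbol
# $pw = New-PolicyCompliantPassword
# Test-LocalAdminPasswordPolicy -Password $pw              # Compliant = True
```

The generator draws the mandatory two characters of each class first, fills the remainder from the union, then shuffles with the same CSPRNG so the class blocks do not sit at fixed positions. Rejection sampling in Get-SecureRandomInt is what keeps the selection uniform; a plain modulo over a 32-bit draw would slightly favour the low end of each alphabet.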

Secret Server Setup

One-time configuration tasks — complete these before creating Secrets or enabling automated rotation.

01
Create a Password Policy
Define the complexity and rotation rules that all local admin Secrets will inherit. Assign this policy to the folder in Step 04.
Admin › Security › Password Requirements › + New
Policy Name: Local Admin — Workstations
Minimum Length: 20
Uppercase Minimum: 2
Lowercase Minimum: 2
Numbers Minimum: 2
Symbols Minimum: 2
Excluded Characters: " ' / \ ` (space)
02
Configure the Secret Template
Clone the built-in Windows Account template. This defines the fields, the RPC changer type, and heartbeat behavior for every local admin Secret.
Admin › Secret Templates › Windows Account › Duplicate
Template Name: Windows Local Administrator
Required Fields: Machine, Username, Password
Password Changer: Windows Local Account (built-in)
Heartbeat Enabled: ✅ Yes
Auto Change Enabled: ✅ Yes
Password Policy: Local Admin — Workstations (Step 01)
03
Enable Remote Password Changing (Global)
Enable the RPC engine globally and configure the Distributed Engine site if endpoints are on isolated network segments.
Admin › Remote Password Changing
Enable RPC: ✅ On
Enable Heartbeat: ✅ On
Distributed Engine Site: Assign correct site per network segment
Max Concurrent RPC: 5–10 (tune to fleet size)
Retry on Failure: ✅ 3 retries · 60-minute interval
The privileged changer account SS uses to perform RPC must itself be stored as a Secret in a restricted Admin folder, with its own rotation schedule.
04
Create Folder Structure & Assign Policy
Organize Secrets in folders. Permissions and policies cascade down — set once at the folder level; every Secret inside inherits them automatically.
Secrets › New Folder
Folder Path: IT\Local Admin Accounts\Workstations
Secret Policy: Local Admin Rotation Policy (auto-change ON)
Owners: PAM Admins group
View / Checkout: Help Desk tier (checkout required)
Checkout Required: ✅ Yes — enforces single-user access + creates audit entry
Change on Checkin: ✅ Yes — rotates via RPC immediately on return
05
Create a Secret for Each Local Admin Account
One Secret per endpoint. Use the Windows Local Administrator template. Generate the initial password using the built-in policy-compliant generator.
Secrets › IT\Local Admin Accounts\Workstations › + New Secret
Template: Windows Local Administrator
Secret Name: CORP-WS-0142 — Administrator
Machine: CORP-WS-0142.corp.example.com
Username: Administrator (or renamed account name)
Password: Click 🔄 Generate — auto-generated per policy
Auto Change Schedule: Every 14 days

Windows — Remote Password Changing

Automated rotation via Secret Server RPC for domain-joined and workgroup Windows endpoints.

01
Run Heartbeat — Verify Current State First
Always run Heartbeat before any rotation. A failure before rotation indicates the password is out of sync with the vault and may signal active compromise.
Open Secret › Remote Password Changing tab › Run Heartbeat
Status: Success | ✅ Credential matches target — safe to rotate
Status: Failed | 🚨 Investigate — password may have been changed out-of-band. Possible IOC.
Status: Pending | ⏳ Click "Run Heartbeat" to force immediate check
02
Trigger On-Demand Rotation (UI)
For immediate rotation — post-incident, compliance request, or scheduled review — trigger RPC directly from the Secret detail view.
Open Secret › Remote Password Changing tab › Change Password Now
Click Change Password Remotely. Secret Server generates a new policy-compliant password, connects to the target via WMI, changes the OS-level password, and stores the new value in the vault — atomically. Success or failure is recorded instantly in the audit log.
    # Trigger via PowerShell — Thycotic.SecretServer SDK module
    Import-Module Thycotic.SecretServer
    $session = New-TssSession -SecretServer "https://secretserver.corp.example.com" `
        -Credential (Get-Credential)

    # Search for the Secret by hostname
    $s = Search-TssSecret -TssSession $session -SearchText "CORP-WS-0142"

    # Trigger immediate Remote Password Change
    # (the module's cmdlet for POST /secrets/{id}/change-password is Start-TssSecretChangePassword)
    Start-TssSecretChangePassword -TssSession $session -Id $s.Id
    Close-TssSession -TssSession $session
03
Verify Auto-Rotation Schedule
Confirm the Secret has an ongoing rotation schedule so no manual intervention is needed for future cycles.
Open Secret › Security tab › Auto Change Schedule
Auto Change: ✅ Enabled
Frequency: Every 14 days
Change on Checkin: ✅ Yes — rotates on every return from checkout
Next Scheduled Change: Auto-calculated from last successful rotation timestamp
04
Access via Checkout + Launcher (Best Practice)
Never copy passwords to a clipboard or notepad. Use the SS Launcher — it injects the credential directly into the RDP session without ever exposing plaintext to the operator.
Open Secret › Check Out › Launch (RDP)
The Launcher creates a proxied RDP session with credential injection. The operator never sees or handles the raw password. On checkin, Change on Checkin rotates immediately — making every session single-use by design.
If a user must view the password directly (e.g., console recovery), ensure the Require Comment on View option is enabled on the folder so a justification is recorded in the audit log.
05
Validate & Confirm in Audit Log
Confirm rotation succeeded in Secret Server's audit trail and optionally cross-validate on the target via Windows Security Event Log.
Open Secret › Audit tab
Expected Events: PASSWORD CHANGE SUCCEEDED · HEARTBEAT SUCCEEDED
On RPC Failure: Check Admin › Remote Password Changing › Logs for detailed error output
Audit Columns: Date/Time · Action · User · IP Address · Notes
    # Cross-validate on the target machine
    # Event ID 4723 = An attempt was made to change an account's password
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} -MaxEvents 5 |
        Select-Object TimeCreated, Message

    # Confirm password last-set timestamp on the local account
    Get-LocalUser -Name "Administrator" | Select-Object Name, PasswordLastSet, Enabled
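The cross-validation in Step 05 as one function that compares the target's own evidence with the vault's audit timestamp. This is an added example, not code from the guide or from Delinea; the function name and the tolerance parameter are this example's own. It searches both 4723 (the ID the guide lists, logged when an account changes its own password) and 4724 (logged when another privileged account resets the password, which is how a separate changer account sets it).

```powershell
# Added example, not from the guide: cross-checks one rotation on the target
# against the PASSWORD CHANGE SUCCEEDED timestamp from the Secret's Audit tab.
# Run elevated on the endpoint (or through Invoke-Command).
function Test-LocalAdminRotation {
    param(
        [Parameter(Mandatory)][datetime]$RotationTime,   # audit timestamp; use the ISO form with Z if the tab shows UTC
        [string]$UserName = 'Administrator',
        [int]$ToleranceMinutes = 5
    )
    $rotUtc  = $RotationTime.ToUniversalTime()
    $user    = Get-LocalUser -Name $UserName -ErrorAction Stop
    $lastSet = if ($user.PasswordLastSet) { $user.PasswordLastSet.ToUniversalTime() } else { $null }
    $drift   = if ($lastSet) { ($lastSet - $rotUtc).Duration().TotalMinutes } else { $null }

    # 4723 = change by the account itself, 4724 = reset by another privileged account
    $evt = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4723, 4724
        StartTime = $rotUtc.ToLocalTime().AddMinutes(-$ToleranceMinutes)
        EndTime   = $rotUtc.ToLocalTime().AddMinutes($ToleranceMinutes)
    } | Where-Object {
        # TargetUserName is the account whose password was changed or reset
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text' -eq $UserName
    } | Select-Object -First 1

    $eventId = $null; $actor = $null
    if ($evt) {
        $eventId = $evt.Id
        $actor   = (([xml]$evt.ToXml()).Event.EventData.Data |
                    Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
    }
    # Consistent only when the account is still enabled, the OS timestamp agrees
    # with the vault within tolerance, and the Security log recorded the change.
    $ok = [bool]($user.Enabled -and ($null -ne $drift) -and ($drift -le $ToleranceMinutes) -and $evt)

    [pscustomobject]@{
        Account         = $UserName
        Enabled         = $user.Enabled
        PasswordLastSet = $lastSet
        DriftMinutes    = $drift
        EventId         = $eventId
        ChangedBy       = $actor
        Consistent      = $ok
    }
}

# Usage (constructed timestamp):
# Test-LocalAdminRotation -RotationTime '2026-03-07T09:31:05Z' -UserName 'Administrator'
```

A result with Consistent = False but a recent PasswordLastSet is worth a second look: a timestamp that moved outside the tolerance window, or a ChangedBy that is not the changer account, means something other than Secret Server touched the credential.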

macOS — SSH-Based RPC

Secret Server rotates macOS local admin passwords over SSH using a custom sysadminctl changer script.

01
Configure macOS Secret Template
Clone the built-in Unix Account (SSH) template. This is the foundation for SSH-based rotation on macOS.
Admin › Secret Templates › Unix Account (SSH) › Duplicate
Template Name: macOS Local Administrator
Password Changer: Custom sysadminctl changer (configured in Step 03)
SSH Port: 22
Heartbeat Enabled: ✅ Yes
Auto Change Enabled: ✅ Yes
02
Enable Remote Login (SSH) on Target Mac
Secret Server RPC connects over SSH. Remote Login must be active on the managed Mac before RPC can function.
    # Enable SSH Remote Login on the target Mac
    sudo systemsetup -setremotelogin on

    # Restrict SSH access to the local admin group only (security hardening)
    sudo dseditgroup -o edit -a localadmin -t user com.apple.access_ssh

    # Confirm it is active
    sudo systemsetup -getremotelogin
If this Mac is Jamf-managed, configure Remote Login via a Jamf Policy rather than manually. MDM configuration profiles will revert manual Terminal changes on the next check-in.
03
Create Custom RPC Script (sysadminctl)
The default Unix SSH changer uses interactive passwd. For macOS 12+, a custom changer using sysadminctl is non-interactive and more reliable.
Admin › Remote Password Changing › Configure Password Changers › + New
    ## Secret Server Custom Password Changer — macOS sysadminctl
    ## Paste into the "Change Password Commands" field in Secret Server.
    ## Token reference:
    ##   $USERNAME     = the account being rotated
    ##   $NEWPASSWORD  = the new password SS generated
    ##   $[1]USERNAME  = the changer account username (linked Secret)
    ##   $[1]PASSWORD  = the changer account password (linked Secret)
    ## Password tokens are double-quoted so a generated value containing
    ## shell metacharacters (& ; | etc.) is passed as one argument.
    sudo sysadminctl -resetPasswordFor $USERNAME \
        -newPassword "$NEWPASSWORD" \
        -adminUser $[1]USERNAME \
        -adminPassword "$[1]PASSWORD"

    # Verification command (SS runs after change — exit 0 = success)
    dscl . -authonly $USERNAME "$NEWPASSWORD"
$[1]USERNAME and $[1]PASSWORD are Secret Server tokens that reference a linked changer account Secret — the privileged account SS authenticates as over SSH to execute sysadminctl on the target Mac.
04
FileVault — Verify Key Escrow Before Rotating
If the managed account is FileVault-enabled, confirm the recovery key is escrowed to your MDM before rotating its password.
    # Check which accounts have FileVault enabled
    sudo fdesetup list

    # If the managed account appears in the list,
    # confirm MDM (Jamf) has the recovery key escrowed BEFORE rotating.
    # Check Jamf: Computers › [device] › FileVault 2 tab
🚨
Rotating a FileVault-enabled account's password without escrowing the recovery key first may prevent you from unlocking the drive after a reboot. Coordinate with your MDM team before rotating any FileVault-enabled account.
05
Run Heartbeat & Validate on Target
After rotation, confirm the new credential passes Heartbeat, then verify on the Mac using the unified log.
Open Secret › Remote Password Changing tab › Run Heartbeat
    # Verify on the macOS target — search unified log for account changes (last 1 hour)
    log show --predicate 'eventMessage contains "password"' \
        --last 1h --style syslog | grep localadmin

    # Alternatively — test authentication directly
    dscl . -authonly localadmin "[new-password-from-SS]"

API & Automation

Secret Server exposes a full REST API for programmatic rotation, bulk operations, SOAR playbook integration, and pipeline credential retrieval.

Step 1 — Authenticate & Get Bearer Token

    $SS_URL = "https://secretserver.corp.example.com"

    # Never hard-code credentials — read from environment or vault
    $body = @{
        username   = "svc-automation"
        password   = $env:SS_API_PASSWORD
        grant_type = "password"
    }
    $token   = (Invoke-RestMethod -Uri "$SS_URL/oauth2/token" -Method POST -Body $body).access_token
    $headers = @{ Authorization = "Bearer $token" }

Step 2 — Retrieve a Secret's Password

    $secretId = 1042
    $secret   = Invoke-RestMethod -Uri "$SS_URL/api/v1/secrets/$secretId" -Headers $headers
    $password = ($secret.items | Where-Object { $_.fieldName -eq "Password" }).itemValue

    # Use $password — NEVER log it, write to disk, or pass via environment variable in plain text

Step 3 — Force Immediate Password Rotation

    # Trigger an immediate Remote Password Change on Secret 1042
    Invoke-RestMethod `
        -Uri "$SS_URL/api/v1/secrets/$secretId/change-password" `
        -Method POST `
        -Headers $headers `
        -ContentType "application/json" `
        -Body ('{"secretId":' + $secretId + '}')

Step 4 — Bulk Rotation of All Secrets in a Folder

    # Rotate every Secret in folder ID 88 — e.g., post-incident mass rotation
    $folderId = 88
    $secrets  = (Invoke-RestMethod `
        -Uri "$SS_URL/api/v1/secrets?folderId=$folderId&take=500" `
        -Headers $headers).records

    foreach ($s in $secrets) {
        Invoke-RestMethod `
            -Uri "$SS_URL/api/v1/secrets/$($s.id)/change-password" `
            -Method POST `
            -Headers $headers `
            -ContentType "application/json"
        Write-Host "Queued rotation: $($s.name)"
        Start-Sleep -Milliseconds 300   # Rate-limit to avoid overwhelming the RPC queue
    }
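Steps 1 to 4 combined into reusable functions suited to a post-incident mass rotation, as an added example that is not code from the guide or from Delinea. It uses only the endpoints the guide shows (oauth2/token, GET /api/v1/secrets, POST /api/v1/secrets/{id}/change-password) plus two assumptions that are labelled in the code: that the secrets listing accepts a skip= parameter for paging, and that the token response carries expires_in. The Ss* function names are this example's own. Compared with the loop above, it pages through the folder instead of relying on a single take=500 call, keeps going when one endpoint fails, supports -WhatIf for a dry run, and returns a result object per Secret that can be attached to the incident ticket.

```powershell
# Added example, not the guide's or Delinea's code. Assumptions: skip= paging on
# GET /api/v1/secrets, and expires_in in the token response (labelled below).

function Connect-SsApi {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        [Parameter(Mandatory)][pscredential]$Credential   # e.g. Get-Credential svc-automation
    )
    $body = @{
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
        grant_type = 'password'
    }
    $resp = Invoke-RestMethod -Uri "$BaseUrl/oauth2/token" -Method Post -Body $body
    $ttl  = if ($resp.expires_in) { [int]$resp.expires_in } else { 1200 }   # expires_in: assumed field; fallback 20 min
    # The token lives only in this context object; never Write-Host it or run under Start-Transcript.
    [pscustomobject]@{
        BaseUrl = $BaseUrl.TrimEnd('/')
        Headers = @{ Authorization = "Bearer $($resp.access_token)" }
        Expires = (Get-Date).AddSeconds($ttl - 60)
    }
}

function Get-SsFolderSecret {
    # Pages through a folder; skip= is an assumption, not shown in the guide.
    param([Parameter(Mandatory)]$Ctx, [Parameter(Mandatory)][int]$FolderId, [int]$PageSize = 100)
    $skip = 0
    do {
        $page = Invoke-RestMethod -Headers $Ctx.Headers `
            -Uri "$($Ctx.BaseUrl)/api/v1/secrets?folderId=$FolderId&take=$PageSize&skip=$skip"
        $records = @($page.records)
        $records
        $skip += $PageSize
    } while ($records.Count -eq $PageSize)
}

function Start-SsFolderRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]$Ctx,
        [Parameter(Mandatory)][int]$FolderId,
        [Parameter(Mandatory)][string]$Ticket,   # change/incident reference recorded in every result row
        [int]$DelayMs = 300                      # keeps the RPC queue from being flooded
    )
    foreach ($s in Get-SsFolderSecret -Ctx $Ctx -FolderId $FolderId) {
        if ((Get-Date) -ge $Ctx.Expires) { throw "API token expired; reconnect before continuing ($Ticket)" }
        if (-not $PSCmdlet.ShouldProcess($s.name, "Remote password change for $Ticket")) { continue }
        $status = 'Queued'; $err = $null
        try {
            Invoke-RestMethod -Uri "$($Ctx.BaseUrl)/api/v1/secrets/$($s.id)/change-password" `
                -Method Post -Headers $Ctx.Headers -ContentType 'application/json' `
                -Body (@{ secretId = $s.id } | ConvertTo-Json) | Out-Null
        } catch {
            # One unreachable endpoint must not abort the rest of the fleet.
            $status = 'Failed'; $err = $_.Exception.Message
        }
        [pscustomobject]@{
            SecretId    = $s.id
            Name        = $s.name
            Status      = $status
            Error       = $err
            Ticket      = $Ticket
            QueuedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
        Start-Sleep -Milliseconds $DelayMs
    }
}

# Usage:
# $ctx = Connect-SsApi -BaseUrl 'https://secretserver.corp.example.com' -Credential (Get-Credential svc-automation)
# Start-SsFolderRotation -Ctx $ctx -FolderId 88 -Ticket 'INC-20260307-0042' -WhatIf    # dry run first
# Start-SsFolderRotation -Ctx $ctx -FolderId 88 -Ticket 'INC-20260307-0042' |
#     Export-Csv "rotation-INC-20260307-0042.csv" -NoTypeInformation
```

Queued is not the same as rotated: the POST only schedules the RPC. The Audit tab (or the webhook in Step 5) is where PASSWORD CHANGE SUCCEEDED or a failure shows up per Secret, so the CSV of queued IDs is the list to reconcile against afterwards.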

Step 5 — Webhook Notification on Rotation Events

    # Configure at: Admin › Event Subscriptions › New › Webhook
    # Secret Server POSTs this JSON payload to your endpoint on PASSWORD CHANGE SUCCEEDED:
    {
      "eventType"  : "SecretPasswordChanged",
      "secretId"   : 1042,
      "secretName" : "CORP-WS-0142 — Administrator",
      "folderId"   : 88,
      "changedBy"  : "System (Auto)",
      "timestamp"  : "2026-03-07T14:32:11Z"
    }
SDK Alternative: The Thycotic.SecretServer PowerShell module (available on PSGallery) wraps the REST API with typed cmdlets, handles OAuth token refresh automatically, and is the preferred method for scripted automation.

Test Case Scenario

Simulated post-incident exercise. Work through each task and mark it complete as you go.

🔴 Scenario — Suspected Credential Harvesting: Emergency Rotation Required

EDR telemetry has flagged a memory-scraping process on CORP-WS-0142 at 09:14 UTC. A Mimikatz-signature binary was detected in the process tree before being terminated. The local Administrator account on this machine was last rotated 61 days ago and has not been rotated since the alert fired.

The corresponding Secret is ID #1042 in Secret Server, located at IT\Local Admin Accounts\Workstations. Your SOC ticket is INC-20260307-0042.

Your task: Rotate the credential immediately using Secret Server RPC, validate the change end-to-end, check for attacker persistence, and document the incident in the Secret's audit record.

  • 1. Open Emergency Change Ticket Create a P1 change record in your ITSM tool. Reference incident INC-20260307-0042. Select "Emergency — Security Incident" as change type. Record your authorization approver before proceeding.
  • 2. Locate Secret #1042 in Secret Server Navigate to IT\Local Admin Accounts\Workstations. Open CORP-WS-0142 — Administrator and confirm the Machine field matches the affected hostname exactly.
  • 3. Run Heartbeat — Assess Current State On the Remote Password Changing tab, click Run Heartbeat. A Success result means the stored password still matches the target. A Failure means the credential was already changed out-of-band — escalate immediately if failed.
  • 4. Trigger "Change Password Now" via RPC Click Change Password Remotely on the RPC tab. Secret Server generates a new 20-character policy-compliant password, connects via WMI to CORP-WS-0142, performs the OS-level change, and stores the new value in the vault atomically.
  • 5. Confirm "PASSWORD CHANGE SUCCEEDED" in Audit Tab Open the Secret's Audit tab. Verify the event shows PASSWORD CHANGE SUCCEEDED with a timestamp within the last 2 minutes. Screenshot this for INC-20260307-0042.
  • 6. Run Heartbeat Again — Validate New Credential After rotation, click Run Heartbeat a second time. A HEARTBEAT SUCCEEDED result confirms the newly rotated password is valid and working on the target. Record the timestamp.
  • 7. Verify Old Password No Longer Works Using Secret History tab (view-only — do not checkout), retrieve the previous password value. Attempt to authenticate to CORP-WS-0142 with it. Confirm authentication fails with "wrong password" — not an account lockout — which would indicate the account is still active but the old credential is invalidated.
  • 8. Check for Unauthorized Local Accounts on Target Run the command below on CORP-WS-0142 and cross-reference results against your approved-accounts inventory. Any unknown enabled account is a persistence indicator of compromise (IOC).
    Get-LocalUser | Where-Object { $_.Enabled -eq $true } |
        Select-Object Name, LastLogon, PasswordLastSet
  • 9. Review Windows Security Event Log on Target Filter for the following Event IDs in the 09:00–09:30 UTC window. Any events not attributed to authorized users are escalation items.
    # Event ID 4720 = New local account created
    # Event ID 4732 = Account added to Administrators group
    # Event ID 4624 = Successful logon (filter for LogonType 3 = network)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4732, 4624
        StartTime = '2026-03-07 09:00:00'
        EndTime   = '2026-03-07 09:30:00'
    } |
        # For 4624 keep only network logons; Properties[8] is the LogonType field
        Where-Object { $_.Id -ne 4624 -or $_.Properties[8].Value -eq 3 } |
        Select-Object TimeCreated, Id, Message | Format-List
  • 10. Close Ticket, Notify SOC & Update Secret Notes In the Secret's Notes field, record: incident ticket number (INC-20260307-0042), pre-rotation password age (61 days), rotation timestamp, your name, Heartbeat confirmation timestamp, and persistence check findings. Close the change ticket and send a close-out notification to the SOC team.
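Tasks 8 and 9 as two repeatable functions with an explicit allow-list, so the output is a short list of items to escalate rather than a wall of events. This is an added example, not part of the exercise as written; the function names and the approved-account and authorized-operator lists are constructed placeholders. Run it elevated on the target, or through Invoke-Command from the jump host.

```powershell
# Added example, not from the guide: persistence checks from the test case with
# an allow-list, reading EventData fields by name instead of scraping Message.

function Find-UnapprovedLocalAccount {
    param(
        [Parameter(Mandatory)][string[]]$ApprovedAccounts,
        # Defaults to live data; pass objects with Name/Enabled/LastLogon/PasswordLastSet for offline review
        [object[]]$Accounts = (Get-LocalUser)
    )
    $Accounts | Where-Object { $_.Enabled -and ($ApprovedAccounts -notcontains $_.Name) } |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

function Get-PersistenceEvent {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string[]]$AuthorizedActors = @()     # operators expected to create accounts or change group membership
    )
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $Start; EndTime = $End
    }

    foreach ($e in $events) {
        # EventData fields keyed by their Name attribute
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($n.Name) { $d[$n.Name] = $n.'#text' }
        }

        if ($e.Id -eq 4720) {
            $actor  = $d['SubjectUserName']
            $detail = "created local account $($d['TargetUserName'])"
        } elseif ($e.Id -eq 4732) {
            $actor  = $d['SubjectUserName']
            $detail = "added $($d['MemberSid']) to group $($d['TargetUserName'])"
        } elseif ($d['LogonType'] -eq '3') {
            # 4624: only network logons are relevant to a lateral-movement review
            $actor  = $d['TargetUserName']
            $detail = "network logon from $($d['IpAddress']) via $($d['AuthenticationPackageName'])"
        } else {
            continue
        }
        [pscustomobject]@{
            TimeUtc  = $e.TimeCreated.ToUniversalTime()
            Id       = $e.Id
            Actor    = $actor
            Detail   = $detail
            Escalate = ($AuthorizedActors -notcontains $actor)
        }
    }
}

# Usage (constructed allow-lists):
# Find-UnapprovedLocalAccount -ApprovedAccounts 'Administrator', 'svc-backup'
# Get-PersistenceEvent -Start '2026-03-07 09:00:00' -End '2026-03-07 09:30:00' `
#     -AuthorizedActors 'Administrator', 'svc-automation' |
#     Where-Object Escalate | Format-Table -AutoSize
```

The Escalate flag is deliberately coarse: anything in the window performed by an account outside the authorized list is handed to a human. Network logons by the rotated Administrator account itself during the window are the ones to compare against the Secret's checkout and RPC timestamps, since Secret Server's own connection will appear there too.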

Knowledge Check

Select the best answer for each question. Instant feedback and explanation provided.

Q1 — What Secret Server feature periodically tests that a stored password still matches the target system?
Remote Password Changing (RPC)
Heartbeat
Secret Checkout
Session Recording
Q2 — What does "Change on Checkin" do when enabled on a Secret?
Locks the Secret from edits until the next audit cycle
Emails the new password to the Secret owner
Automatically triggers an RPC rotation the moment the Secret is returned after checkout — making every session credential single-use
Requires dual-person authorization before the Secret can be checked out again
Q3 — What is the role of a "privileged changer account" in Secret Server's RPC configuration?
It is the local admin account whose password is being rotated
It is a separate privileged account that Secret Server authenticates as to connect to the target and perform the password change on the managed account
It is the Secret Server service account running the web application pool
It is a read-only audit account used only for Heartbeat validation
Q4 — Heartbeat runs BEFORE rotation and returns FAILED. What should you do first?
Proceed with rotation immediately — Heartbeat failures are common and can be ignored
Disable Heartbeat and retry the rotation
Investigate before rotating — a pre-rotation failure means the stored credential no longer matches the target, which could indicate the password was changed out-of-band by an attacker
Delete and recreate the Secret with a known-good password
Q5 — Which REST API endpoint triggers an immediate password rotation on a specific Secret?
POST /api/v1/secrets/{id}/rotate-now
PUT /api/v1/rpc/force-change
POST /api/v1/secrets/{id}/change-password
PATCH /api/v1/secrets/{id}/update-credential
Q6 — What is the RECOMMENDED way for help desk staff to use a local admin credential from Secret Server?
Copy the plaintext password from the Secret and paste it into an RDP client
Email the credential to the technician who needs it for the session
Use the Secret Server Launcher (RDP/SSH) — it injects the credential directly into the session without ever exposing plaintext to the operator
Store the password in a shared team spreadsheet during the maintenance window
Q7 — On macOS, why is a custom sysadminctl changer preferred over the default Unix SSH password changer?
sysadminctl is faster because it uses TCP 443 instead of SSH
The default changer uses passwd which is interactive and may stall; sysadminctl is non-interactive, accepts admin credentials programmatically, and works reliably on macOS 12+
sysadminctl does not require SSH to be enabled on the target
Apple deprecated dscl so sysadminctl is the only supported option