The Service Account Manager serves three purposes. It allows you to:
- Create new accounts with random passwords.
- Use existing AD accounts as Unified ICM service accounts.
- Provide an interface to modify Unified ICM service account passwords.
The following diagram illustrates the basic workflow of the Service Account Manager.
You must have the correct privileges to create or modify accounts in the domain. Typically, a domain administrator performs this task. However, the Service Account Manager does not enforce domain administrator privileges. You must have the correct permissions before you invoke the Service Account Manager.
The service account must be in the same domain as the Unified ICM server. When choosing an existing account, the Service Account Manager restricts the account to be selected from the same domain as the server.
Special Case: When the distributor is in a different domain than the logger, place the distributor service account in the instance service security groups of both its own domain and the logger domain.
If the Service Account Manager finds that a service is running, it first requests your permission; if you approve, it stops the service. If you choose not to stop the service, the Service Account Manager does not modify the service account information. If the Service Account Manager explicitly stopped the service before you edit the account information, it automatically starts the service. If the Service Account Manager fails to update the account in AD, due to either a noncompliant password policy or any connectivity error, the Service Account Manager warns you and logs the error. At that point, you can choose to fix the problem and retry, or cancel.
When you invoke the application as a standalone application, it maintains its own log file. If you invoke it through the Web Setup tool, logs are written to the Websetup log files only.
When the application is invoked from the standalone NAM's Logger servers (sides A and B), the command line is as follows:
ServiceAccountManager /SrcInstance<InstanceName> /DestDomain<DomainName> /DestFacility<FacilityName> /DestInstance<InstanceName>
The Service Account Manager has two user interfaces:
You can find a shortcut to the application in Windows
folder.
The Service Account Manager has two dialog boxes:
You can use the Service Account Manager as a standalone application or invoke it from Web Setup for Cisco Unified ICM/CCE and the Cisco Unified ICM/CCE Installer.
The Main Service Account Manager dialog box is the application's primary interface. It consists of the Services Requiring User Logon Accounts section (which contains the Service Name, Service Logon Account Name, Logon Account Health, Password Expiration, State, and Startup fields), the Facility/Instance drop-down, and the Select All, Edit Service Account, Fix Group Membership, Refresh, Close, and Help buttons.
The following table provides a description for each field and button in this dialog box.
The Edit Service Account dialog box allows you to create a new account or use an existing account, and to choose a random or a user-defined password. The status bar at the bottom of the dialog box displays status messages as needed.
The following table provides a description for each field, button, and check box for this dialog box.
Field/Button/Check box | Description
---|---
Service(s) | Displays the name of the service to be edited.
Service account(s) | Displays the account name for the selected service.
Account Domain | Displays the server domain. (Read Only)
Password | If the Password Type selected is Random-Generated Password, this field is populated with the generated password. If the Password Type selected is User-Defined Password, enter the password to be used for this account.
Confirm Password | If the Password Type selected is Random-Generated Password, this field is populated with the same generated password as the Password field. If the Password Type selected is User-Defined Password, re-enter the password to use for this account.
Account Type | Allows you to either create a new account or use an existing account by selecting the appropriate radio button. Create New Account is the default if no domain account is assigned yet. Use Existing Account is the default if a domain account is already assigned.
Password Type | Allows you to choose a random-generated or a user-defined password by selecting the appropriate radio button. Random Generated Password is the default if you are creating a new account. User Defined Password is the default, and only, option when using an existing account.
Update Active Directory | Checked is the default, and only, option if you are creating a new account. Unchecked is the default if using an existing account.
Apply | Click to apply any changes on this dialog box.
Close | Click to close this dialog box. Whenever this dialog box is closed, the Service Account Manager determines whether a valid domain account is associated with the services. If the Service Account Manager finds that you did not successfully associate a valid domain account with a service, it warns you that the service fails to function until you use the Service Account Manager to associate a valid domain account with the service.
Help | Select to access the online help for the Service Account Manager.
Note: The Service Account Manager command line option is only supported for NAM/CICM replication.
Web Setup uses the command line interface to silently create service accounts.
Setup passes the following three arguments to the Service Account Manager:
/Instance <InstanceName>
The InstanceName argument specifies the Unified ICM instance name for which the service is being set up.
/Service <ServiceType>
The Service argument specifies the type of the service whose account name and password are being created.
For example: /Service Distributor
Service types to use are:
/Log <Path\LogFileName>
The Log argument specifies the log file name and the path where the log is appended. Typically, Web Setup and the Cisco Unified ICM/CCE/CCH Installer pass their own log file name to append the logs. The Service Account Manager also maintains its own log file in the temp folder.
When upgrading the Unified ICMH to Unified ICM 9.0 (or later), the CICM replication process (CRPL) does not have proper permission to make configuration updates to customer instances without manually configuring the Active Directory.
This configuration entails adding the standalone NAM's logger service accounts to the service groups of the CICMs. Thus the standalone NAM's service account has the permissions necessary to update the database of the CICM.
One function the Service Account Manager provides is to automate the manual configuration steps (as described at http://www.cisco.com/en/US/products/sw/custcosw/ps5053/products_tech_note09186a00806c6609.shtml). This functionality is exposed through the Service Account Manager command-line interface as described in the Set Service Account Memberships for CICM Replication section.
Typically this functionality is utilized through two batch files (one for the A side and the other for the B side) where there is an entry for each CICM as a destination (/Dest). Each time the Web Setup is executed, running the batch file enables you to configure the Active Directory permissions properly.
Step 1 | Select a single service from the Main Service Account Manager dialog box.
Step 2 | Click Edit Service Account. The Edit Service Account dialog box opens.
Step 3 | Select Create New Account. If no domain account is associated with the service, then Create New Account is selected by default.
Step 4 | Enter a password or have one generated randomly. Random-Generated Password is selected by default.
Step 5 | Click Apply. The Service Account Manager creates a new account in AD with a password. If the account name exists, the Service Account Manager asks you to either recreate it or update the password. The application associates the account with the service on the server. It places the account in the required domain security group and local security group, and sets the required permissions. The service account is recreated, or only the password is changed, based on your selection before you click Apply.

Step 1 | Select a single service from the Main Service Account Manager dialog box.
Step 2 | Click Edit Service Account. The Edit Service Account dialog box opens.
Step 3 | Select Use Existing Account. If a domain account is associated with the service, Use Existing Account is selected by default.
Step 4 | Enter a password.
Step 5 | Choose whether to update the password in AD.
Step 6 | Click Apply. If previously selected, the Service Account Manager updates the password in AD. It updates the service on the server with the new account information. The Service Account Manager then places the account in the required domain security group and local security group, and sets the required permissions.

Step 1 | Select multiple services or click Select All.
Step 2 | Click Edit Service Account. The Edit Service Account dialog box opens. The Service Name column lists all services. Because multiple services are selected, Use Existing Account is selected by default.
Step 3 | Click Create New Account. A separate service account is created for each service.
Step 4 | Enter a password, or have one generated randomly. If you choose to enter a password, then the same password is shared across all accounts. If you choose to randomize the password, a separate random password is generated for each account.
Step 5 | Click Apply. The Service Account Manager creates multiple accounts in AD with the password. The application associates each account with the respective service on the server. It places the accounts in the required domain security group and local security group, and sets the required permissions.

Step 1 | Select multiple services or click Select All on the Main Service Account Manager dialog box.
Step 2 | Click Edit Service Account. The Edit Service Account dialog box opens. The Service Name column lists all services. Because multiple services are selected, Use Existing Account is selected by default.
Step 3 | Enter an account name.
Step 4 | Enter a password.
Step 5 | Choose whether to update the password in AD.
Step 6 | Click Apply. If previously selected, the Service Account Manager updates the password in AD. It updates the service on the server with the new account information. The Service Account Manager then places the account in the required domain security group and local security group, and sets the required permissions.

Fix Group Membership is only enabled when an account in the "Group Membership Missing" health state is selected.
Step 1 | Select the unhealthy accounts displaying the "Group Membership Missing" state.
Step 2 | Click Fix Group Membership. If any of the selected accounts is not in the "Group Membership Missing" state, Fix Group Membership is disabled.
Step 3 | Click Apply. The Service Account Manager then places the account in the required domain security group and local security group, and sets the required permissions.