What does the Passwordstate Windows Service actually Do?

Passwordstate, being a web based solution, has a User Interface (UI) accessible via a published URL.  This enables authorized employees access to create, access and share credentials based on their assigned level of permission.  The UI is the second most basic method of accessing a password record (the first being via our Browser Extensions).

For activities that don’t require user intervention, like scheduled password resets and account validations, we have a Windows Service called Passwordstate Service.  This is created during the Passwordstate Installation process and as the description in the image below states, provides management tasks for Passwordstate, 

But what sort of management tasks are handled by this service.  What special properties or permissions does it require?

The Passwordstate Service is Responsible for…

The Passwordstate Service effectively runs in an unattended manner and is responsible for processing scheduled events.  This is done by reading multiple tables and queueing any jobs due to be run.  When multiple jobs are due at the same time they are dynamically queued and sequentially processed.  The Passwordstate Service executes jobs within a defined security context, for example, using the specified Privileged Account Credential for any Active Directory Password Resets.

The following events are handled by the Passwordstate Service,

  • Scheduled Password Resets, Discoveries and Heartbeats
  • Scheduled Backups
  • Sending Email Notifications
  • Checking for new Builds
  • Sending Audit Log data to Syslog Server
  • Synchronizing AD Security Groups
  • Sending Scheduled Reports
  • Archiving Auditing data
  • Removing Time Based Permissions

In order to perform these events, the Passwordstate Service is in constant communication with the database.  Each type of event has a specific interval timer used to specify when to next poll for that event.

The Passwordstate Service should only ever be set to logon as the Local System Account as per the image below,

It should not be configured to logon as an Active Directory account.  The only exception to this is if you are using Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA).  If using these you’ll need to ensure you’ve followed the instructions to Configure Passwordstate to use a Managed Service Account (MSA) to connect to the database located in https://www.clickstudios.com.au/downloads/version9/Installation_Instructions.pdf

Restarting the Service

As outlined previously, the Passwordstate Service is responsible for events that don’t require user intervention.  This means restarting the service is non-disruptive for users that are currently logged into Passwordstate.  To restart the Passwordstate Service, simply fire up the Services App, search down the list of services for Passwordstate Service, right click on the service and select Restart as per the image below;

Alternatively, you could fire up the Windows CMD Shell as an Administrator and type in Net Stop “Passwordstate Service” and hit enter.  Once the Passwordstate Service has stopped you’ll need to type in Net Start “Passwordstate Service” and hit enter again as per the image below;   

This performs the equivalent of the Restart command in the Services App (there is no Restart option for the Net command).

The Passwordstate Service enables automation of events that don’t require user intervention.  In the event you need to restart the service you can do so easily and without disrupting your users.

Share your feedback by emailing it through to support@clickstudios.com.au.