Changing the BladeLogicRSCD account password on domain controllers

The RSCD account must be functional for user mapping. At times it may be necessary to change the password on this RSCD account due to customer requirements, and doing so on Microsoft Windows domain controllers can be difficult because the account is shared across domain controllers. 

Use the following instructions to automate this process. Note that the general steps can also be performed manually for one-time changes.

Using chapw to change the password

As of BMC Server Automation 8.2 the chapw command can be used to change the BladeLogicRSCD account password across domain controllers in the same domain. Run the following command from an NSH session that is mapped to an Administrative account on the domain controllers:

> chapw -p password -m pdc_emulator dc2 dc3 [... dc(n)]

To change the BladeLogicRSCD account password on domain controllers

For a version of BMC Server Automation earlier than 8.2 or to set the password on a domain controller being added to the domain after the password was already changed, you can use the following this procedure:

  1. Run the BMC Server Automation chapw command, available from the Application Server, against a non-domain controller, stand-alone, or member server to change the password for the local BladeLogicRSCD user. This command creates the registry key password that is pushed to the domain controllers.

    > chapw -p <PASSWORD> <STAND-ALONE_HOSTNAME>
  2. Run psexec on the non-domain controller server to obtain the hash value for password*.
     Use the command psexec -s -i -d regedit to launch regedit as the SYSTEM user. The registry value can only be viewed as the SYSTEM account user. The following key and REG_BINARY contains the value for the password generated in Step 1:
    HKLM\SAM\SAM\BladeLogic\Operations Manager\RSCD\S
     The value of the REG_BINARY S must be recorded and entered into the BLPackage property for the BladeLogicRSCD password.
    BladeLogicRSCD_user_chapw_1.png

  3. Edit the BLPackage created to update the registry key on the non-primary domain controllers. The value is updated by pushing out the psexectool and using an external command to update the current value:

    >psexec -s reg add "HKLM\SAM\SAM\BladeLogic\Operations Manager\RSCD" /v "S" /t REG_BINARY /d 5298896 /f

    The value for the password can be parameterized: - /d %PASSWORD%.

  4. If this procedure is being done on pre-8.2 domain controllers, deploy the BL Package on all the non-primary domain controllers.
    This updates the registry key, but not the password, for the BladeLogicRSCD account, as the user's account is in Active Directory.

    Otherwise, you can import the registry key from the command line into the registry on the new domain controller.     

  5. Using the BMC Server Automation chapw command, change the password on the domain controller or on multiple domain controllers to the password specified in Step 1.

    > chapw -p <PASSWORD> <PRIMARY_DC> 

  6. Force replication of the Active Directory change to the BladeLogicRSCD account.
     Alternatively, replication should occur after five minutes. After that has completed, communication to all domain controller RSCD agents uses the new BladeLogicRSCD password. 

    agentPassword.png

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*