Break glass accounts for recovery sites
Overview
This article explains how to configure break glass accounts in Cayosoft Guardian when creating or editing a forest recovery plan. Break glass accounts are temporary administrative accounts created automatically by Cayosoft Guardian during forest recovery. These accounts allow initial login access to the restored Active Directory environment.
Break glass accounts are used for several reasons:
Post-Forest Recovery Access: After forest recovery, administrators need to log into domains and verify that everything is functioning correctly. In some cases, their existing accounts may not be suitable.
Domain Controller Promotion: During the forest recovery process, this account will be used to promote new domain controllers.
IMPORTANT: Separate break glass accounts will be created in each domain. Thus, all of them will receive different UPNs but the same password.
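A post-recovery check for the per-domain accounts described above, as an added example that is not part of the Cayosoft documentation or product. It assumes the ActiveDirectory RSAT module is available and that each account's sAMAccountName matches the plan's break glass account name; `breakglass` is the article's sample name.

```powershell
# Added example, not Cayosoft code. Inventories the break glass account in every
# domain of the recovered forest so the set can be reviewed after recovery.
# Assumption: sAMAccountName equals the plan's "Break glass account name".
Import-Module ActiveDirectory

$BreakGlassName = 'breakglass'   # sample name from the article; use your plan's value

$report = foreach ($domain in (Get-ADForest).Domains) {
    try {
        $user = Get-ADUser -Server $domain `
            -Filter "SamAccountName -eq '$BreakGlassName'" `
            -Properties PasswordLastSet, LastLogonDate, MemberOf, whenCreated
    }
    catch {
        Write-Warning "Could not query ${domain}: $($_.Exception.Message)"
        continue
    }

    [pscustomobject]@{
        Domain          = $domain
        Found           = [bool]$user
        UPN             = $user.UserPrincipalName
        Enabled         = $user.Enabled
        Created         = $user.whenCreated
        PasswordLastSet = $user.PasswordLastSet
        # LastLogonDate comes from lastLogonTimestamp, which replicates lazily,
        # so treat it as approximate.
        LastLogonDate   = $user.LastLogonDate
        DirectGroups    = if ($user) { @($user.MemberOf).Count } else { 0 }
    }
}

$report | Sort-Object Domain | Format-Table -AutoSize

# All of these accounts share one password, so review them as a set: accounts that
# are still enabled once verification is complete need the same follow-up everywhere.
$stillEnabled = @($report | Where-Object { $_.Found -and $_.Enabled })
if ($stillEnabled.Count -gt 0) {
    Write-Warning ("{0} break glass account(s) still enabled: {1}" -f
        $stillEnabled.Count, ($stillEnabled.UPN -join ', '))
}
```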
Requirements
Before configuring a break glass account:
Ensure at least one backup of a domain controller exists in the selected backup location.
Confirm you have administrative privileges to create or modify forest recovery plans.
Configuring break glass accounts
To configure the break glass accounts in a Forest recovery plan:
Open the Cayosoft Guardian web portal.
Go to Forest Recovery > Recovery Plans.
Click +Add to add a forest recovery plan.
Click Save to apply settings or click Cancel to discard changes.
IMPORTANT: Administrators must copy and securely store the generated password at plan creation time. The password will not be retrievable after the plan is saved.
Field: Description
Active Directory forest: Select the Active Directory forest from the drop-down list.
Recover one domain controller per domain: Enable this checkbox if you want to recover one domain controller for each domain. This feature is available for Forest recovery plan and Recovery plan for standby forest.
Recover to this point in time (UTC-00): Select a date and time from the drop-down list.
Break glass account name: Enter a unique name for the break glass account (e.g., breakglass).
Password: A secure password is automatically generated. It is visible only during plan creation and must be saved by the administrator. Use the copy icon to copy and save the password.
Confirmation: Enter the automatically generated and saved password before proceeding.
To configure the break glass accounts in a Recovery plan for standby forest:
Open the Cayosoft Guardian web portal.
Go to Forest Recovery > Recovery Plans.
Click +Add to add a standby forest recovery plan.
Click Save to apply settings or click Cancel to discard changes.
IMPORTANT: Administrators must copy and securely store the generated password at plan creation time. The password will not be retrievable after the plan is saved.
Field: Description
Active Directory forest: Select the Active Directory forest from the drop-down list.
Recover one domain controller per domain: Enable this checkbox if you want to recover one domain controller for a domain. This feature is available for Forest recovery plan and Recovery plan for standby forest.
Cloud service: Click the ellipsis button (•••) to browse and select the cloud service.
Break glass account name: Enter a unique name for the break glass account (e.g., breakglass).
Password: A secure password is automatically generated. It is visible only during plan creation and must be saved by the administrator. Use the copy icon to copy and save the password.
Confirmation: Enter the automatically generated and saved password before proceeding.
To configure the break glass accounts in a Custom forest recovery plan:
Open the Cayosoft Guardian web portal.
Go to Forest Recovery > Recovery Plans.
Click +Add to add a custom forest recovery plan.
Click Save to apply settings or click Cancel to discard changes.
IMPORTANT: Administrators must copy and securely store the generated password at plan creation time. The password will not be retrievable after the plan is saved.
Field: Description
Backups to use: Click the ellipsis button (•••) to browse and select one or more backups.
Domain controllers to recover:
  Only Domain Controllers in the selected backups - Only the domain controllers with backups in the selected location(s) will be included in the recovery.
  All Domain Controllers from the source domain(s) - All domain controllers in the source domain(s) will be recovered, regardless of whether a backup is available for each. (Used for full domain recovery.)
Break glass account name: Enter a unique name for the break glass account (e.g., breakglass).
Password: A secure password is automatically generated. It is visible only during plan creation and must be saved by the administrator. Use the copy icon to copy and save the password.
Confirmation: Enter the automatically generated and saved password before proceeding.
Updating or disabling break glass account
Cayosoft Guardian provides the ability to directly configure break glass accounts within existing Forest Recovery Plans, allowing administrators to create, update, or disable break glass accounts as needed — without recreating the entire plan.
To configure the break glass account:
In the Cayosoft Guardian web portal, navigate to Forest Recovery > Recovery Plans.
Select the plan you want to modify.
At the top of the plan window, click the new Configure break-glass accounts button.
To enable or update the break glass feature, check the Create break glass accounts box.
Or,
Uncheck the Create break glass accounts box to remove the break glass credentials from the plan and stop them from being used in future deployments.
Enter or modify account details.
Click Save to apply your changes or click Cancel to discard changes.
Field: Description
Break glass account name: Enter a unique name for the break glass account (e.g., breakglass).
Password: A secure password is automatically generated. It is visible only during plan creation and must be saved by the administrator. Use the copy icon to copy and save the password.
Confirmation: Enter the automatically generated and saved password before proceeding.