We are running a Platform grid 9.4M6 and 9.4M8 SAS environment and were recently told we need to rotate every password used within the application. Has anyone done this before? How would we go about finding all the places to change?
Thank you
Hi @DJWanna. Passwords that are stored in the SAS configuration can be managed using the SAS Deployment Manager 'Update Passwords' task. For instructions, refer to:
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0rze9kvk0b7b0n16r2dsvfuq14r.htm
The SAS installer account is not managed by the SAS Deployment Manager. Changing its password on the host or domain should not impact SAS.
The lsf and pm account passwords cannot be changed with the SAS Deployment Manager. I am unfamiliar with the steps for updating those passwords.
If you don't get an answer here, you can open a case with SAS Technical Support.
Hi @gwootton ,
I am sorry, but I believe they are actually stored.
On one hand, lspasswd is needed to register some accounts' passwords - which go into an LSF/EGO file.
On the other hand, if you have the Scheduling service registered in the SAS Management Console with an Authorization Domain, you would have a SAS metadata group, and in this group's Account tab, the password of the account used for scheduling (very often lsfadmin or lsfuser).
Please correct me if I am wrong. Of course, there are setups of all flavours, but I find those 2 really often, if not always.
Leaving aside LSF / JS passwords, if you have SSO with Kerberos, and the account used as UPN for the keytab file needs to change the password, you would need to regenerate the keytab file again, else SSO authentications will fail.
If you change any of the WIP passwords, you will need to update those passwords as well in the server.xml and some AuthDomain groups too - as you would do if any database user (any outbound authentication) changed.
The first attempt at changing the passwords is always a learning experience. I changed the passwords of all internal accounts and external AD accounts in an environment for the first time in 6 years. There were a lot of unknowns, but you can always figure it out through testing and logs. One example is the account configured as lsfadministrator in SAS Environment Manager. The password is hardcoded (under the SAS Grid Manager resource), so I removed the account, saved the configuration, changed the password and then updated it with the new password. There is standard documentation for internal accounts, but external AD accounts should be handled carefully.
AFAIK, finding all of the places where passwords need changing is dependent on both your SAS architecture and the installed SAS products. So there is no documentation that can cover all of the possibilities. As @sangavis37 points out, it will be a matter of investigation, trial and error. Personally I think getting an exemption from the password changing rule is a far easier option...