This is in relation to "Case # 04044870 - Changing the vault service account automatically".
Our end goal is very simple: the ability to change the vault service account password programmatically.
We can easily change it on a Windows Service, Scheduled Task, Active Directory, or using any sort of API, command line tool, etc., but we can't do this (or at least not easily) if the password has to be changed through a GUI, which is the case at the moment.
We just want to automate the following: http://www.symantec.com/business/support/index?page=content&id=TECH48035
The EV account can search through all our emails and restore them in any given mailbox. From a pure confidentiality point of view, this is less than ideal, but there's no alternative if you want to use an email archiving and restoring solution.
We can't audit what this user is doing in our Exchange mailboxes due to the huge amount of logs this is currently generating. Exchange 2010 can't handle that, and there's also the question of how you actually differentiate whether an action was done by a human being or by an automated task.
The main problem occurs when our sysadmins are requested to search and restore old emails into mailboxes. In this situation they need to use the EV account. How can we make sure they are not using it for other purposes if we can't monitor what's going on?
One way to alleviate this situation would be to change the EV password and store it in a secure location, then make sure our sysadmins have to request this new password and use it via recorded sessions. After that, the password has to be changed automatically and should not be known publicly.
EV does not offer any command line tool or similar means to change the password programmatically, so we are struggling to achieve a minimum level of security in this case.