Symantec Privileged Access Management

  • 1.  PAM 3.1.1 Windows Remote Acct Management

    Broadcom Employee
    Posted Feb 20, 2018 04:38 PM

Hi all,

I have a question about the Windows Remote feature in PAM 3.1.1.

Can a domain admin account be configured to change local accounts on servers using the Windows Remote target application? If so, can you share any requirements?

Thanks in advance!

Mike Pass



  • 2.  Re: PAM 3.1.1 Windows Remote Acct Management
    Best Answer

    Broadcom Employee
    Posted Feb 20, 2018 04:49 PM

Just to be specific: you can do it, but not with a managed Domain account.

1) You need to create a target application using "Windows Remote" and set it to Domain, pointing at the Windows end-node (NOT pointed at a DC).

2) Then set up the duplicate "Domain Admin" acct (DO NOT sync, since you're not pointed at a DC).

3) Set up the target application for a local acct.

4) Set up your target local account(s) and use the "Domain Admin" acct from step 2.



  • 3.  Re: PAM 3.1.1 Windows Remote Acct Management

    Broadcom Employee
    Posted Feb 21, 2018 01:16 PM

Just to follow up on the Domain Acct that is both Managed and UnManaged:

1) You could then set up a Target Group to include the Domain Acct that is managed and all the duplicate Domain accts for each end-node that are not Managed.

2) Set up a scheduled job that rotates the group at a specific time, but uses the same password for all accts.

This way, whenever you update the local accounts, the Domain Account that you used is always up to date!

Still not the best way, but an alternative.
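The two replies above describe one managed domain account on the DC plus an unmanaged duplicate of it per Windows Remote end-node, kept in step by a group rotation that pushes one shared password. The risk in that design is drift: if the managed copy is ever rotated on its own (for example by a password view policy) without the group job running, every duplicate becomes a stale credential that the DC will reject, and local-account management on those end-nodes silently breaks. The following Python is an added illustration of that model and a drift check; it is not PAM's code or API, and the account name, host names, DC name and the `TargetAccount` record are all assumed for the example.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TargetAccount:
    """One credential record, modelled on what a PAM target account holds (hypothetical, not the PAM API)."""
    name: str
    endpoint: str      # host the credential is stored for (the DC for the managed copy)
    managed: bool      # True: PAM rotates it on the DC; False: unmanaged duplicate for a Windows Remote target
    password: str = ""


def generate_password(length: int = 24) -> str:
    """Generate a random password from the OS CSPRNG (secrets), never from random.random()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_group(domain_account: str, end_nodes: List[str]) -> List[TargetAccount]:
    """Model the Target Group from the reply: one managed domain account plus one
    unmanaged duplicate per end-node whose local accounts it will manage."""
    group = [TargetAccount(domain_account, "dc01.example.test", managed=True)]  # assumed DC name
    for node in end_nodes:
        group.append(TargetAccount(domain_account, node, managed=False))
    return group


def rotate_group(group: List[TargetAccount], new_password: Optional[str] = None) -> str:
    """Rotate every member of the group to the same password (the scheduled job in step 2)."""
    password = new_password if new_password is not None else generate_password()
    for acct in group:
        acct.password = password
    return password


def find_drift(group: List[TargetAccount]) -> List[str]:
    """Return the endpoints whose unmanaged duplicate no longer matches the managed
    domain account. Any entry here is a credential PAM will present that the DC will reject."""
    managed = [a for a in group if a.managed]
    if len(managed) != 1:
        raise ValueError("group must contain exactly one managed domain account")
    source = managed[0]
    return [a.endpoint for a in group if not a.managed and a.password != source.password]


if __name__ == "__main__":
    # Constructed sample data: one domain account, two end-nodes.
    grp = build_group("CORP\\svc-pam-local", ["srv-app01", "srv-app02"])
    rotate_group(grp)
    print("drift after group rotation:", find_drift(grp))
    # Simulate the managed account being rotated on its own, with no group job run:
    # the duplicates are now stale and the end-nodes will fail at the next change.
    grp[0].password = generate_password()
    print("drift after solo rotation:", find_drift(grp))
```

A check like `find_drift` is the thing worth scheduling right after the group job (and after any policy that rotates the managed account alone): a non-empty result means the next local-account password change on those end-nodes will fail and the account will show as out of sync.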



  • 4.  Re: PAM 3.1.1 Windows Remote Acct Management

    Broadcom Employee
    Posted Feb 22, 2018 09:41 AM

I've tested this on a small scale, but it works well so far.

In ref to "still not the best way but an alternative", would you suggest that using the Proxy is a better option?

Thanks for your responses!

-Mike Pass



  • 5.  Re: PAM 3.1.1 Windows Remote Acct Management

    Broadcom Employee
    Posted Feb 22, 2018 09:45 AM

No, I meant to just use a local admin account to manage other accounts as opposed to a domain account; this just doesn't seem to be as clean a solution as it should be.



  • 6.  Re: PAM 3.1.1 Windows Remote Acct Management

    Posted Nov 27, 2018 06:29 PM

Hi Robert,

I have the following problem:

I have created a target application of type Windows Remote and I have selected domain account.
I have created a target account based on the previous target application.
I have successfully synchronized the password with the target system.
I have assigned a PVP that changes the password 5 minutes after connecting to the endpoint or viewing the password, but CA PAM does not succeed at the time of changing the password, and the account is out of sync.

Any idea what may be happening, or anything I can validate or verify?

Thanks