Layer7 Privileged Access Management

Expand all | Collapse all

PAM 3.1.1 Windows Remote Acct Management

Jump to Best Answer
  • 1.  PAM 3.1.1 Windows Remote Acct Management

     
    Posted 02-20-2018 04:38 PM

    Hi all,

     

    I have a question about the windows remote feature in PAM 3.1.1.


    Can a domain admin account be configured to change local accounts on servers using the Windows Remote Target application? If so, can you share any requirements?

     

    Thanks in advance!

     

    Mike Pass



  • 2.  Re: PAM 3.1.1 Windows Remote Acct Management
    Best Answer

    Posted 02-20-2018 04:49 PM

    just to be specific, you can do it but not with a managed Domain account

     

    1) you need to create a target application using "Windows Remote" and setting to Domain pointing at the windows end-node. (NOT pointed at a DC)

    2) then setup the duplicate "Domain Admin" acct ( DO NOT sync since your not pointed at a DC)

    3)setup the target application for a local acct

    4) setup your target local account(s) and use the "Domain Admin" acct from step 2



  • 3.  Re: PAM 3.1.1 Windows Remote Acct Management

    Posted 02-21-2018 01:16 PM

    just to follow up on the Domain Acct that is both Managed and UnManaged:

    1) you could then setup a Target group to include the Domain Acct that is managed and all the duplicate Domain accts for each end-node that is not Managed

    2) setup up a scheduled job that rotates the group at a specific time, but uses the same password for all Accts

     

    this way when ever you update the local accounts the Domain Account that you used is always uptodate!

     

    still not the best way but an alternative



  • 4.  Re: PAM 3.1.1 Windows Remote Acct Management

     
    Posted 02-22-2018 09:41 AM

    I've tested this on a small scale but works well so far.

     

    In ref to "still not the best way but an alternative", would you suggest that using the Proxy is a better option?

     

    Thanks for your responses!

     

    -Mike Pass



  • 5.  Re: PAM 3.1.1 Windows Remote Acct Management

    Posted 02-22-2018 09:45 AM

    no, I meant to just use a local admin account to manage other accounts as opposed to a domain account, this just doesn't seem to be as clean a solution as it should be.



  • 6.  Re: PAM 3.1.1 Windows Remote Acct Management

    Posted 11-27-2018 06:29 PM

    Hi Robert

     

    I have the next problem

     

    I have created a target application type windows remote and I have selected domain account
    I have created a target account based on the previous target application
    I have successfully synchronized the password with the target system
    I have assigned a PVP that changes the password 5 minutes after connecting to the endpoint or see the password, but CA PAM at the time of changing the password does not succeed and the account is out of sync

     

     

    Any idea that may be happening, that I can validate or verify ?

     

    Thanks