I have a question about the Windows Remote feature in PAM 3.1.1.
Can a domain admin account be configured to change local accounts on servers using the Windows Remote Target application? If so, can you share any requirements?
Thanks in advance!
Just to be specific, you can do it, but not with a managed Domain account.
1) You need to create a target application using "Windows Remote", set to Domain and pointing at the Windows end-node (NOT pointed at a DC).
2) Then set up the duplicate "Domain Admin" acct (DO NOT sync, since you're not pointed at a DC).
3) Set up the target application for a local acct.
4) Set up your target local account(s) and use the "Domain Admin" acct from step 2.
Just to follow up on the Domain Acct that is both Managed and UnManaged:
1) You could then set up a Target group to include the Domain Acct that is managed and all the duplicate Domain accts for each end-node that are not Managed.
2) Set up a scheduled job that rotates the group at a specific time, but uses the same password for all Accts.
This way, whenever you update the local accounts, the Domain Account that you used is always up to date!
Still not the best way, but an alternative.
I've tested this on a small scale, but it works well so far.
In ref to "still not the best way but an alternative", would you suggest that using the Proxy is a better option?
Thanks for your responses!
No, I meant to just use a local admin account to manage other accounts as opposed to a domain account. This just doesn't seem to be as clean a solution as it should be.
I have the following problem:
I have created a target application of type Windows Remote and I have selected domain account. I have created a target account based on the previous target application. I have successfully synchronized the password with the target system. I have assigned a PVP that changes the password 5 minutes after connecting to the endpoint or viewing the password, but CA PAM does not succeed at the time of changing the password and the account is out of sync.
Any idea what may be happening, or what I can validate or verify?