Let said i have an AD account(Demo\admin) which is used in different Windows Servers(WinServer #1 & WinServer#2) for Admin purpose.
If Password View Policy(PVP) is to change password on connection end, and configure PAM with 2 different target account for WinServer #1 & WinServer #2. If target account WinServer #1 changed, will it automatically update target account on WinServer #2 with new password ?
How should I defined the target account that use in different windows server so that the password is always in sync after password changed ?
Hi William, Can you clarify your use case? You state that you have an AD account, for which the password would be stored in Active Directory, but then you are talking about target accounts that would have to be changed on the individual Windows Servers, which suggests that you are talking about local Windows accounts. For a domain account there is no problem. The password lives in one place (Active Directory) and is changed there. It doesn't matter whether it's used to connect to a single target device, or to many.
The use case is that, a Domain Admin account is used for administrative purpose, which can manage serverA and serverB and there are 5 users that can use this Domain Admin account. So how can we define the target account/credential for this purpose ? Assuming that, after each user had use the "Domain Admin" account, PAM will reset the password.
Note: We are referring to AD Domain account, not local admin on each win server.
Hi William, The standard way to pull AD accounts into PAM is to use the Active Directory target connector, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/reference/credential-manager-target-connector-settings/active-directory-target-connector. Then create a device group (or multiple groups) and define the device that the AD target application is associated with, as the credential source. This typically is a device representing a domain controller, or a DNS entry that resolves to a list of domain controllers. All devices in the device group can now use the AD target accounts. You can configure policies between individual users and this device group, or user groups and the device group, so that each user in the group can connect to any device in the device group using the same AD account. Please review PAM online documentation for details.
Thanks for the Info Ralf, we will try it.
in this scenario , that didn't work :
- user1 – is a normal domain account used to login into pam
- user1_admin - is a domain account , defined as target account with administrative privilege on two target devices
- server1,server2 – are target devices
If we set password change on connection end, after user1 close the session on server1, pam change the user1_admin password on ad BUT on pam the password saved in target account for user1->server2 is not synced, so the user1 cannot login on server2
How can we solve that problem ?
According to your description you have one domain account user1_admin. So there should be one and only one target account in PAM, and I explained above how you use a credential source for a device group to use the same target account for all devices in a group. You must not configure a second target account user1->server2.
Hi Ralf, thank you for reply
The link you posted says " The page you were trying to reach could not be found. The page does not exist or you do not have permissions to view the page. Navigate to the home page or try search to locate the content."
I've now created a group and then associated as credential source "Active Directory" , now if i want to create a target account, i need to specify a target device and target application that is possible to link only to a single device and not to a device group .
Also on a target application is possible to specify ONLY a target device and not target device group ...
What's the trick ?
Ralf, forget it, i've carefully read your previous post and solved the problem.
I've created a target account account_admin1 ON A active directory application (activedirectory type, that points to DC)
then assigned to a group of device with "credential source" = AD , and then created a policy for 1 user account1 to entire device group with the target account account_admin1
it works , thank you so much !!