Layer7 Privileged Access Management

Expand all | Collapse all

Windows Target Connector and Account Discovery

Jump to Best Answer
  • 1.  Windows Target Connector and Account Discovery

    Posted 07-23-2018 12:18 PM

    Is it possible to discover only accounts in a certain group, for example administrators group when using the Windows Target connector to discover local accounts?  The Account Discovery tab in the Target Application only allows one to specify a list of accounts to discover.   If I'm looking for unknown accounts that could be in the Administrators group would be more useful than specifying a known list of accounts. 



  • 2.  Re: Windows Target Connector and Account Discovery
    Best Answer

    Posted 08-08-2018 09:59 PM

    Hello John, Sorry for the delayed response. PAM does not have this feature at present. Group filters are only available for the Active Directory target connector and therefore for domain accounts, not for local Windows accounts. Feel free to raise an idea for an enhancement here.



  • 3.  Re: Windows Target Connector and Account Discovery

    Posted 11-27-2018 08:47 PM

    Hi Ralf

     

     

    You have some procedure or document on how to include the domain controller certificate in PAM, this is based on the fact that I am trying to synchronize and change the password of a domain account, but I get the following error:

    Nov 28, 2018 1:34:19 AM com.ca.pam.rest.PAUtil generateExceptionFromAppCtx
    SEVERE: PAM-CM-0759: Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.
    Nov 28, 2018 1:35:14 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
    SEVERE: Failed authentication to Active Directory using account 'thomas.guaman'
    com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate can not be retrieved from the domain controller

     

    I thank you if you have any document or link about it



  • 4.  Re: Windows Target Connector and Account Discovery

    Posted 11-28-2018 11:17 AM

    Hi Julian, I believe you raised the exact same question in thread https://communities.ca.com/thread/241788857-is-it-possible-to-rest-a-users-active-directory-in-pam, and we responded there already.