Symantec Privileged Access Management

  • 1.  Windows Target Connector and Account Discovery

    Posted Jul 23, 2018 12:18 PM

    Is it possible to discover only accounts in a certain group, for example the Administrators group, when using the Windows Target connector to discover local accounts? The Account Discovery tab in the Target Application only allows one to specify a list of accounts to discover. Looking for unknown accounts that could be in the Administrators group would be more useful than specifying a known list of accounts.



  • 2.  Re: Windows Target Connector and Account Discovery
    Best Answer

    Broadcom Employee
    Posted Aug 08, 2018 09:59 PM

    Hello John, Sorry for the delayed response. PAM does not have this feature at present. Group filters are only available for the Active Directory target connector and therefore for domain accounts, not for local Windows accounts. Feel free to raise an idea for an enhancement here.



  • 3.  Re: Windows Target Connector and Account Discovery

    Posted Nov 27, 2018 08:47 PM

    Hi Ralf

    Do you have a procedure or document on how to include the domain controller certificate in PAM? I ask because I am trying to synchronize and change the password of a domain account, but I get the following error:

    Nov 28, 2018 1:34:19 AM com.ca.pam.rest.PAUtil generateExceptionFromAppCtx
    SEVERE: PAM-CM-0759: Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.
    Nov 28, 2018 1:35:14 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
    SEVERE: Failed authentication to Active Directory using account 'thomas.guaman'
    com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate can not be retrieved from the domain controller

     

    I would be grateful if you have any document or link about it.



  • 4.  Re: Windows Target Connector and Account Discovery

    Broadcom Employee
    Posted Nov 28, 2018 11:17 AM

    Hi Julian, I believe you raised the exact same question in thread https://communities.ca.com/thread/241788857-is-it-possible-to-rest-a-users-active-directory-in-pam, and we responded there already.