Symantec Privileged Access Management


  • 1.  Schedule Job for Windows A2A user

    Posted Feb 19, 2025 05:13 PM

    Hi,

    PAM Support team,
    I need your help.

    [Environment]
    PAM Server 4.1.1
    Windows A2A Client : 4.1.1

    [Question]
    I am testing the Windows A2A client using the sample (example64.ps1).
    There is no problem (it is working properly).
    Then, I would like to change the password for the A2A user on Windows A2A client machine.
    So I created a schedule job like this.
    on PAM client:
    Credentials->Manage Targets->Schedule Jobs
    Schedule tab:
    Job Name : TESTJOB for A2A
    Time Zone: UTC
    Recurrence: Daily
    Time: 02:00:00
    Repeat Only On Weekdays : no check

    Account Details:
    Command: Update Target Account Password
    Account: Individual
    Target Account: a2a_admin (this user is the A2A target account)
    Generate Password: Yes

    For example:
    Now : 2025/2/19 01:50:00 GMT

    In this case, the schedule job should be run at 02:00:00 GMT.
    As a result, the password of the A2A user (a2a_admin) was not changed.
    However, the next run time for the schedule job was 2025/02/20 09:0:00 GMT-0000.
    So the schedule job seems to be run but there is no trace of the job in the tomcat log.
    The tomcat log level is Finest.
    Also, I checked Credential Manager Activities for "All A2A Client Requests in Last 30 Days".
    However, it did not count up.

    Question1:
    Can we use schedule job to change the A2A user password?
    If it is possible, do you know why the user password is not changed?
    Do I have something wrong with the settings, etc?

    Question2:
    Where should the trace log for scheduled job of A2A user be listed?

    Best regards,
    Marubun



  • 2.  RE: Schedule Job for Windows A2A user

    Broadcom Employee
    Posted Feb 20, 2025 05:51 PM

    Hello, A2A functionality is not related to target account password update activities. When a scheduled job runs, you will find an entry in the Scheduled Jobs report, which you can access from the Credentials > Reports > Run page. For each synchronized target account in the job there will be an entry in the Account Passwords Update Attempts report found on the same page. Target accounts that are not configured to be synchronized will not be updated by a scheduled job. Whether an account is of type A2A or of type Privileged does not matter for scheduled jobs. The A2A type just makes the account eligible for A2A calls.




  • 3.  RE: Schedule Job for Windows A2A user

    Posted Feb 20, 2025 09:52 PM

    Hi Ralf-san,

    Thank you for your update.

    Just to be sure, please let me ask you some questions.

    Q1)
    My schedule job is "Daily" and Time: 02:00:00.
    I think that "Daily" means it is executed only once a day.
    For my test,
    Can I change just the "Time" field for that job multiple times?
    Also, if the schedule job is already executed once with daily, will the schedule job not be executed even if the "Time" is changed?

    Q2)
    Should the trace for schedule job be listed as a tomcat log?

    Best regards,
    Marubun




  • 4.  RE: Schedule Job for Windows A2A user

    Broadcom Employee
    Posted Feb 21, 2025 01:14 AM

    Hello, Whenever you make a change to a scheduled job, you have to select a future time as next run time. It will overwrite the previous next run time. We do that for testing purposes to run a job multiple times within minutes. But if you have a use case where you want to verify or update accounts multiple times per day, you would configure multiple jobs for the same accounts or target groups, running at different times in the day.

    To see messages in the tomcat log when jobs start and end, you would want to set the tomcat log level to Fine. In a cluster the job will be submitted by one node in the primary site, typically but not necessarily the first node in the primary site. The other primary site nodes will participate in the job, if it acts on multiple target accounts. Generally the reports I mentioned are a better option to check on job activity. The logs are of interest, if there are failures within the job. If you use a log level of Info or higher, the tomcat log is likely to rotate every hour (at 17 minutes past the hour) and the UI only allows you to download the current log. You would need to engage PAM Support to review older tomcat logs.




  • 5.  RE: Schedule Job for Windows A2A user

    Posted Feb 21, 2025 01:23 AM

    Hi Ralf-san,

    Thank you very much indeed!

    For my test, I will modify the schedule job and test again.

    Thanks,

    Marubun