Symantec Privileged Access Management

 How to get last password reset date through CLI command.

posted 05-05-2021 11:00 AM
Hi Team,

There is a functionality in the Password Composition Policy to set the password expiry date. Once set, the accounts tagged to the respective application with that PCP should get automatically reset after, say, 60 days, which is not happening.
We would like to check the list of accounts which are expired. For that we need to know the last password reset timestamp. How do we do that with a CLI command?

Thanks and Regards,
Guru
Broadcom Employee Best Answer
Hello Guru,

See the documentation page https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-3/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/getmostrecentpasswordhistory.html
As pointed out there, you use the searchTargetAccount command to get IDs of accounts. If run w/o arguments, the command will return all accounts, and you can extract the account ID.

./capam_command -n <mypamhost> -u super -p <mysuperpwd> cmdName=searchTargetAccount TargetAccount.userName=mytargetaccount
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><TargetAccount><userName>mytargetaccount</userName>....<ID>5001</ID></TargetAccount></cr.result></CommandResult>

./capam_command -n <mypamhost> -u super -p <mysuperpwd> cmdName=getMostRecentPasswordHistory TargetAccount.ID=5001
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><AccountHistory><userName>mytargetaccount</userName><accountID>5001</accountID>...<createDate>Thu Mar 25 23:46:45 UTC 2021</createDate>...</AccountHistory></cr.result></CommandResult>
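The two replies shown in the answer can be post-processed to list accounts whose last password change is older than the policy's expiry interval. The following is an added example, not part of the original thread or Broadcom's code: the sample XML is constructed from the output above with the elided fields left out, and the function names, the second account, the multi-account reply shape and the UTC-only timestamp format are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample replies modelled on the capam_command output in the answer.
_HEAD = ("<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode>"
         "<cr.statusDescription>Success.</cr.statusDescription><cr.result>")
_TAIL = "</cr.result></CommandResult>"
SEARCH_XML = (_HEAD + "<TargetAccount><userName>mytargetaccount</userName><ID>5001</ID></TargetAccount>"
              "<TargetAccount><userName>otheraccount</userName><ID>5002</ID></TargetAccount>" + _TAIL)

def _history(name, acc_id, stamp):
    return (_HEAD + f"<AccountHistory><userName>{name}</userName><accountID>{acc_id}</accountID>"
            f"<createDate>{stamp}</createDate></AccountHistory>" + _TAIL)

HISTORY_XML = {  # keyed by account ID; the second entry is a constructed value
    "5001": _history("mytargetaccount", "5001", "Thu Mar 25 23:46:45 UTC 2021"),
    "5002": _history("otheraccount", "5002", "Fri Jan 01 08:00:00 UTC 2021"),
}

def _text(node, tag):
    """Text of the first element named `tag` at or below `node`, or None."""
    el = next(node.iter(tag), None)
    return el.text.strip() if el is not None and el.text else None

def _parse(xml_text):
    root = ET.fromstring(xml_text)
    # In the output above, statusCode 400 accompanies "Success."; anything else is rejected.
    if _text(root, "cr.statusCode") != "400":
        raise RuntimeError(_text(root, "cr.statusDescription") or "command failed")
    return root

def account_ids(search_xml):
    """Map userName -> ID from a searchTargetAccount reply."""
    return {_text(a, "userName"): _text(a, "ID") for a in _parse(search_xml).iter("TargetAccount")}

def last_reset(history_xml):
    """createDate of a getMostRecentPasswordHistory reply as an aware UTC datetime."""
    stamp = _text(_parse(history_xml), "createDate")
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)

def overdue(search_xml, history_by_id, max_age_days, now):
    """Accounts whose last password change is older than max_age_days, with age in days."""
    cutoff = now - timedelta(days=max_age_days)
    found = []
    for name, acc_id in account_ids(search_xml).items():
        changed = last_reset(history_by_id[acc_id])
        if changed < cutoff:
            found.append((name, acc_id, (now - changed).days))
    return found

if __name__ == "__main__":
    print(overdue(SEARCH_XML, HISTORY_XML, 60, datetime.now(timezone.utc)))
```

In practice the two XML strings would come from the searchTargetAccount and getMostRecentPasswordHistory calls shown in the answer, one history call per account ID.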