Symantec Privileged Access Management

Tech Tip - CA Privileged Identity Manager: Locked out from your DMS__?!

    Posted Jul 27, 2015 01:16 PM

    Employers are constantly making changes, and employees come and go over the life of a business: they find other opportunities, or they are fired. Unfortunately, the person who leaves can be the only one who had access to the Deployment Map Server (DMS__) of this product, and if that person was fired, they may never feel inclined to tell their IT colleagues what the credentials to the DMS__ were.

     

    1.) Create a Master PMDB named TEST on any system besides the problematic DMS__:

    AC> env pmd

    AC(pmd)> createPMD TEST

    (localhost)

    Successfully created PMD TEST

     

    2.) Add a subscriber, in this case the DMS__ from the Enterprise Management, to the Master PMDB TEST:

    AC(pmd)> subs TEST subs(DMS__@mymachine-U147653)

    (localhost)

    Successfully subscribed DMS__@mymachine-U147653 to TEST

     

    3.) Verify the DMS__ is seen as a subscriber to the Master PMDB TEST:

    C:\Users\Administrator> sepmd -L TEST

    CA ControlMinder sepmd v12.80.1432 - Policy Model management Copyright (c) 2013 CA. All rights reserved.

     

    Initial offset: 0

    Last offset: 0

     

    Subscriber                        Errors   Flag   Offset   Next command
    ==========                        ======   ====   ======   ============
    DMS__@mymachine-U147653.ca.com    0        0

     

    So the master PMDB 'TEST' has been created, and the DMS__ on the Enterprise Management server is now subscribed to it.

     

    4.) Now, on the DMS__ server, open regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Pmd\DMS__, and set the Parent_Pmd value to TEST@hostname_of_server (the host where the Master PMDB TEST was created).

     

    5.) Go back to the system holding the Master PMDB, start selang, and host into it:

     

    C:\Users\Administrator>selang

    Target host: localhost

    CA ControlMinder selang v12.80.1432 - CA ControlMinder command line interpreter Copyright (c) 2013 CA. All rights reserved.

     

    AC> host TEST@

    (TEST@localhost)

    Successfully connected

     

    6.) Create an admin user in the Master PMDB; it is pushed out to the subscribed DMS__ so you can access it:

    AC> eu username password(password_here) admin

     

    7.) Verify that the DMS__ does in fact see the user you just added; go back to your DMS__ server:

    AC> host DMS__@

    (DMS__@localhost)

    Successfully connected

     

    INFO: Target host's version is 12.80.1432

     

    Windows OS info: Windows NT Version:6.1, Service Pack 1

    07 Jul 2015 16:22:05 Eastern Daylight Time

     

    AC> su EricGomes

    (DMS__@localhost)

    Data for USER 'EricGomes'

    -----------------------------------------------------------

    User mode : Admin

    Audit mode : Login-Success, Failure, Login-Failure

    Owner : mymachine-U147654\Administrator (USER)

    Gracelogins : 1

    Admin Pwd change : 07-Jul-2015 16:21

    Pwd changed by : mymachine-U147654\Administrator (USER)

    Create time : 07-Jul-2015 16:21

    Update time : 07-Jul-2015 16:21

    Updated by : mymachine-U147654\Administrator (USER)

    Created By: Eric Gomes (7/7/2015 4:17 PM)

     

    I am now logged into the DMS__ as an administrator.  There is also one other method that can be used if the PMDB architecture is uncooperative.

     

    Create a native Windows user named 'ac_entm_pers' and give it a password. This mirrors the logical user that already has access within the DMS__, so the rules are satisfied by letting that logical user log in. Once you are in the DMS__, add the appropriate users and groups so they have access to the DMS__.
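    The same Parent_Pmd registry value that step 4 changes is worth auditing on an ongoing basis, since anyone with write access to that key on the DMS__ host can re-parent the DMS__ and push users into it. The PowerShell below is an added example and not part of the original post or the product: it reads Parent_Pmd for every PMDB under the key from step 4 and flags any that differ from what you expect. The expected values (here, that DMS__ has no parent) are an assumption you must supply for your own environment.

```powershell
# Added example, not from the original post. Audit the Parent_Pmd value of every
# policy model under the registry key named in step 4 and flag unexpected parents.

function Get-PmdParentAudit {
    [CmdletBinding()]
    param(
        # PMDB name -> expected Parent_Pmd ('' means the PMDB should have no parent).
        # Supplied by the operator; the default below is a constructed assumption.
        [hashtable] $Expected = @{ 'DMS__' = '' },
        # Registry key from step 4 of the post (HKLM:\ is the PowerShell drive for HKEY_LOCAL_MACHINE).
        [string] $PmdKey = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\Pmd'
    )

    if (-not (Test-Path -Path $PmdKey)) {
        throw "PMD registry key not found: $PmdKey"
    }

    foreach ($sub in Get-ChildItem -Path $PmdKey) {
        $name   = $sub.PSChildName
        $props  = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        $parent = if ($null -ne $props.Parent_Pmd) { [string]$props.Parent_Pmd } else { '' }

        # A PMDB that is not in the expectation list is reported rather than silently passed.
        $expected = if ($Expected.ContainsKey($name)) { $Expected[$name] } else { $null }
        $status   = if ($null -eq $expected)        { 'UNKNOWN_PMDB' }
                    elseif ($parent -eq $expected)  { 'OK' }
                    else                            { 'PARENT_CHANGED' }

        [pscustomobject]@{
            Pmdb     = $name
            Parent   = $parent
            Expected = $expected
            Status   = $status
        }
    }
}

# Report only the findings. After the procedure above, DMS__ shows PARENT_CHANGED
# with Parent = TEST@hostname_of_server until the value is removed again.
Get-PmdParentAudit |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

Once access has been recovered, remove the temporary Parent_Pmd value and the TEST PMDB so that this audit returns to reporting nothing.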