Symantec Privileged Access Management


uncheck "IS Endpoint administrator" from SAM account

  • 1.  uncheck "IS Endpoint administrator" from SAM account

    Posted Mar 08, 2016 08:48 AM

    Hello

    I have CA PIM 12.9, with the endpoint installed on the environment (Windows/Unix/AIX).

    I updated the environment for the Windows servers with an account on all servers via CSV feed; this happened a couple of months ago, with no change of the password on check-in (the password is fixed for the time being).

    Then, a week ago, I found that most accounts have the flag "Is Endpoint Administrator", which I didn't set at the beginning.

    How can I remove this? Because when the users need to check this account out, they receive the error message

    "Cannot check out privileged account: pamadmin since its password was never initialized"

    and the RDP session of course shows "internal error".

     

    Can anybody help?

     




  • 2.  Re: uncheck "IS Endpoint administrator" from SAM account

    Broadcom Employee
    Posted Mar 08, 2016 11:55 AM

    Good morning. Are your endpoints defined as AC for PUPM or as the respective non-agent-based endpoint type (Windows agentless/SSH device)? By default, if you've created a non-agent-based endpoint, when you create the endpoint the initial account associated to that endpoint is the administrator account. If the message you're getting is "password not initialized", this means the account was loaded but a password was not stored.



  • 3.  Re: uncheck "IS Endpoint administrator" from SAM account

    Posted Mar 08, 2016 12:07 PM

    Hi

    Yes, all those endpoints are defined as AC for PUPM.

    And most of those endpoints have that account as the only account discovered for them in CA PIM.

    Back to that error: how can I be sure that the password is stored correctly? I can upload the feed file again, which has the password stored in it; the account name and password are unified for all endpoints now.

     

    Thanks



  • 4.  Re: uncheck "IS Endpoint administrator" from SAM account

    Broadcom Employee
    Posted Mar 08, 2016 12:14 PM

    Can you post the header line of your feeder file and the first account line, excluding the password? Loading the account, if you want to retain that as a static password, should have the account set as disconnected and NEW_PASSWORD should be populated with your initial password.



  • 5.  Re: uncheck "IS Endpoint administrator" from SAM account

    Posted Mar 09, 2016 04:08 AM

    Hi

    Here you may find attached a sample of the CSV format which I used to enter the accounts.



  • 6.  Re: uncheck "IS Endpoint administrator" from SAM account

    Broadcom Employee
    Posted Mar 09, 2016 11:23 AM

    Wael,

     

    Not seeing an attachment in your post. A few other questions just to help frame this up and hopefully get you to resolution. Assuming you have the PIM Agent deployed on the endpoints, did the endpoint creation occur with the automatic registration, or did you create the endpoints via feeder/manually? Also, if you perform the Import Account Wizard, are you able to browse accounts on your target endpoints? Just want to ensure everything is communicating accordingly.



  • 7.  Re: uncheck "IS Endpoint administrator" from SAM account

    Posted Mar 10, 2016 03:19 AM

    Hi Adam

    I attached the CSV in my previous reply, and I will attach it again with the main post.

    To reply to your questions:

    The endpoints are created automatically, as the PIM agent is installed on every one of these servers.

    The account was created via feed (in order to keep the original password during this phase).

    I am able to browse all accounts on the endpoint, but we use the feed method to create them for two reasons:

    1- If we add the account using discovery, the password must be initialized at least once and changed randomly on each server, and this is not required at this stage.

    2- It's about 160 Windows servers, so manually adding for each server is time consuming.



  • 8.  Re: uncheck "IS Endpoint administrator" from SAM account

    Broadcom Employee
    Posted Mar 10, 2016 10:29 AM

    Wael,

     

    I was able to utilize your feed file on my environment, albeit modifying the endpoint name, and was able to successfully import an account and I'm retrieving a password. With the accounts already being defined within your solution, I'd only be guessing why the password didn't store in the DB when initially loaded. To quickly get back to a working state:

     

    1. Click WorldView -> View -> Shared Accounts -> Uncheck Show only failures and click Search

    2. Click Accounts to get a CSV export of exactly how the accounts are defined within SAM today

    3. Update applicable fields as needed within the CSV (including NEW_PASSWORD)

    4. Import through GUI or WaitingToBeProcessed folder

    5. Check System Audit messages for errors processing the feeder file

     

    The only time I got an error was when I had a Modify vs. Create in my feeder, as the Modify action looks for the account with the applicable Namespace and Container, which didn't exist yet.
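The two feeder failure modes discussed in this thread (an account loaded with an empty NEW_PASSWORD, which later shows as PASSWORD_NOT_INITIALIZED, and a Modify row for an account that does not exist yet) can be caught before the file is dropped into WaitingToBeProcessed. The following pre-flight check is an added example, not code from the thread or from the product; the header names ACTION, NAMESPACE, CONTAINER and ACCOUNT are assumed, since only NEW_PASSWORD is named on the page, and the sample rows and the set of existing accounts are constructed.

```python
import csv
import io

# Constructed sample feeder file. Only NEW_PASSWORD is a column named in the
# thread; ACTION, NAMESPACE, CONTAINER and ACCOUNT are assumed names here.
SAMPLE_FEED = """ACTION,NAMESPACE,CONTAINER,ACCOUNT,NEW_PASSWORD
Create,Windows Agentless,srv01.example.test,pamadmin,Constructed-Pw-1
Create,Windows Agentless,srv02.example.test,pamadmin,
Modify,Windows Agentless,srv03.example.test,pamadmin,Constructed-Pw-1
"""

# Constructed set of (namespace, container, account) already defined in SAM;
# a Modify row must match one of these or the feeder rejects it.
EXISTING = {("Windows Agentless", "srv01.example.test", "pamadmin")}

REQUIRED = {"ACTION", "NAMESPACE", "CONTAINER", "ACCOUNT", "NEW_PASSWORD"}


def lint_feed(text, existing):
    """Return a list of (line_no, message) for rows likely to fail on import."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        return [(1, "missing header columns: " + ", ".join(sorted(missing)))]
    problems = []
    for line_no, row in enumerate(reader, start=2):
        action = (row["ACTION"] or "").strip()
        key = (row["NAMESPACE"], row["CONTAINER"], row["ACCOUNT"])
        if action == "Create" and not (row["NEW_PASSWORD"] or "").strip():
            # The account would load, but no password is stored: the
            # PASSWORD_NOT_INITIALIZED state seen in the thread.
            problems.append((line_no, "NEW_PASSWORD is empty; account would load uninitialized"))
        elif action == "Modify" and key not in existing:
            # Modify looks up the account by namespace and container first.
            problems.append((line_no, "Modify targets an account not yet defined; use Create"))
        elif action not in ("Create", "Modify"):
            problems.append((line_no, f"unknown ACTION {action!r}"))
    return problems


if __name__ == "__main__":
    for line_no, msg in lint_feed(SAMPLE_FEED, EXISTING):
        print(f"line {line_no}: {msg}")
```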



  • 9.  Re: uncheck "IS Endpoint administrator" from SAM account

    Posted Mar 13, 2016 07:42 AM

    Hello Adam

    I am working as per your advice. I picked an account which is having this problem.

    Searching for it in Password history, it shows at the date of creation PASSWORD_NOT_INITIALIZED.

    However, I tried to manually reset the password and entered the correct password, and the password history shows it correctly, but when trying to use Proxy_RDP, it returns a connection error:

    The Target server encountered an error and has closed the connection. Please try again or contact your system  administrator

     

    I tried to log in via Windows RDP and everything goes right with the same user and password...

    That's a little bit weird.

     

    Do you have any idea why that happened?

     

    Best regards



  • 10.  Re: uncheck "IS Endpoint administrator" from SAM account

    Broadcom Employee
    Posted Mar 14, 2016 10:11 AM

    Wael,

     

    Plus side, we're getting you closer and over at least one hurdle. Now we're looking at one of likely two conditions: connectivity to the endpoint from the Proxy server, or the logon information and how it's getting passed. Do you have 3389 connectivity from the Proxy server to the target endpoint? For the logon information, on your endpoint is the proper NETBIOS name populated on the endpoint?



  • 11.  Re: uncheck "IS Endpoint administrator" from SAM account

    Posted Mar 15, 2016 04:03 AM

    Adam,

    As the project time was limited to activate this feature (proxy RDP) on all Windows endpoints,

    I had to remove the endpoints (SAM endpoints) and add them and the account manually. They were about 90 endpoints; it took time, but slow and sure was a better solution than fast with issues.

    Thanks for your help.

    I know that I might face this feed file configuration again when adding a variable with the account or endpoint, but I guess it is not now.

     

    Thanks for your help, have a good day.