Symantec Privileged Access Management

  • 1.  CA PAM - Local Services and Account discovery using Windows Proxy

    Posted Nov 12, 2018 11:59 AM

    Hello everyone,

     

    What are the necessary permissions/configurations that we need to have on an endpoint in order to be able to discover local accounts and the services they manage? At some of the remote endpoints where I have tried doing account discovery it worked (but it doesn't return any services), and at other times the account discovery logs say -2147024891- ERROR_ACCESS_DENIED.

     

    The firewall is not an issue: it has the same ports opened for the devices that don't work as for the devices that work, and the account that we use for the discovery has the same permissions on all servers. The version of the appliance is 3.2.2.

     

    Best regards,

    Nikola



  • 2.  Re: CA PAM - Local Services and Account discovery using Windows Proxy

    Broadcom Employee
    Posted Nov 15, 2018 09:21 AM

    Hello Nikola, In general the requirements listed in "Prerequisites for Using the Windows Remote Connector" on page https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-a-windows-remote-target-connector should be sufficient for remote account management using the Windows Proxy as well. The question is what account you are using to do the discovery. Can you clarify that?



  • 3.  Re: CA PAM - Local Services and Account discovery using Windows Proxy

    Posted Nov 15, 2018 09:27 AM

    Hi Ralf,

     

    Thank you for the quick reply. The account is a local admin on the remote Windows endpoint, but it is strange that I can manage the account password just fine, but when I do a discovery with that account it says "ACCESS DENIED".

     

    I will look into these permissions when I have time, but I am not sure if that might be the issue.

     

    Best regards,

    Nikola



  • 4.  Re: CA PAM - Local Services and Account discovery using Windows Proxy

    Broadcom Employee
    Posted Nov 15, 2018 11:24 AM

    The Windows Proxy log cspmclient\log\cspm_client_log.txt should contain the access denied message. This gives you the time stamp to check on Windows Event logs on the target device, specifically the Security logs. They should give you information on why the logon was denied. Look for any mismatch in account or domain name if it's not a permissions issue.
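
The correlation step described in the last reply, as an added example that is not part of the thread and is not CA PAM code: it lists failed-logon events (Security event ID 4625) on the target device around a time stamp copied from cspm_client_log.txt, showing the account and domain Windows actually saw. The function name, the five-minute window and the sample time stamp are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the target device
# (reading the Security log requires administrative rights).
function Get-FailedLogonNear {
    param(
        # Time stamp of the access-denied entry, copied by hand from cspm_client_log.txt
        [Parameter(Mandatory)] [datetime] $Timestamp,
        # Assumption: a few minutes either side absorbs clock skew between proxy and target
        [int] $WindowMinutes = 5
    )

    # Common NTSTATUS values found in the Status/SubStatus fields of event 4625
    $reason = @{
        '0xc0000064' = 'user name does not exist'
        '0xc000006a' = 'wrong password'
        '0xc000006d' = 'bad user name or authentication information'
        '0xc0000072' = 'account disabled'
        '0xc000015b' = 'logon type not granted to this account'
        '0xc0000234' = 'account locked out'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = 4625     # "An account failed to log on"
        StartTime = $Timestamp.AddMinutes(-$WindowMinutes)
        EndTime   = $Timestamp.AddMinutes($WindowMinutes)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event data is a list of <Data Name="...">value</Data> elements
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # SubStatus is 0x0 when Status alone carries the failure code
        $code = "$($data['SubStatus'])".ToLower()
        if (-not $code -or $code -eq '0x0') { $code = "$($data['Status'])".ToLower() }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            Source      = $data['IpAddress']
            Code        = $code
            Reason      = if ($reason.ContainsKey($code)) { $reason[$code] } else { 'unmapped code' }
        }
    }
}

# Constructed time stamp for illustration; substitute the one from the proxy log
Get-FailedLogonNear -Timestamp '2018-11-15 09:05:00' | Format-Table -AutoSize
```

Compare the Account column with the account and domain configured for discovery in PAM; an empty result means no logon failure was recorded in that window.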