Symantec Privileged Access Management

  • 1.  Windows account onboarding

    Posted Apr 01, 2020 08:04 AM
    Hello Team,
    We have our servers in AD, and these servers do not have local accounts but domain accounts. We have around 4000 servers and 40 domain admin accounts on each server, and the same domain accounts are used across the 4000 servers. So when adding accounts in PAM, do I have to add an account for each server (1*4000)? And what if the password is changed for one server? Will the accounts for the other servers in PAM be in sync?

    Please suggest a solution for this.

    Regards,
    Inbaselvan R


  • 2.  RE: Windows account onboarding
    Best Answer

    Broadcom Employee
    Posted Apr 01, 2020 08:38 AM
    Hi Inbaselvan,

    In this use case since they are domain accounts you will be using the Active Directory application type. This will mean adding these 40 domain admin accounts into PAM.  Since the password changes are on the domain account, it will be seamless no matter which server is being accessed using these credentials (remember, the accounts are on the domain level, not on the local server, and authenticate through AD). 

    See http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-an-active-directory-target-connector.html for more information on the AD Target Connector.

    Thanks,
    Mike

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------



  • 3.  RE: Windows account onboarding

    Posted Apr 06, 2020 07:58 AM
    Thanks Mike. This will clearly reduce the burden. One more question: we have an AD account for the PAM admin with read access, and this account is added to the local admin group of the servers. Can this account change the password of these 40 accounts? Or do we need to provide admin access at the domain level for the PAM account?

    Regards,
    Inbaselvan R


  • 4.  RE: Windows account onboarding

    Broadcom Employee
    Posted Apr 06, 2020 09:15 AM
    Hi Inbaselvan,

    Referring to the documentation for the AD account being used for administration:

    • Use a target account with sufficient privileges to reset other Active Directory users' passwords.
      The target account that is associated with the Active Directory Administrator must have sufficient privileges to reset the passwords of imported Active Directory users. Otherwise, the imported user cannot change a password that becomes invalid. On the Active Directory Server, grant the minimal privileges to the account to reset passwords by issuing the following command or its UI equivalent:
      dsacls "%DN%" /I:S /G "%user_domain%\xsuiteLookup:CA;Reset Password;user"
      where:
      • DN is the Distinguished Name for the domain, for example: DC=exampledomain,DC=com
      • user_domain is the short name for the Windows domain
      • xsuiteLookup is the account Username
    From http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/how-to-set-up-ldap-servers-for-user-authentication/how-to-configure-active-directory-for-user-authentication.html#concept.dita_e866d335f5e852d16ad4ab73a725bee51831034f_ADpasswordupdatingActiveDirectoryPasswordUpdates

    Thanks,
    Mike

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------
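Editor's added example (not code from the thread or from the Broadcom documentation). The documented dsacls command grants the Reset Password control access right on the domain DN, inherited by every user object in the domain. The PowerShell below grants the same right through the AD: PSDrive but scoped to the one OU that holds the onboarded accounts, checks that the PAM account holds nothing broader than that single ACE, and lists accounts the ACE cannot reach. Membership in each server's local Administrators group confers no rights in the directory, so the right has to be granted in AD as the documentation describes. The account name EXAMPLEDOMAIN\pam-svc, the OU name and the domain are assumptions for illustration; the two GUIDs are the fixed, forest-independent identifiers of the User-Force-Change-Password right and of the user object class.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread or from the Broadcom documentation.
# Grants a PAM target account the "Reset Password" extended right on user objects
# under one OU (instead of the whole domain DN used in the documented dsacls
# command), verifies the ACE, and flags onboarded accounts that the ACE will not
# reach because they are protected by AdminSDHolder. All names are assumptions.
Import-Module ActiveDirectory

$PamAccount = 'EXAMPLEDOMAIN\pam-svc'                         # assumed PAM target account
$TargetOu   = 'OU=PAM Managed Admins,DC=exampledomain,DC=com'  # assumed OU holding the 40 accounts

# Equivalent one-liner in the documented dsacls form, narrowed from the domain DN to the OU:
#   dsacls "OU=PAM Managed Admins,DC=exampledomain,DC=com" /I:S /G "EXAMPLEDOMAIN\pam-svc:CA;Reset Password;user"

# Well-known GUIDs: the User-Force-Change-Password control access right and the
# schemaIDGUID of the user class (both are the same in every AD forest).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$Sid = ([System.Security.Principal.NTAccount]$PamAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

function Grant-ResetPasswordRight {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Principal)
    $acl = Get-Acl -Path "AD:\$OuDn"
    # ExtendedRight + ObjectType = Reset Password only; Descendents + InheritedObjectType
    # = user objects below the OU only (the OU itself gets nothing). This is the ACE
    # that dsacls /I:S ... ":CA;Reset Password;user" writes.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Principal,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-ResetPasswordRight {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Principal)
    $aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Principal
    }
    # Least-privilege check: fail if the account holds anything broader than the one intended ACE.
    $extra = $aces | Where-Object {
        -not ($_.ActiveDirectoryRights -eq 'ExtendedRight' -and
              $_.ObjectType -eq $ResetPasswordRight -and
              $_.InheritedObjectType -eq $UserClass)
    }
    if ($extra) {
        throw "$Principal holds rights on $OuDn beyond Reset Password: $($extra.ActiveDirectoryRights -join ', ')"
    }
    return [bool]($aces | Where-Object { $_.ObjectType -eq $ResetPasswordRight })
}

function Get-ProtectedAccounts {
    # Members of protected groups (Domain Admins among them) carry adminCount=1 and
    # have ACL inheritance blocked; SDProp rewrites their ACL from AdminSDHolder, so
    # an inheritable ACE on the OU (or on the domain DN) never reaches them.
    param([string]$OuDn)
    Get-ADUser -SearchBase $OuDn -Filter 'adminCount -eq 1' -Properties adminCount |
        Select-Object -ExpandProperty SamAccountName
}

Grant-ResetPasswordRight -OuDn $TargetOu -Principal $Sid
if (-not (Test-ResetPasswordRight -OuDn $TargetOu -Principal $Sid)) {
    throw "Reset Password right was not applied for $PamAccount on $TargetOu"
}
$protected = Get-ProtectedAccounts -OuDn $TargetOu
if ($protected) {
    Write-Warning ("AdminSDHolder-protected accounts in the OU; the OU ACE will not apply to them: " +
                   ($protected -join ', '))
}
```

Run it from an elevated PowerShell session on a host with RSAT installed, as an account that may modify the OU's security descriptor. The last check matters for exactly the accounts this thread is about: the 40 accounts are domain admins, so they are AdminSDHolder-protected and the inheritable ACE from the documented dsacls command never lands on them. For those, the Reset Password right has to exist on CN=AdminSDHolder,CN=System,<domain DN> (from where SDProp copies it to every protected account), and a change to AdminSDHolder should be reviewed with the same care as a change to the Domain Admins group itself.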



  • 5.  RE: Windows account onboarding

    Posted Apr 06, 2020 09:36 AM
    Thanks Mike.