Symantec Privileged Access Management

  • 1.  Verifying procedure to change passwords for only expired accounts

    Posted Mar 05, 2020 10:52 AM
    Hello,

    Scenario:

    Managing 100 Unix credentials.
    I intend on using a password composition policy which enforces a maximum password age of 45 days.
    The password view policy will change the credential password upon connection end.

    At the end of the 44 days, there are 80 credentials which were not used in that time period, and thus the password for those are about to expire in PAM. 

    Is there a way to run a scheduled password change (let's say every 40 days) on ONLY those credentials which are about to expire (before they expire)?

    If not, what is the best practice to avoid unused credentials expiring in PAM?

    Thanks


  • 2.  RE: Verifying procedure to change passwords for only expired accounts
    Best Answer

    Broadcom Employee
    Posted Mar 05, 2020 11:32 AM
    Hi Chris, when the "Automatically Update Expired Passwords" flag is set under General Settings on the Settings > Credential Manager page, PAM will do this automatically; you don't have to worry about it. Just make sure the maximum password age in PAM is smaller than the maximum password age on the credential source, to prevent the accounts from expiring in the credential source.


  • 3.  RE: Verifying procedure to change passwords for only expired accounts

    Posted Mar 19, 2020 09:18 AM
    Hi Ralf,

    How often does PAM check the target account for password synchronization? Can we schedule a daily, weekly or monthly password synchronization check?

    Regards
    Pankaj Kumar


  • 4.  RE: Verifying procedure to change passwords for only expired accounts

    Posted Mar 19, 2020 09:38 AM
    Hello,

    There are three steps to this:

    1. Create a Target Group (Credentials => Manage Targets => Target Groups)

       Name: <target group name>
       Description: All credentials managed by application <application>
       Type: Dynamic
       Server Filters: N/A
       Application Filters: Application Name equals <application name>
       Account Filters: N/A

    2. Add a Scheduled Job (Credentials => Manage Targets => Scheduled Jobs)

       Schedule – Job Name: Verify Synchronized Account Passwords
       Schedule – Time Zone: UTC
       Schedule – Date/Time: Set at a specific time/date (in future)
       Schedule – Recurrence: Daily
       Account Details – Command: Verify Account Password
       Account Details – Account: Target Group
       Account Details – Target Group: <target group name>
       Account Details – Accounts: All

    3. Add a Report (Credentials => Reports => Scheduled Jobs)

       Schedule – Job Name: Accounts UnSynchronized
       Schedule – Time Zone: UTC
       Schedule – Date/Time: Set at a specific time/date (in future)
       Schedule – Recurrence: Daily
       Report Details – Report Name: Accounts with Incorrect Passwords
       Report Details – Output Format: CSV
       Report Details – Recipients: (id of administrator)




  • 5.  RE: Verifying procedure to change passwords for only expired accounts

    Broadcom Employee
    Posted Mar 19, 2020 10:00 AM
    Hi Pankaj, Scott answered your question about the synchronization check (the report). The expired password processor runs every 12 hours. In a cluster it does this on each primary site node, not on secondary site nodes.


  • 6.  RE: Verifying procedure to change passwords for only expired accounts

    Posted Mar 19, 2020 10:57 AM
    @Chris Scott

    Thanks for the quick information. I will try it and let you know the results.

    @Ralf Prigl - So the expired password processor runs every 12 hours automatically when the "Automatically Update Expired Passwords" flag is set under General Settings on the Settings > Credential Manager page?


  • 7.  RE: Verifying procedure to change passwords for only expired accounts

    Broadcom Employee
    Posted Mar 19, 2020 10:59 AM
    Yes, it does.
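    The rotation behaviour described in the replies above (PAM's expired password processor runs every 12 hours, and PAM's maximum password age must be smaller than the credential source's) as a small simulation. This is an added example, not code from the thread and not Symantec PAM code; the credential names, the 60-day source limit and the rule that the margin must also cover one 12-hour processor interval are assumptions used to illustrate the point.

    ```python
    """
    Simulation of the thread's scenario: a processor that runs on a fixed
    interval and rotates every managed credential whose password age has
    reached PAM's maximum password age. The 12-hour interval and the rule
    "PAM max age < source max age" come from the thread; everything else
    (credentials, 60-day source limit, 12-hour slack rule) is constructed.
    """
    from dataclasses import dataclass
    from datetime import datetime, timedelta

    PROCESSOR_INTERVAL = timedelta(hours=12)   # from the thread


    @dataclass
    class Credential:
        name: str
        last_rotated: datetime   # when the password was last set (constructed)
        rotations: int = 0


    def age(cred, now):
        return now - cred.last_rotated


    def credentials_due(creds, now, pam_max_age):
        """Credentials whose password age has reached PAM's maximum age."""
        return [c for c in creds if age(c, now) >= pam_max_age]


    def run_processor(creds, now, pam_max_age):
        """One processor run: rotate everything that is due, return the names."""
        due = credentials_due(creds, now, pam_max_age)
        for c in due:
            c.last_rotated = now
            c.rotations += 1
        return [c.name for c in due]


    def simulate(creds, start, horizon, pam_max_age, interval=PROCESSOR_INTERVAL):
        """Run the processor on its interval over `horizon`.

        Returns (oldest password age observed at any run, rotation log).
        The age is sampled just before each run, i.e. the worst case a
        credential reaches before the processor rotates it.
        """
        now = start
        max_age = timedelta(0)
        log = []
        while now <= start + horizon:
            max_age = max(max_age, max(age(c, now) for c in creds))
            rotated = run_processor(creds, now, pam_max_age)
            if rotated:
                log.append((now, rotated))
            now += interval
        return max_age, log


    def margin_covers_processor_lag(pam_max_age, source_max_age, interval=PROCESSOR_INTERVAL):
        """Assumed sizing rule: a credential can sit up to one processor
        interval past PAM's max age before it is rotated, so PAM's max age
        plus that interval must still be inside the source's limit."""
        return pam_max_age + interval < source_max_age


    def build_sample():
        """Constructed sample: three Unix credentials, two of them unused for
        44 days (one rotated mid-interval), one used today."""
        start = datetime(2020, 3, 5, 0, 0)
        creds = [
            Credential("web01", start - timedelta(days=44)),
            Credential("db01", start - timedelta(days=44, hours=10)),
            Credential("app01", start),
        ]
        return creds, start


    if __name__ == "__main__":
        creds, start = build_sample()
        pam_max, source_max = timedelta(days=45), timedelta(days=60)
        oldest, log = simulate(creds, start, timedelta(days=120), pam_max)
        print("oldest password age seen:", oldest)
        print("stays below source limit:", oldest < source_max)
        print("margin rule OK:", margin_covers_processor_lag(pam_max, source_max))
        for when, names in log:
            print(when, "rotated", names)
    ```

    With the constructed sample, db01 was last rotated 10 hours off the processor's schedule, so it reaches 45 days and 10 hours before the next run picks it up; that is the lag the sizing rule accounts for, and it stays well inside the assumed 60-day source limit.
    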