It is possible:
The issue is that PAM wants both Parent (Management) and Child (Managed) Accounts to be of the same "TYPE".
You can accomplish this using Windows Proxy type of accounts.
You'll need a Windows Proxy, at least 1 in each domain for testing purposes, more for scalability, load balancing and fault tolerance.
Create a Proxy Application for each domain.
Onboard each AD Account as a Proxy Account linked to its respective Proxy Application.
Create a Proxy Application for each target member server/device.
Onboard each Local Account as a Proxy Account linked to its respective Proxy Application.
Set the Local Account to be Managed by the appropriate AD Account (of Type Windows Proxy).
------------------------------
Services Architect
HCL Technologies Ltd
------------------------------
Original Message:
Sent: 12-16-2019 06:35 AM
From: Jorghy Misnan
Subject: AD Account Manage Local Windows Credential
CA PAM v3.2.6
Is it possible to use an Active Directory credential that is part of the Administrators local group in Windows to manage the password of other local credentials?
I'm using "Active Directory" for the parent account called bastion and "Windows Remote" for the Administrator local credential.
------------------------------
Regards,
Jorghy
------------------------------