Symantec Privileged Access Management

  • 1.  Active Directory service account for all Windows Remote local accounts

    Posted Apr 06, 2020 01:28 AM
    Hello everyone,

    Does anyone have suggestions on how to rotate the passwords of local Windows accounts on multiple servers using the Windows Remote connector with only one Active Directory account? This account is a member of the Administrators group on all the Windows servers whose passwords will be managed.

    In version 3.3.1 we have to create the same Active Directory administrator user for every Windows Remote target application that we want to use, as we cannot reuse one already created for an existing Windows Remote application on a different server. This means that for each server we need to create, for example, adadministrator as one account and localuser as the other, thus having 2 accounts per Windows Remote target application instead of only the localuser account.

    Best regards,
    Nikola


  • 2.  RE: Active Directory service account for all Windows Remote local accounts

    Broadcom Employee
    Posted Apr 06, 2020 04:02 AM

    Hello Nikola,

    If I understand correctly, you basically want to have the same password on all the local boxes' Administrator accounts as well as the Domain Administrator account, right?

    You could form a Target Group of the different kinds of Target Accounts and run a Scheduled Job to update all of them with the same password.

    Best Regards,

    Andreas

  • 3.  RE: Active Directory service account for all Windows Remote local accounts

    Broadcom Employee
    Posted Apr 06, 2020 10:05 AM
    Hi Nikola,

    The AD account should be configured in PAM with a separate target application, e.g. of type Active Directory. You should be able to use this one common target account to manage your multiple Windows Remote target accounts. You may have to define the account name in PAM as <accountname>@<domain>; I don't have a test setup to check on this right now. Note that when you search for another account to manage your new account, there is a default filter limiting the search to the same target application type, but you can change that.


  • 4.  RE: Active Directory service account for all Windows Remote local accounts

    Posted Apr 06, 2020 11:53 AM
    Hi everyone,

    Thank you for the quick response. I tried to set the Active Directory administrator (the service account used to rotate the passwords) as the change process credential for a Windows Remote local account, but it gives the following error:


    Do you know if there is another way to manage this? The only option I can see is adding the same account to each Windows Remote target application alongside the local account.

    Best regards,


  • 5.  RE: Active Directory service account for all Windows Remote local accounts

    Broadcom Employee
    Posted Apr 06, 2020 12:13 PM
    In that case the only alternative I can think of is to move away from the Windows Remote target connector and use a Windows Proxy target application. You can run the Windows Proxy on one host, use the domain account to run the proxy service, and then select the option to use proxy credentials to update the accounts.


  • 6.  RE: Active Directory service account for all Windows Remote local accounts
    Best Answer

    Broadcom Employee
    Posted Apr 06, 2020 02:19 PM
    Another option I would try is to define a second Windows Remote target application on one of the devices, or on a domain controller device, configure it to manage domain accounts rather than local accounts, and then define your domain account under that target application. This would meet the requirement of having the same target application type.


  • 7.  RE: Active Directory service account for all Windows Remote local accounts

    Posted Apr 07, 2020 06:23 AM
    Hi Ralf,

    I need your help here. I am trying to manage access and the password for a Windows Remote target local admin account. I am able to access the server perfectly, however the password is not getting rotated. I have already opened a case for the issue, Case#31823027; can you have a look at that?

  • 8.  RE: Active Directory service account for all Windows Remote local accounts

    Broadcom Employee
    Posted Apr 07, 2020 10:45 AM
    Hi Pankaj,

    If you have a support case open already, please communicate through the support case. Once it is resolved you can post the resolution here.

    Thanks,
    Ralf