Symantec Privileged Access Management

  • 1.  Windows domain account discovery

    Posted Mar 26, 2020 06:33 AM

    Hello Team,
    Using Account discovery, we are able to discover the Windows local accounts but not able to discover the domain accounts which are added to local admin groups. Does PAM support discovery of accounts from local admin groups? Please let me know your thoughts on this.

    Regards,
    Inbaselvan R



  • 2.  RE: Windows domain account discovery
    Best Answer

    Broadcom Employee
    Posted Mar 26, 2020 10:03 AM
    Hi Inbaselvan, No, that would be a problem. The AD accounts are managed in Active Directory, they cannot be managed from a domain member. And think of the case where a domain admin is in the Administrators group of hundreds of domain members, which is quite common. You wouldn't want PAM to have hundreds of target accounts for the same AD account, they could not stay in sync. The discovery has to be limited to local accounts.
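The answer above turns on one distinction: a member of a local Administrators group is either a local account (one target per host) or a domain principal that is the same identity on every host it appears on. The following script, added here as an illustration and not part of the thread or of Symantec PAM, classifies local-group members the way a discovery or audit job would, using a constructed inventory that imitates the output of `net localgroup Administrators` on three hosts. Host names, the `CORP` domain, the member names and the unresolved SID are all made up for the example.

```python
"""Classify members of Windows local Administrators groups as local vs. domain.

Added example, not code from the forum post or from Symantec PAM. The inventory
below is constructed; it imitates what `net localgroup Administrators` or
Get-LocalGroupMember reports on a few hosts.
"""
import re
from collections import defaultdict

# Constructed sample: host name -> members of its local Administrators group.
SAMPLE_INVENTORY = {
    "WEB01": ["WEB01\\Administrator", "CORP\\Domain Admins", "CORP\\jdoe",
              "S-1-5-21-111-222-333-1105"],   # unresolved SID (deleted account)
    "WEB02": ["WEB02\\Administrator", "WEB02\\svc_backup", "CORP\\Domain Admins",
              "CORP\\jdoe"],
    "DB01":  ["DB01\\Administrator", "CORP\\Domain Admins", "NT AUTHORITY\\SYSTEM"],
}

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
BUILTIN_AUTHORITIES = {"NT AUTHORITY", "BUILTIN", "NT SERVICE"}


def classify_member(host, member):
    """Return 'local', 'domain', 'builtin' or 'orphaned_sid' for one entry."""
    if SID_RE.match(member):
        # Windows shows a bare SID when the account no longer resolves
        # (deleted account or broken trust). Worth reporting, not onboarding.
        return "orphaned_sid"
    authority, _, name = member.partition("\\")
    if not name:
        return "local"          # bare name with no authority prefix
    auth_upper = authority.upper()
    if auth_upper in BUILTIN_AUTHORITIES:
        return "builtin"
    if auth_upper == host.upper():
        return "local"          # HOST\\account: a local account on that host
    return "domain"             # any other authority is a domain principal


def plan_discovery(inventory):
    """Split members into per-host local targets and deduplicated domain principals.

    Returns (local_targets, domain_principals, findings):
      local_targets     - list of (host, account) pairs, one per local account
      domain_principals - dict: upper-cased principal -> set of hosts it is admin on
      findings          - human-readable anomalies (unresolved SIDs)
    """
    local_targets = []
    domain_principals = defaultdict(set)
    findings = []
    for host, members in inventory.items():
        for member in members:
            kind = classify_member(host, member)
            if kind == "local":
                local_targets.append((host, member.split("\\")[-1]))
            elif kind == "domain":
                # Same identity everywhere: record the hosts, not a new target.
                domain_principals[member.upper()].add(host)
            elif kind == "orphaned_sid":
                findings.append(f"{host}: unresolved SID {member} in Administrators")
    return local_targets, dict(domain_principals), findings


if __name__ == "__main__":
    locals_, domains, notes = plan_discovery(SAMPLE_INVENTORY)
    print("Local targets (one per host):")
    for host, acct in locals_:
        print(f"  {host}\\{acct}")
    print("Domain principals (managed once, in AD):")
    for principal, hosts in sorted(domains.items()):
        print(f"  {principal}: admin on {sorted(hosts)}")
    for note in notes:
        print("Finding:", note)
```

With the sample data the three hosts yield four local targets, while the two domain principals collapse to two entries that between them hold five host memberships, which is the duplication the answer above warns about if each membership became its own PAM target. The unresolved SID is surfaced as a finding rather than silently dropped, since stale admin-group entries are a common audit item.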


  • 3.  RE: Windows domain account discovery

    Posted Mar 26, 2020 12:20 PM
    So if we have a domain admin group added to the local admin group of a server, can we add this domain admin group as a target account in PAM, so that whichever user is present in the domain admin group can access the server? Or is there any way to simplify it?


  • 4.  RE: Windows domain account discovery

    Broadcom Employee
    Posted Mar 26, 2020 01:32 PM
    Your latest question appears to be related to device access rather than credential management. You can import AD user groups into PAM and define policies for the group. Whoever is in the group will be able to access the servers that are defined in the policies for this user group. Which credential you use to auto-logon to the server is a different question. If you want those domain users to logon with their own credentials, you don't need to define auto-logon and just let them use their domain credentials to logon to the target servers. In general you do not want PAM to manage the password of your PAM users' domain credentials, as those are typically used for laptop/desktop logon and changed outside of PAM. If you configure auto-logon in access policies, you have to configure specific target accounts, not target account groups.


  • 5.  RE: Windows domain account discovery

    Posted Mar 27, 2020 04:13 AM
    Thanks Ralf.