Windows Remote UAC Setting in a Group Policy Workaround
Article ID: 118437
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
Issue/Introduction
PAM Admin would like to know how to set the GPO Option for our UAC Policy for Windows Remote:
If User Access Control is enabled on the target server, and the administrator account for password management is a local administrator, set this registry value. This registry setting gives the Windows Remote Connector access to perform SMB and WMI operations on the target server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001
If User Access Control is enabled on the target server, and the administrator account for password management is a local administrator, set this registry value. This registry setting gives the Windows Remote Connector access to perform SMB and WMI operations on the target server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001
Environment
PAM 3.x
Resolution
LocalAccountTokenFilterPolicy can not be set through an explicit configuration option within the Group Policy Management Editor. Instead it needs to be set through the definition of a custom registry key property. Within the Group Policy Management Editor this can be done at the following location:
- gpmc.msc
- Create an Organizational Unit called "PAM Windows Remote Servers"
- Add all PAM Windows Remote Servers to this list
- Right Click on this new Organizational Unit
- Select "Create a GPO in this domain, and Link it here"
- Give the GPO a "NAME" (IE: PAM WMI Registry Settings GPO)
- Select this newly create GPO
- Right click on it and select "Edit"
- Under Computer Configuration >> Preferences >> Windows Settings
- Right Click Registry >> New >> Registry Item:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value Name: LocalAccountTokenFilterPolicy
Value Type: REG_DWORD
Value Data: 1
Example:
You will also need to ensure the security policy is not restricting "Minimum password age" if you will be setting "Account can change own password" as the Windows Password Policy will be in effect prohibiting multiple password rotation in a day.
If the Windows Server is a standalone(not joining AD domain) then you can modify the local security policy but if it joins a domain then you will need to modify this from GPO at the domain controller.
If you select "Use the following account to force change password" and choose another admin account then the password can be rotated multiple times a day even if the "Minimum password age" is set to 1.Feedback
Yes
No
Powered by
