A user tried to test a PROGRAM class rule, but the rule did not take effect, and the audit log did not record the access event:
er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a)
authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator')
The same rule takes effect on another server running Windows Server 2012 R2.
Comparing the settings on the working server and the problematic server showed that the FILE class is disabled on the problematic server.
Checking the behavior in the tracer log shows that the PROGRAM class check is triggered by the FILE access.
The issue is not caused by a difference in OS or PIM/PAMSC version.
OS: Windows Server 2016
Product: CA Privileged Access Manager r14.0 CR1 for Endpoint
The FILE class must be enabled for PROGRAM class rules to work.
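As an added illustration (not part of the original article), a selang session that lists class status, enables the FILE class, and re-displays the PROGRAM rule so the result can be verified; the setoptions syntax is assumed from the selang command reference, not taken from this article.

```selang
# Assumed selang commands (not from the original article).
# 1. Show which classes are currently active; FILE should appear as disabled
#    on the problematic server.
setoptions list
# 2. Activate the FILE class so that file-access interception, and with it
#    the PROGRAM class check, takes place.
setoptions class(FILE)
# 3. Re-display the PROGRAM rule and re-run the notepad test; the audit log
#    should now record the EXECUTE access event.
showres PROGRAM ('C:\Windows\System32\notepad.exe')
```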