PIM/PAMSC All:PROGRAM class does not work on Windows 2016


Article ID: 129665




CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)


A user tested a PROGRAM class rule, but the rule does not take effect. In addition, the access event is not recorded in the audit log.
  setoptions class+(PROGRAM) 
  er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a) 
  authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator')
The same rule takes effect on another server that is running Windows Server 2012 R2.


OS: Windows Server 2016
Prod: CA Privileged Access Manager r14.0 CR1 for Endpoint


I compared the settings on the normal and the problematic server, and found that the FILE class is disabled on the problematic server.
When I checked the behavior with the tracer's log, the PROGRAM class check was triggered by FILE access.
It is not caused by a difference in OS or PIM/PAMSC version.


The FILE class must be enabled for the PROGRAM class to work.