PAM Client only starts as Administrator
Article ID: 185943
Updated On:
Products
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
What is the reason CA PAM Client only runs on Windows when launched as Administrator? What can be done to avoid this so that unprivileged users can run the PAM Client?
Environment
Release : Any CA PAM client as of October 2023
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
User Account Control (UAC) in current Windows versions blocks PAM Client's access to resources like
%ProgramFiles%
%ProgramFiles(x86)%
%WinDir%
%WinDir%\System32
HKEY_LOCAL_MACHINE\Software
when the process is launched by a non-Administrative users - event the user might have explicit permissions.
%ProgramFiles%
%ProgramFiles(x86)%
%WinDir%
%WinDir%\System32
HKEY_LOCAL_MACHINE\Software
when the process is launched by a non-Administrative users - event the user might have explicit permissions.
Resolution
To overcome this issue set the CAPAMClient.exe properties Compatibility Mode for all users to "Windows 8, Windows 7 or any other version"
Now the user is prompted by UAC if the operation is permitted even when launched by an unprivileged user.
Now the user is prompted by UAC if the operation is permitted even when launched by an unprivileged user.
Additional Information
Some other workarounds:
- Don't install the PAM Client to Program Files. By default we try to install the CA PAM Client to \users\<userid>\CA PAM Client - if you install it to this location that UAC doesn't prevent our application
- You can go into the properties of our executable and click "Change settings for all users" -> than click "Run this program as an administrator"
Feedback
Yes
No
Powered by
