PAM Client only starts as Administrator

book

Article ID: 185943

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

What is the reason CA PAM Client only runs on Windows when launched as Administrator? What can be done to avoid this so that unprivileged users can run the PAM Client?

Cause

User Account Control (UAC) in current Windows versions blocks PAM Client's access to resources like

%ProgramFiles%
%ProgramFiles(x86)%
%WinDir%
%WinDir%\System32
HKEY_LOCAL_MACHINE\Software

when the process is launched by a non-Administrative users - event the user might have explicit permissions.

Environment

Release : 3.3.x and PAM 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

To overcome this issue set the CAPAMClient.exe properties Compatibility Mode for all users to "Windows 8, Windows 7 or any other version"




Now the user is prompted by UAC if the operation is permitted even when launched by an unprivileged user.

Additional Information

Some other workarounds:

- Don't install the PAM Client to Program Files.  By default we try to install the CA PAM Client to \users\<userid>\CA PAM Client - if you install it to this location that UAC doesn't prevent our application

- You can go into the properties of our executable and click "Change settings for all users" -> than click "Run this program as an administrator" 

Attachments