
AD user group deletion impact in PAM


Article ID: 214970


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

1. PAM has an Access Policy tied to an AD group

2. AD group gets deleted

What happens to the policy and the account that is associated with the policy?

Environment

Applies to any PAM release as of May 2021.

Resolution

User groups deleted in AD are not automatically deleted in PAM. Policies associated with the user group remain intact until the policies themselves are deleted or the user group is deleted by a PAM admin. During the LDAP group refresh, the session logs should show messages similar to the following:

"PAM-LDAP-0007: Updating LDAP Group CN=pamtempusergroup,CN=Users,DC=rppam,DC=net failed. Connection to all configured LDAP servers failed. 0 New Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, 0 Users Retrieved From LDAP Directory Server"
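Because PAM keeps the group and its policies after the AD side is gone, the practical defender's task is to notice the failing refreshes and review those groups by hand. The following Python script is an added example, not part of this article or of the PAM product: it parses session log lines for the PAM-LDAP-0007 message shape quoted above, extracts the group DN, the reason text and the seven counters, and lists groups whose refresh failed with zero users retrieved as candidates for a PAM admin to review. The regex is written from the one message in the article; the second and third PAM-LDAP-0007 lines, the timestamp prefix and the unrelated line are constructed test data and assume the message format stays the same across groups.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Regex for the PAM-LDAP-0007 message shape quoted in the article. The group DN
# sits between "Updating LDAP Group " and " failed.", a free-text reason
# follows, and seven counters close the message. search() is used so a
# timestamp or other prefix in front of the message does not matter.
LDAP_GROUP_FAIL_RE = re.compile(
    r"PAM-LDAP-0007: Updating LDAP Group (?P<dn>.+?) failed\.\s*"
    r"(?P<reason>.*?)\s*"
    r"(?P<new>\d+) New Users, (?P<updated>\d+) Updated Users, "
    r"(?P<deleted>\d+) Deleted Users, (?P<failed_new>\d+) Failed New Users, "
    r"(?P<failed_updated>\d+) Failed Updated Users, "
    r"(?P<failed_deleted>\d+) Failed Deleted Users, "
    r"(?P<retrieved>\d+) Users Retrieved From LDAP Directory Server"
)

COUNTER_FIELDS = ("new", "updated", "deleted", "failed_new",
                  "failed_updated", "failed_deleted", "retrieved")


@dataclass
class GroupRefreshFailure:
    dn: str
    reason: str
    new: int
    updated: int
    deleted: int
    failed_new: int
    failed_updated: int
    failed_deleted: int
    retrieved: int


def parse_ldap_refresh_failures(lines: Iterable[str]) -> List[GroupRefreshFailure]:
    """Return one record per PAM-LDAP-0007 line; unrelated lines are skipped."""
    records = []
    for line in lines:
        m = LDAP_GROUP_FAIL_RE.search(line)
        if not m:
            continue
        records.append(GroupRefreshFailure(
            dn=m.group("dn"),
            reason=m.group("reason").rstrip("."),
            **{k: int(m.group(k)) for k in COUNTER_FIELDS},
        ))
    return records


def group_cn(dn: str) -> str:
    """Value of the first RDN, e.g. 'pamtempusergroup' from 'CN=pamtempusergroup,CN=Users,...'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def stale_group_candidates(records: Iterable[GroupRefreshFailure]) -> List[str]:
    """DNs whose refresh failed and returned no members, in first-seen order.

    These are the groups an admin should check in AD and, if the group is gone,
    remove from PAM by hand: PAM does not delete them or their policies itself.
    """
    seen: List[str] = []
    for r in records:
        if r.retrieved == 0 and r.dn not in seen:
            seen.append(r.dn)
    return seen


# Constructed sample input. The first line is the message quoted in the
# article; the rest are constructed to exercise the parser and the filter.
SAMPLE_LOG_LINES = [
    "PAM-LDAP-0007: Updating LDAP Group CN=pamtempusergroup,CN=Users,DC=rppam,DC=net failed. "
    "Connection to all configured LDAP servers failed. 0 New Users, 0 Updated Users, "
    "0 Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, "
    "0 Users Retrieved From LDAP Directory Server",
    # Constructed: same shape, with a timestamp prefix, for a second group.
    "2021-05-12 10:00:01 PAM-LDAP-0007: Updating LDAP Group "
    "CN=constructedgroup,OU=Groups,DC=example,DC=test failed. "
    "Connection to all configured LDAP servers failed. 0 New Users, 0 Updated Users, "
    "0 Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, "
    "0 Users Retrieved From LDAP Directory Server",
    # Constructed: a failure that still retrieved members, so not a stale-group candidate.
    "PAM-LDAP-0007: Updating LDAP Group CN=partialgroup,OU=Groups,DC=example,DC=test failed. "
    "Constructed reason text. 0 New Users, 0 Updated Users, 0 Deleted Users, "
    "1 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, "
    "5 Users Retrieved From LDAP Directory Server",
    # Constructed: an unrelated line the parser must ignore.
    "Session started for user admin",
]


if __name__ == "__main__":
    found = parse_ldap_refresh_failures(SAMPLE_LOG_LINES)
    for rec in found:
        print(f"{group_cn(rec.dn)}: {rec.reason} (retrieved={rec.retrieved})")
    print("review in PAM:", stale_group_candidates(found))
```

Point the script at the exported session log instead of SAMPLE_LOG_LINES to get the list of groups to reconcile; a group that appears on that list refresh after refresh, while the LDAP servers are otherwise reachable, is the pattern this article describes.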