search cancel

AD user group deletion impact in PAM


Article ID: 214970


Updated On:


CA Privileged Access Manager (PAM)


1. PAM has a Access Policy tied to a AD group

2. AD group gets deleted

What happens to the policy and the account that is associated with the policy?


Applies to any PAM release as of May 2021.


User groups deleted in AD are not automatically deleted in PAM, and policies associated with the user group remain intact until they are deleted or the user group is deleted by a PAM admin. During LDAP group refresh the session logs should show messages similar to the following:

"PAM-LDAP-0007: Updating LDAP Group CN=pamtempusergroup,CN=Users,DC=rppam,DC=net failed. Connection to all configured LDAP servers failed. 0 New Users, 0 Updated Users, 0 Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, 0 Users Retrieved From LDAP Directory Server"