Local account not adding in PAM

Article ID: 228864

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A target account is defined with the application type Windows Proxy.

In the "Windows Proxy" configuration tab of the target account definition, the option "Use the following account to change the password" is selected, and an account with administrative privileges, defined for the same Windows Proxy application type, is specified.

The goal is to have a service account change or rotate the passwords of the unprivileged local accounts residing on the machine running Windows Proxy.

However, the target account fails to save, and the password is not updated at the target server.

Cause

By default, unless specified otherwise, PAM will try to save and synchronize the account with whatever password has been typed in the password field under Account, or whatever password has been generated in the same section of the Target Account definition.

If the password specified in that field does not match the real password of the target account at the target server, PAM will not use the Windows Proxy application to force the password change unless the "Force password change" option is selected in the Windows Proxy section of the Target Account definition.

Environment

CA PAM all versions

Resolution

Make sure that the "Force password change" checkbox is selected in the Windows Proxy section whenever defining a target account that is to be managed through another account.
