Cleanup of target accounts that no longer exist in the credential source
Article ID: 262601

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Is it possible for PAM to validate if an AD/LDAP target account created in the past still exists? Can PAM automatically delete accounts that no longer exist in the credential source?

Environment

Applies to any PAM release as of March 2023.

Resolution

PAM has no built-in feature that checks whether a target account still exists in the credential source. The only workflows that touch the credential source are password verification and password update, and an account is set to Unverified whenever either workflow fails for any reason. Unverified is therefore only a symptom: the account may have been deleted, but it may equally still exist with a stored password that is out of sync, or be locked or unreachable. From a PAM perspective the best option at this time is to run a Verify job on all accounts from the given credential source, retrieve the list of accounts that are Unverified afterwards, e.g. with the REST API resource "GET /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts", and use an external tool (an AD/LDAP query) to determine which of those accounts no longer exist. Only those accounts should be deleted, using the REST API resource "DELETE /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts/{accountId}"; the account ID needed for the DELETE call is returned by the GET call. Unverified accounts that still exist in the credential source need their verification problem fixed, not deletion.

If the credential source allows custom workflows on account deletion (for example a hook that runs when an AD/LDAP account is removed), an alternative is to have that workflow call the PAM REST API: look up the target account with the matching name using the GET resource above and, if one is found, remove it with the DELETE resource. This keeps PAM in step with the credential source without a periodic cleanup run.
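The following script is an added example illustrating both approaches above; it is not Broadcom code and not a documented PAM feature. It assumes that the GET resource returns a JSON array of account objects, that the field names `id`, `userName` and `accountState` and the literal state value `Unverified` are what your release returns (check the REST API reference or the Swagger UI on the appliance and adjust the constants), that the caller supplies a valid `Authorization` header value for a REST API user, and that the list of accounts still present in AD/LDAP comes from an external tool (for example an `ldapsearch` or `Get-ADUser` export, one sAMAccountName per line). The client defaults to dry-run mode so nothing is deleted until `dry_run=False` is passed explicitly. The sample data at the bottom is constructed for the demonstration.

```python
"""Reconcile PAM target accounts with an AD/LDAP export and delete orphans.

Added example, not Broadcom's code. Field names, the state literal and the
authentication header are ASSUMPTIONS to be checked against your PAM release.
"""
import json
import urllib.request

ID_FIELD = "id"                # ASSUMED: field holding the account ID returned by GET
NAME_FIELD = "userName"        # ASSUMED: field holding the target account name
STATE_FIELD = "accountState"   # ASSUMED: field holding the verification state
UNVERIFIED = "Unverified"      # ASSUMED literal matching the state shown in the UI


def load_existing_names(text):
    """Parse the external tool's output (one name per line, blanks ignored).
    Lower-cased because AD sAMAccountName comparison is case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def split_unverified(target_accounts, existing_names):
    """Split Unverified accounts into (orphans, still_present).

    orphans       -> gone from the credential source: candidates for DELETE
    still_present -> exist but failed verification for another reason
                     (password out of sync, locked, ...): fix, do not delete
    """
    existing = {n.lower() for n in existing_names}
    orphans, still_present = [], []
    for acct in target_accounts:
        if acct.get(STATE_FIELD) != UNVERIFIED:
            continue
        bucket = still_present if acct[NAME_FIELD].lower() in existing else orphans
        bucket.append(acct)
    return orphans, still_present


def find_account_id(target_accounts, name):
    """ID of the target account with this name, or None (used by a deletion hook)."""
    for acct in target_accounts:
        if acct[NAME_FIELD].lower() == name.lower():
            return acct[ID_FIELD]
    return None


class PamClient:
    """Minimal wrapper around the two REST resources named in the article."""

    def __init__(self, base_url, authorization, dry_run=True):
        self.base_url = base_url.rstrip("/")
        self.authorization = authorization   # header value supplied by the caller
        self.dry_run = dry_run               # default: report only, never delete

    def accounts_url(self, device_id, app_id):
        return (f"{self.base_url}/api.php/v1/devices.json/{device_id}"
                f"/targetApplications/{app_id}/targetAccounts")

    def account_url(self, device_id, app_id, account_id):
        return f"{self.accounts_url(device_id, app_id)}/{account_id}"

    def _request(self, method, url):
        req = urllib.request.Request(url, method=method, headers={
            "Authorization": self.authorization, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
            body = resp.read()
        return json.loads(body) if body else None

    def list_target_accounts(self, device_id, app_id):
        return self._request("GET", self.accounts_url(device_id, app_id)) or []

    def delete_target_account(self, device_id, app_id, account_id):
        """Returns True only when a DELETE was actually sent."""
        url = self.account_url(device_id, app_id, account_id)
        if self.dry_run:
            print(f"[dry-run] DELETE {url}")
            return False
        self._request("DELETE", url)
        return True

    def delete_by_name(self, device_id, app_id, name):
        """Deletion-hook variant: remove the PAM account matching a name just
        deleted in AD/LDAP. Returns the account ID handled, or None."""
        acct_id = find_account_id(self.list_target_accounts(device_id, app_id), name)
        if acct_id is not None:
            self.delete_target_account(device_id, app_id, acct_id)
        return acct_id

    def cleanup(self, device_id, app_id, existing_names):
        """Periodic variant: run after a Verify job. Returns IDs of orphans
        deleted (or that would be deleted in dry-run mode)."""
        accounts = self.list_target_accounts(device_id, app_id)
        orphans, still_present = split_unverified(accounts, existing_names)
        for acct in still_present:
            print(f"keep {acct[NAME_FIELD]} (id {acct[ID_FIELD]}): still exists, fix verification")
        for acct in orphans:
            self.delete_target_account(device_id, app_id, acct[ID_FIELD])
        return [acct[ID_FIELD] for acct in orphans]


# Constructed sample data standing in for a GET response and an AD export.
SAMPLE_TARGET_ACCOUNTS = [
    {"id": 101, "userName": "svc_backup", "accountState": "Verified"},
    {"id": 102, "userName": "svc_report", "accountState": "Unverified"},
    {"id": 103, "userName": "jdoe",       "accountState": "Unverified"},
    {"id": 104, "userName": "SVC_Legacy", "accountState": "Unverified"},
]
SAMPLE_AD_EXPORT = "svc_backup\nsvc_report\n\n"

if __name__ == "__main__":
    orphans, still = split_unverified(SAMPLE_TARGET_ACCOUNTS, load_existing_names(SAMPLE_AD_EXPORT))
    print("delete:", [a[NAME_FIELD] for a in orphans])   # jdoe, SVC_Legacy
    print("fix:   ", [a[NAME_FIELD] for a in still])     # svc_report
```

Run it once in dry-run mode and review the "keep" and "[dry-run] DELETE" lines before passing `dry_run=False`; the Verify job must have completed before the GET call, otherwise the state field does not reflect the current reality. The case-insensitive comparison matters because sAMAccountName is case-insensitive in AD while the name stored in PAM may not match the export's capitalisation.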

Product enhancement requests can be submitted on the Ideas page.