Target Account Name Impact on Active Directory Password Rotation
Article ID: 263552
Updated On:
Products
Issue/Introduction
A third-party software uses the PAM API to get an Active Directory target account name. However, the account name comes back at "targetaccount" rather than "[email protected]", which causes issues with the third party software. If the target account name was updated to be "[email protected]", would it have an impact on PAM's ability to rotate the password?
Environment
Privileged Access Manager, all versions as of April 2023
Resolution
When PAM rotates an Active Directory account's password, it used the Distinguished Name to make the LDAP connection. If the target account name is changed and the Distinguished Name still matches the user in Active Directory, then PAM will still be able to rotate the account's password in Active Directory. However, if there is an access policy associated with the target account, the RDP auto-connect will stop working. As such, this change can only be done for AD target accounts without access policies.
Feedback
