Target Account Name Impact on Active Directory Password Rotation
Article ID: 263552

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A third-party application uses the PAM API to get an Active Directory target account name. However, the account name comes back as "targetaccount" rather than "[email protected]", which causes issues with the third-party software. If the target account name were updated to "[email protected]", would it affect PAM's ability to rotate the password?

Environment

Privileged Access Manager, all versions as of April 2023

Resolution

When PAM rotates an Active Directory account's password, it uses the Distinguished Name to make the LDAP connection. If the target account name is changed and the Distinguished Name still matches the user in Active Directory, then PAM will still be able to rotate the account's password in Active Directory. However, if there is an access policy associated with the target account, the RDP auto-connect will stop working. As such, this change can only be made for AD target accounts without access policies.