Target accounts need to be reported on according to whether or not PAM manages the password and whether the password is verified or unverified. How can a report be generated for unmanaged accounts, unverified managed accounts, and verified managed accounts?
Privileged Access Manager, all versions
When storing accounts in the database, PAM has two columns for the password status: synchronized and passwordverified. The synchronized column refers to whether or not the account's password is managed in PAM, while the passwordverified column states whether the password is verified.
The Accounts Credential Manager report lists all accounts and can be filtered on synchronized (managed) or unsynchronized (unmanaged), but does not report whether or not the password is verified.
The Remote CLI utility can report on both the synchronized (managed) status and the verified status of accounts by running one of the following commands.
The command to list unsynchronized/unmanaged accounts:
capam_command capam=<PAM_HOST> adminUserID=<PAM_ADMIN> adminPassword=<PASSWORD> cmdName=searchTargetAccount TargetAccount.synchronize=false
The command to list synchronized/managed accounts with unverified passwords:
capam_command capam=<PAM_HOST> adminUserID=<PAM_ADMIN> adminPassword=<PASSWORD> cmdName=searchTargetAccount TargetAccount.synchronize=true TargetAccount.passwordVerified=false
The command to list synchronized/managed accounts with verified passwords:
capam_command capam=<PAM_HOST> adminUserID=<PAM_ADMIN> adminPassword=<PASSWORD> cmdName=searchTargetAccount TargetAccount.synchronize=true TargetAccount.passwordVerified=true
For information on how to install the Remote CLI or use the commands, please refer to the "Use the Remote CLI" section of the documentation.
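The three searches above can be run in one pass, with the raw CLI output written to one file per category. This is an added example, not code from the article or from the product: the category labels, function names, output file names and the PAM_HOST / PAM_ADMIN / PAM_PASSWORD variables are assumptions, and only the capam_command arguments come from the commands shown above.

```shell
#!/bin/sh
# Added example: one report file per password-status category.
# Filters are the ones given in the article; labels, file names and
# variable names are assumptions of this example.

# Map a category label to the searchTargetAccount filters from the article.
pam_filters() {
    case "$1" in
        unmanaged)          echo "TargetAccount.synchronize=false" ;;
        managed-unverified) echo "TargetAccount.synchronize=true TargetAccount.passwordVerified=false" ;;
        managed-verified)   echo "TargetAccount.synchronize=true TargetAccount.passwordVerified=true" ;;
        *) echo "unknown category: $1" >&2; return 2 ;;
    esac
}

# Run one search and write the raw CLI output to <outdir>/<category>.out.
# Expects PAM_HOST, PAM_ADMIN and PAM_PASSWORD to be set.
pam_report() {
    category=$1 outdir=$2
    filters=$(pam_filters "$category") || return 2
    # $filters is left unquoted on purpose: each filter is its own argument.
    capam_command capam="$PAM_HOST" adminUserID="$PAM_ADMIN" \
        adminPassword="$PAM_PASSWORD" cmdName=searchTargetAccount \
        $filters > "$outdir/$category.out"
}

# Produce all three reports; stop if the CLI or the file write returns
# non-zero (assumption: the CLI reports failures through its exit status).
pam_report_all() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    for c in unmanaged managed-unverified managed-verified; do
        pam_report "$c" "$outdir" || { echo "query failed: $c" >&2; return 1; }
    done
}

# Entry point: ./pam_password_status.sh --run <pam_host> <pam_admin> [outdir]
if [ "${1:-}" = "--run" ]; then
    PAM_HOST=$2 PAM_ADMIN=$3
    printf 'Password for %s: ' "$PAM_ADMIN" >&2
    stty -echo; IFS= read -r PAM_PASSWORD; stty echo; echo >&2
    umask 077   # report files readable by the invoking user only
    pam_report_all "${4:-pam-reports}"
fi
```

The password is prompted for rather than stored in the script, but it is still passed to the CLI as an argument, as in the article's commands, so it can appear in the host's process list while a query runs.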