New Active Directory Accounts Are Not Being Discovered by PAM
Article ID: 370213

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM has been managing Active Directory accounts DemoUser01, DemoUser02, and DemoUser03 for some time now. DemoUser04 and DemoUser05 were added to Active Directory recently, but the discovery job in PAM is not listing them.

When the discovery job runs, it reports that 2 new accounts were discovered.

However, the Discovered Accounts page lists only the target accounts that are already managed.

 

On the Domain Controller, all 5 users can be seen.

Environment

Privileged Access Manager, all versions

Cause

When the account discovery job runs against Active Directory, PAM uses the short name of the userPrincipalName (the part before the "@") as the target account name. In Active Directory itself, accounts are listed by their displayName value, so the two can differ without anything looking wrong on the Domain Controller.

In this case, the distinguishedName and displayName values for the new accounts were DemoUser04/DemoUser05 as expected, but the userPrincipalName values had been set incorrectly to DemoAdmin04/DemoAdmin05.

Resolution

In this case, the userPrincipalName values were corrected in Active Directory to match the displayName and distinguishedName values. When the discovery job was run again, PAM listed the discovered accounts as DemoUser04 and DemoUser05.

If there is a business need for the displayName and userPrincipalName values to differ, search for the userPrincipalName short name (in this case "DemoAdmin*") on the Discovered Accounts page; this shows that the accounts were in fact discovered by PAM, under the name PAM derives from the userPrincipalName.
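The following PowerShell script is an added example and is not part of this article or of PAM. It audits an OU for accounts whose userPrincipalName prefix (the name PAM's discovery job would report) differs from their displayName, so the mismatch described above can be found before anyone wonders why an account is "missing". The search base is a placeholder, the RSAT ActiveDirectory module and read rights on the OU are assumed, and the optional correction step only simulates the change with -WhatIf.

```powershell
# Added example, not from the KB article or from PAM. Assumes the RSAT
# ActiveDirectory module and rights to read (and, for the last step, modify)
# the accounts under the search base. The OU below is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Placeholder,DC=example,DC=com'   # placeholder: use your own OU

# displayName is not returned by default, so request it explicitly.
$users = Get-ADUser -Filter * -SearchBase $searchBase `
    -Properties userPrincipalName, displayName, distinguishedName

$mismatches = foreach ($u in $users) {
    # Accounts without a UPN are outside the scope of this check.
    if (-not $u.UserPrincipalName) { continue }

    # PAM names the discovered account after the part of the UPN before '@'.
    $upnShortName = ($u.UserPrincipalName -split '@')[0]

    if ($upnShortName -ne $u.DisplayName) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            DiscoveredAs      = $upnShortName    # search for this on the Discovered Accounts page
            UserPrincipalName = $u.UserPrincipalName
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Report every account PAM would list under a name other than its displayName.
$mismatches | Format-Table -AutoSize

# Optional correction, mirroring the resolution above: rebuild the UPN from the
# displayName and the existing UPN suffix. -WhatIf only reports what would change;
# remove it only after the list has been reviewed.
foreach ($m in $mismatches) {
    $suffix = ($m.UserPrincipalName -split '@')[1]
    $newUpn = "$($m.DisplayName)@$suffix"
    Set-ADUser -Identity $m.DistinguishedName -UserPrincipalName $newUpn -WhatIf
}
```

Review the report before removing -WhatIf: in many directories displayName holds a human-readable name with spaces and the UPN prefix is aligned with sAMAccountName instead, in which case the right fix is to adjust the filter to compare against sAMAccountName rather than to rewrite every UPN. The DiscoveredAs column is the value to type into the Discovered Accounts search when the two names are intentionally kept different.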