Using Domain Accounts for Windows Agentless Endpoint Definition.

Article ID: 40100


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Is it possible to use a Domain Account for defining a Windows Agentless endpoint for PUPM?

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager
Component: SEOSWG

Resolution

Normally, PUPM requires a local account on the endpoint to function fully in all aspects.

However, it is possible to define the endpoint using a Windows Domain Account instead, provided the endpoint is a member of that Windows Domain.

To do so, enter the following details in the Endpoint Definition dialog:

User Login:      <myDom\myDomainAccount>      <-- replace this with your actual details
Password:        xxxxxx
Host:            <myBox>                    <-- use the NetBIOS name of your endpoint
Host Domain:     <myDom>                    <-- this is the NetBIOS name of your Windows Domain
Is Active Directory: not checked
User Domain:     <myDom>


Then go to
Privileged Accounts / Accounts / Create Privileged Account

Account Name:    <myDomainAccount>          <-- note this is the domain account, even though you do not write e.g. myDom\myDomainAccount
Disconnected Account: checked               <-- since PUPM can only handle local accounts, as explained below
Endpoint Name:   <myBox>
Endpoint Type:   Windows Agentless


Drawback of this approach:
Since a password change can only be done for accounts local to the endpoint (local SAM, or AD in the case of a DC), you must define the account as a Disconnected Account.
Hence it is not possible to change this account's password automatically, e.g. upon Checkin / CheckOut.

You can still use the automatic login to this endpoint with Proxy_RDP or ActiveX_RDP, which in this case is performed using the Domain Account defined above.

Note that even when the box is defined using a Domain Account, the Discover Privileged Accounts Wizard still only sees accounts local to the endpoint (local SAM, or AD in the case of a DC).

Additional Information

Please review the section "Configure Windows Agentless Endpoints for SAM" in the CA Privileged Identity Manager documentation.