Using Domain Accounts for Windows Agentless Endpoint Definition.

Article ID: 40100

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)

Issue/Introduction

Question:

Is it possible to use a Domain Account to define a Windows Agentless endpoint for PUPM?


Answer: 


Normally PUPM requires a local account on the endpoint in order to work in all respects.

However, the endpoint can instead be defined with a Windows Domain Account, provided the endpoint is a member of that Windows Domain.

To do so, enter the following details in the Endpoint Definition dialog:

User Login:          myDom\myDomainAccount    <-- replace with your actual domain and account
Password:            xxxxxx
Host:                myBox                    <-- the NetBIOS name of the endpoint
Host Domain:         myDom                    <-- the NetBIOS name of the Windows Domain
Is Active Directory: not checked
User Domain:         myDom


Then go to
Privileged Accounts / Accounts / Create Privileged Account
and enter:

Account Name:         myDomainAccount      <-- the domain account, entered without the domain prefix (not myDom\myDomainAccount)
Disconnected Account: checked              <-- required, since PUPM can only manage local accounts (see the drawback below)
Endpoint Name:        myBox
Endpoint Type:        Windows Agentless


Drawback of this approach:
Since a password change is only possible for accounts local to the endpoint (the local SAM, or AD in the case of a Domain Controller), the account must be defined as a Disconnected Account.
Hence the password of this account cannot be changed automatically, e.g. upon Check-in / Check-out.

You can still use the automatic login to this endpoint via Proxy_RDP or ActiveX_RDP; in this case the login is performed with the Domain Account defined above.

Note that even when the endpoint is defined using a Domain Account, the Discover Privileged Accounts Wizard only ever sees accounts local to the endpoint (the local SAM, or AD in the case of a Domain Controller).
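As an added pre-flight check for both the Endpoint Definition fields above and the drawback just described (example code written for this article, not part of the CA product or its documentation), the following PowerShell script, run on the endpoint itself, collects the NetBIOS host and domain names the dialog expects, confirms the box is a domain member, and lists the local SAM accounts that the Discover Privileged Accounts Wizard would see, so you can verify that the chosen domain account is indeed not among them. The parameter name, variable names and output layout are this example's own choices; it assumes the endpoint can reach a domain controller over LDAP to look up the NetBIOS domain name.

```powershell
# Added example, not from the CA article: run ON the Windows endpoint before
# filling in the Endpoint Definition dialog. Parameter and variable names are
# this example's own.
param(
    # The value you intend to enter as "User Login", in DOMAIN\account form.
    [Parameter(Mandatory = $true)]
    [string]$UserLogin
)

if ($UserLogin -notmatch '^(?<dom>[^\\]+)\\(?<acct>[^\\]+)$') {
    throw "UserLogin must be given as DOMAIN\account, e.g. myDom\myDomainAccount"
}
$loginDomain = $Matches['dom']
$accountName = $Matches['acct']

# "Host" is the NetBIOS computer name (max 15 characters), not the FQDN.
$hostNetBios = $env:COMPUTERNAME

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$hostNetBios is not joined to a domain; a domain account cannot be used to define it."
}
# DomainRole 4 = backup DC, 5 = primary DC: no local SAM, PUPM sees AD accounts instead.
$isDomainController = $cs.DomainRole -ge 4

# "Host Domain" / "User Domain" need the NetBIOS domain name. Win32_ComputerSystem.Domain
# is the DNS name, so read nETBIOSName from the crossRef object of the computer's own
# domain in the Partitions container of the configuration naming context.
$rootDse = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
$searcher.Filter = "(&(objectClass=crossRef)(nCName=$($rootDse.defaultNamingContext)))"
[void]$searcher.PropertiesToLoad.Add('nETBIOSName')
$domainNetBios = [string]$searcher.FindOne().Properties['netbiosname'][0]

if ($loginDomain -ne $domainNetBios) {
    Write-Warning "Login domain '$loginDomain' is not the endpoint's domain '$domainNetBios'; the endpoint must be a member of the account's domain."
}

# Accounts the Discover Privileged Accounts Wizard can see on this box:
# the local SAM on a member server, AD on a domain controller.
if ($isDomainController) {
    Write-Host "$hostNetBios is a domain controller: discoverable accounts are AD accounts, there is no local SAM."
    $inLocalSam = $false
} else {
    $localUsers = ([ADSI]"WinNT://$hostNetBios,computer").Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object { [string]$_.Name }
    $inLocalSam = $localUsers -contains $accountName
    Write-Host "Local SAM accounts on $hostNetBios (what the wizard sees): $($localUsers -join ', ')"
}

# A domain account does not live in the local SAM, so PUPM cannot change its
# password and the privileged account must be created as Disconnected.
if ($inLocalSam) {
    $disconnected = 'not required ("' + $accountName + '" is a local SAM account)'
} else {
    $disconnected = 'checked ("' + $accountName + '" is not in the local SAM)'
}

# Field values to enter, in the order the article lists them.
[ordered]@{
    'User Login'           = "$domainNetBios\$accountName"
    'Host'                 = $hostNetBios
    'Host Domain'          = $domainNetBios
    'Is Active Directory'  = 'not checked'
    'User Domain'          = $domainNetBios
    'Account Name'         = $accountName
    'Disconnected Account' = $disconnected
}
```

Run it as `.\Check-AgentlessEndpoint.ps1 -UserLogin 'myDom\myDomainAccount'` (file name is the example's own); the ordered hashtable it prints maps one-to-one onto the dialog fields above, and the listed local SAM accounts are exactly the set the wizard and the automatic password change are limited to.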


Additional Information:


Please review the section Configure Windows Agentless Endpoints for SAM in the CA Privileged Identity Manager documentation.

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager