Is it possible to use a Domain Account for defining a Windows Agentless endpoint for PUPM?
Release: ACP1M005900-12.9-Privileged Identity Manager
Component: SEOSWG
Normally PUPM requires a local account on the endpoint to function fully in all respects.
However, it is possible to define the endpoint using a Windows Domain Account instead, provided that the endpoint is a member of that Windows domain.
To do so, enter the following details in the Endpoint Definition dialog:
User Login: <myDom\myDomainAccount>   <-- replace this with your actual details
Password: xxxxxx
Host: <myBox>   <-- use the NetBIOS name of your endpoint
Host Domain: <myDom>   <-- this is the NetBIOS name of your Windows domain
Is Active Directory: not checked
User Domain: <myDom>
Then go to Privileged Accounts / Accounts / Create Privileged Account and enter:
Account Name: <myDomainAccount>   <-- note this is the domain account, even though you do not write it as myDom\myDomainAccount
Disconnected Account: checked !!   <-- since PUPM can only handle local accounts, as explained below
Endpoint Name: <myBox>
Endpoint Type: Windows Agentless
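Before filling in the dialogs above, it helps to confirm the prerequisites from the endpoint itself: that it really is a domain member, which NetBIOS names to enter as Host and Host Domain (the DNS names will not do), and that the domain account you intend to use as User Login exists. The following PowerShell script is an added example, not part of the CA article or product; it assumes it is run on the endpoint as a domain user, and 'myDomainAccount' is a placeholder for your own account name.

```powershell
# Added example (not from the CA article): run on the Windows endpoint to confirm it
# is a domain member, print the NetBIOS names to enter as Host / Host Domain, and
# confirm the domain account that will be used as User Login exists in AD.
$accountToCheck = 'myDomainAccount'   # sAMAccountName of the domain account (placeholder)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is in workgroup '$($cs.Domain)', not a domain; a domain account cannot be used for this endpoint."
    return
}

# Host: the NetBIOS computer name (not the DNS host name)
$hostNetbios = $cs.Name

# Host Domain / User Domain: the NetBIOS domain name, read from the domain's
# crossRef object in the Configuration partition; Win32_ComputerSystem only
# exposes the DNS domain name.
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter = "(&(objectClass=crossRef)(nCName=$($rootDse.defaultNamingContext)))"
$domainNetbios = $searcher.FindOne().Properties['netbiosname'][0]

# Confirm the account exists in the domain before entering it as User Login.
# (Searching without a SearchRoot uses the current domain's default naming context.)
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$accountToCheck))"
$userFound = $null -ne $userSearch.FindOne()

[pscustomobject]@{
    'Host (NetBIOS)'        = $hostNetbios
    'Host Domain (NetBIOS)' = $domainNetbios
    'DNS domain'            = $cs.Domain
    'User Login'            = "$domainNetbios\$accountToCheck"
    'Account exists in AD'  = $userFound
}
```

If 'Account exists in AD' is False, check the spelling of the account name in the domain rather than in the PUPM dialog, since a disconnected account will not be validated by a password change.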
Drawback of this approach:
Since password change can only be performed for accounts local to the endpoint (the local SAM, or AD in the case of a DC), you must define the account as a Disconnected Account.
Hence it is not possible to change this account's password automatically, e.g. upon Checkin / CheckOut.
You can still use the automatic login to this endpoint via Proxy_RDP or ActiveX_RDP, which in this case is performed using the Domain Account defined above.
Note that even when the endpoint is defined using a Domain Account, the Discover Privileged Accounts Wizard only ever sees accounts local to the endpoint (the local SAM, or AD in the case of a DC).
Please review the section Configure Windows Agentless Endpoints for SAM in the CA Privileged Identity Manager documentation.