You have a requirement to get a report that shows the last time the password was changed for each target account, and by which user. The built-in Credential Manager reports don't include this information.

Attached is a powershell script that demonstrates creation of a sample report in CSV format, providing the password updated and update user for each target account. For accounts without password history, these fields are set to "NULL". In the sample script the following columns are put in the report:

"Account Name","Target App Name","Target Server Name","Descriptor 1","Descriptor 2","Account Created","Password Updated","Update User"

The descriptor fields are those of the target accounts.

The script gets all target accounts, all target applications and all target servers using remote CLI commands and writes the raw data to files. The commands are submitted directly to the PAM server. It is not necessary to install the remote CLI tool, but the remote CLI needs to be enabled, see section Enable the Credential Manager CLI on documentation page Install and Set Up the Remote CLI and Java API. The raw files can be viewed to see which attributes are available for each type of object. Only minor modifications of the script would be needed to add columns to the report, such as the target application type etc.

The script asks for the PAM server address, and PAM user credentials. The PAM user must have access to all target data. It was tested successfully with powershell 5.1 against PAM 4.1.X releases using the super user, processing about 50 accounts per second once the lists of accounts, applications and servers are retrieved.

There is no command to retrieve the password history for a list of accounts. A separate getMostRecentPasswordHistory command has to be issued for each account. To improve performance the script uses the batchSequence remote CLI command to submit a batch of commands in one call and thus demonstrates the use of this special command as well.

See KB 281594 for a similar script that retrieves the password view policies for each account.

Note:  The following CLI calls being used in this script have a default page size of 10,000 records:

• searchTargetAccount
• searchTargetApplication
• searchTargetServer

If you have more than 10,000 Target Accounts, Servers or Applications, update these calls by adding a Page.Size parameter that exceeds the number of records you have.

Example:  Updating the searchTargetAccount call to use a page size of 100,000:

    $searchTAccts = "https://$pamserver/cspm/servlet/adminCLI?adminUserID=$username&adminPassword=$password&cmdName=searchTargetAccount&Page.Size=100000"