Symantec Privileged Access Management


Domain Account Password Management

  • 1.  Domain Account Password Management

    Posted Jun 15, 2017 05:02 PM

    Is it possible to configure PAM to allow CAC authenticated domain users to retrieve password of a Domain Admin account? Our Service Desk contacts the SysOps department on a daily basis to remove their CAC enforcement option in AD to allow them to logon to a new computer in order to join it to the domain. We were thinking about creating a Domain Account and allow Service Desk to login to PAM, retrieve that Domain Admin account credentials, use those credentials to join the machine to the domain and then check the password back in. We also want the password to be changed on view (CPOV).



  • 2.  Re: Domain Account Password Management

    Broadcom Employee
    Posted Jun 15, 2017 05:58 PM

    Hi Bashir, you can do this if you use a Windows Domain Service or Windows Proxy target application to manage the domain admin account in CA PAM. You can create a user group for the Service Desk operators and define a policy for the group that allows them to view the password. The target account can be configured with a Password View Policy (PVP) that includes the "Change Password on View" option.



  • 3.  Re: Domain Account Password Management
    Best Answer

    Posted Jun 16, 2017 11:24 AM

    The one thing I will add to what Ralf wrote is that you will need to specify the AD Device as the Credential Source for that group.



  • 4.  Re: Domain Account Password Management

    Broadcom Employee
    Posted Jun 16, 2017 11:42 AM

    Not quite. I was talking about a user group. Credential sources are configured for device groups, not user groups. My understanding was that the user group needs to be able to view the password of the domain admin rather than having the ability to use that target account for auto-login to a group of devices. Ed's comment relates to the latter use case.



  • 5.  Re: Domain Account Password Management

    Posted Jun 21, 2017 02:18 PM

    Ralf, you're correct with your assumption that the user group needs to be able to view the password of the domain admin. We don't use the auto-login feature.

    That being said, I tried to create a policy for the user group but get prompted to select a Device. What am I doing wrong?



  • 6.  Re: Domain Account Password Management

    Broadcom Employee
    Posted Jun 21, 2017 02:25 PM

    Hi Bashir, every target account in CA PAM is associated with a target application, which in turn is associated with a device. The policy would have to be between the user group and the device to which the target account in question belongs.



  • 7.  Re: Domain Account Password Management

    Posted Jun 26, 2017 03:18 PM

    Hi Ralf, I created a target account and associated it with a device which is a Domain Controller, and successfully verified the password by updating both the password authority server and the target. For the account details I selected "use credentials from the following account" and selected the Xsuite SVC account. For the Distinguished Name I manually entered "CN=EP_BCK_DA_01,OU=PAM Managed Backup Accounts,OU=Service Accounts,OU=Administrative,DC=internal,DC=dss,DC=mil". Next I created a policy. User (Group)=Domain Admins and Device (Group)=Domain Controller. It all seemed to work, but when I logged off the super user and logged in with my Domain Admin account, I didn't see the account.

    Keep in mind the EP_BCK_DA-01 account is a new account I created just last week. Does that account need to be imported from AD or is PAM already integrated with AD and automatically pulls it from AD? I'm not sure about that part and think that's where my problem may be.



  • 8.  Re: Domain Account Password Management

    Broadcom Employee
    Posted Jun 26, 2017 03:37 PM

    Hi Bashir, do you have view of this target account password configured in the policy? This has to be done explicitly. My understanding is that you want this account only for password management in PAM, not for user access. In that case there is no need to import this account on the access side, the target account configuration you have is sufficient. You just have to make sure that you enable password view for this account in the device-user group policy and make sure that the user group is allowed to view passwords in general. A user group with a Standard User role and no specific PM role assigned to it would have this permission.
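    The replies in posts 6 and 8 describe the access model that tripped up the original poster: a target account belongs to a target application, the application belongs to a device, and the policy that grants password view is written between the user group and that device, with the account added explicitly in the policy's Password section. The following is an added illustrative model of that resolution logic written for this thread; it is not CA PAM's code or API. The class names, the device names, the sample password and the rule that a "Standard User" group with no PM role may view passwords (taken from post 8) are assumptions made for the example. It also shows the "Change Password on View" behaviour from post 2 as a rotation after each successful view.

```python
# Added illustrative model (not CA PAM's own code or API) of the policy
# resolution described in this thread: target account -> target application
# -> device, then a policy between the user's group and that device, with
# password view enabled explicitly for the account.
from dataclasses import dataclass, field
from typing import List, Optional, Set
import secrets
import string


@dataclass(frozen=True)
class Device:
    name: str


@dataclass(frozen=True)
class TargetApplication:
    name: str
    device: Device                   # every target application belongs to a device


@dataclass
class TargetAccount:
    name: str
    application: TargetApplication   # every target account belongs to an application
    password: str
    change_on_view: bool = False     # the "Change Password on View" PVP option


@dataclass(frozen=True)
class UserGroup:
    name: str
    role: str = "Standard User"
    pm_role: Optional[str] = None


@dataclass
class Policy:
    user_group: str
    device: str
    # Accounts explicitly added in the policy's "Password" section
    password_view_accounts: Set[str] = field(default_factory=set)


def group_may_view_passwords(group: UserGroup) -> bool:
    # Assumption from post 8: a Standard User group with no specific PM role
    # keeps the general permission to view passwords.
    return group.role == "Standard User" and group.pm_role is None


def find_policy(policies: List[Policy], group: UserGroup, device: Device) -> Optional[Policy]:
    # The policy is keyed on (user group, device), never on the account itself.
    for policy in policies:
        if policy.user_group == group.name and policy.device == device.name:
            return policy
    return None


def can_view_password(group: UserGroup, account: TargetAccount, policies: List[Policy]) -> bool:
    device = account.application.device          # account -> application -> device
    policy = find_policy(policies, group, device)
    return (policy is not None
            and account.name in policy.password_view_accounts
            and group_may_view_passwords(group))


def rotate_password(length: int = 24) -> str:
    # Constructed generator standing in for the password authority's rotation.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def view_password(group: UserGroup, account: TargetAccount, policies: List[Policy]) -> str:
    """Return the current password; rotate it afterwards when change-on-view is set."""
    if not can_view_password(group, account, policies):
        raise PermissionError(f"{group.name} may not view {account.name}")
    shown = account.password
    if account.change_on_view:
        account.password = rotate_password()
    return shown


def demo() -> dict:
    # Constructed scenario mirroring the thread: a domain admin account managed
    # through a Windows Domain Service application on a domain controller.
    dc = Device("dc01.example.internal")
    domain_svc = TargetApplication("Windows Domain Service", dc)
    acct = TargetAccount("EP_BCK_DA_01", domain_svc, "Constructed-Initial-P@ss", change_on_view=True)
    service_desk = UserGroup("Service Desk")
    member_server = Device("srv01.example.internal")

    wrong_device = [Policy("Service Desk", member_server.name, {acct.name})]  # policy on the wrong device
    missing_section = [Policy("Service Desk", dc.name)]                        # account not added under "Password"
    correct = [Policy("Service Desk", dc.name, {acct.name})]

    results = {
        "wrong_device": can_view_password(service_desk, acct, wrong_device),
        "no_password_section": can_view_password(service_desk, acct, missing_section),
        "correct": can_view_password(service_desk, acct, correct),
    }
    shown = view_password(service_desk, acct, correct)
    results["rotated_after_view"] = acct.password != shown and len(acct.password) == 24
    return results


if __name__ == "__main__":
    print(demo())
```

The two failing cases in `demo()` are the ones this thread works through: a policy that names the wrong device for the account's application, and a policy on the right device that never had the account added in its Password section. Only the third policy grants the view, and with change-on-view set the stored password differs from the one that was shown as soon as the view completes.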



  • 9.  Re: Domain Account Password Management

    Posted Jun 27, 2017 10:19 AM

    Ralf, if you're talking about the "Password" section in the policy right below "Services" and directly above the "OOB & Power" fields, then yes, I do have it set. There was an "ADD" option that I clicked, selected the host which showed the account, but it's still not displaying when I log in with my Admin account.



  • 10.  Re: Domain Account Password Management

    Broadcom Employee
    Posted Jun 27, 2017 11:17 AM

    Hi Bashir, there must be something simple that we are missing that would be obvious in a remote session. Please open a support case and someone will help you with it.



  • 11.  Re: Domain Account Password Management

    Posted Jul 05, 2017 04:23 PM

    Ralf and Ed, I appreciate your inputs on this matter. With your recommendations, I was able to achieve the goal.

    What helped me was "every target account in CA PAM is associated with a target application, which in turn is associated with a device. The policy would have to be between the user group and the device to which the target account in question belongs". I specified a Domain Controller as the target device and target application. Hope this helps others with similar issues.



  • 12.  Re: Domain Account Password Management

    Posted Jun 16, 2017 02:34 PM

    Thanks for the quick reply Ralf. I'll explore this route and comment back if I run into anything that can help others obtain the same goal.