Symantec Privileged Access Management

  • 1.  User created using Selang does not have password property set by OS

    Posted May 10, 2017 07:11 AM

    Hi team,

    When we create any local user by selang

    AC> eu username native password(xxxxx)

    it does not take the password set by OS. How can we create such users which should take the default password policy set by OS?

    ControlMinder: 12.8

    Endpoint: SuSE

    ITSAT

    VOLVOCARS



  • 2.  Re: User created using Selang does not have password property set by OS

    Broadcom Employee
    Posted May 10, 2017 08:48 AM

    Hello,

    AC is ignorant of the local OS' password policy.

    What you can do instead is to create another password policy in AC which is as strict or even stricter than the OS one.

    How this is done is explained here:

    https://docops.ca.com/ca-privileged-identity-manager/12-9-02/EN/administrating/endpoint-administration-for-windows/managing-user-passwords

    Configure Password Quality Checking

    Account Passwords set in selang would then match both the OS and the AC password policy.



  • 3.  Re: User created using Selang does not have password property set by OS

    Posted May 15, 2017 02:33 AM

    Hi Andreas,

    Thank you.

    Setting a password policy in AC is a good idea, but if the user changes his password with the passwd command, then the new password will not comply with the AC policy.

    How can we meet this requirement?

    Are you saying we need to create a password policy on both the OS level and the AC level?



  • 4.  Re: User created using Selang does not have password property set by OS

    Broadcom Employee
    Posted May 15, 2017 03:11 AM

    Hello,

    Please see our documentation

    https://docops.ca.com/ca-privileged-identity-manager/12-9-02/EN/implementing/sesu-and-sepass-utilities

    Quoting here for your convenience:

    "We recommend that you use sepass instead of the operating system's passwd command and sesu instead of the su command. To do this, you need to save the original system binaries and replace them with symbolic links to sepass and sesu respectively. Once this is done, you need to make sure you can always use these utilities."

    Regarding your concern - once you have PIM implemented accordingly it would basically overrule the OS Password Policy so that this would not come into effect (as long as it is equally or less strict than the PIM pwd policy).

    Best Regards,

    Andreas
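
An added example, not part of the thread or of the vendor documentation: a small audit for the replacement quoted in the last reply, confirming that passwd and su are symbolic links to sepass and sesu, that the link targets are executable, and that the original binaries were saved. The directory arguments, the `.orig` backup suffix and the function names are assumptions; use the locations from your own endpoint.

```shell
#!/bin/sh
# Added example: audit the passwd -> sepass and su -> sesu replacement.
# All directories and the ".orig" backup suffix are assumptions; pass the
# locations used on your endpoint.

# check_wrapper OS_BINARY PIM_UTILITY SAVED_ORIGINAL
# Prints one status line; returns 0 only when the symbolic link is in place,
# its target is executable, and the original binary was saved.
check_wrapper() {
    os_bin=$1; pim_util=$2; saved=$3
    if [ ! -L "$os_bin" ]; then
        echo "FAIL $os_bin is not a symbolic link (OS binary still in place)"
        return 1
    fi
    target=$(readlink "$os_bin")
    if [ "$target" != "$pim_util" ]; then
        echo "FAIL $os_bin links to $target, expected $pim_util"
        return 1
    fi
    if [ ! -x "$pim_util" ]; then
        echo "FAIL $pim_util is missing or not executable (dangling link)"
        return 1
    fi
    if [ -L "$saved" ] || [ ! -f "$saved" ]; then
        echo "FAIL saved original $saved not found as a regular file"
        return 1
    fi
    echo "OK   $os_bin -> $pim_util (original saved as $saved)"
}

# audit_wrappers OS_BIN_DIR PIM_BIN_DIR
# Checks both replacements and returns non-zero if either one is incomplete.
audit_wrappers() {
    bindir=$1; pimdir=$2; rc=0
    check_wrapper "$bindir/passwd" "$pimdir/sepass" "$bindir/passwd.orig" || rc=1
    check_wrapper "$bindir/su" "$pimdir/sesu" "$bindir/su.orig" || rc=1
    return $rc
}

# Example call (placeholder directories, adjust to the endpoint):
#   audit_wrappers /usr/bin /path/to/pim/bin
```

A failing line for passwd means users can still change passwords through the OS binary, which is the gap raised in post 3.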