PowerShell command to synchronize PAM account

Resolved Implemented


I'm trying to automate the creation of PAM vaults and the accounts in them. It works well for the creation of the PAM Vault:

$DSUsers = Get-DSUser -All
$DSUsers = $DSUsers.Data | Select ID, name
$idUser = $DSUsers | Where-Object { $_.Name -eq $user } | Select-Object -ExpandProperty ID
$security = @()
$security = New-DSPamSecurity -Role Reader -Mode Override -UserID $idUser
New-DSPamFolder -Name $user -Security $security -AsNewvault

and the PAM account:

$VaultPAM_New = Get-DSPamFolder
$VaultPAMCreate = $VaultPAM_New.Data | Where IsPamVault -eq $true | Select name, ID
$VaultID = $VaultPAMcreate | Where-Object { $_.Name -eq $user} | Select-Object -ExpandProperty ID
New-DSPamAccount -Name $PamAccount -CredentialType DomainUser -FolderID "$VaultID" -Username $user -Password "Password" -ProviderID $ProviderID

but I cannot automate the synchronization of the PAM account created with the LDAP account created previously (with the same password). A click on "Check sync status" in Devolutions Server works, but I can't automate it.

And is there also a PowerShell command allowing you to reset the password if it is not synchronized?

thx

All Comments (6)


Hello,

It is not possible to synchronize the PAM account with a cmdlet, but you can automate a checkout and check-in request after the account is added. Once completed, the account(s) will be synchronized. You can also use the $Response if you want to validate anything else at the same time.

$Response = Invoke-DSPamCheckout -PamCredentialID '92e1d27f-6e7b-4c62-86da-a04fc22603c2'  -Verbose
$CheckoutInfo = $Response.Data.CheckoutInfo
Invoke-DSPamCheckin $CheckoutInfo


Best regards,

Richard Boisvert
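
The checkout and check-in cycle from the reply above, wrapped so the credential is always checked back in, as an added example that is not part of the original thread or Devolutions code. The function name `Invoke-PamSyncCycle` and its `-Validate` parameter are hypothetical; only `Invoke-DSPamCheckout`, `Invoke-DSPamCheckin` and `$Response.Data.CheckoutInfo` come from the reply, and an already authenticated module session is assumed.

```powershell
# Added example (hypothetical helper, not part of the Devolutions module).
# Assumes the session to Devolutions Server is already authenticated.
function Invoke-PamSyncCycle {
    [CmdletBinding()]
    param(
        # One or more PAM credential IDs, as passed to Invoke-DSPamCheckout.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $PamCredentialID,

        # Optional extra check on the checkout response; a throw marks the run failed.
        [scriptblock] $Validate
    )
    process {
        foreach ($id in $PamCredentialID) {
            $checkoutInfo = $null
            $status = 'CheckoutFailed'
            try {
                $response = Invoke-DSPamCheckout -PamCredentialID $id
                $checkoutInfo = $response.Data.CheckoutInfo
                if ($null -ne $checkoutInfo) {
                    $status = 'CheckedOut'
                    if ($Validate) { & $Validate $response | Out-Null }
                }
            }
            catch {
                $status = 'Failed'
                Write-Warning "Checkout or validation failed for ${id}: $($_.Exception.Message)"
            }
            finally {
                # Never leave the account checked out, even if validation threw.
                if ($null -ne $checkoutInfo) {
                    try {
                        Invoke-DSPamCheckin $checkoutInfo | Out-Null
                        if ($status -eq 'CheckedOut') { $status = 'CheckedIn' }
                    }
                    catch {
                        $status = 'CheckinFailed'
                        Write-Warning "Check-in failed for ${id}: $($_.Exception.Message)"
                    }
                }
            }
            # One result object per account so a batch run can be audited.
            [pscustomobject]@{ PamCredentialID = $id; Status = $status }
        }
    }
}

# Usage with the ID shown in the reply above:
# '92e1d27f-6e7b-4c62-86da-a04fc22603c2' | Invoke-PamSyncCycle
```

Any row whose `Status` is not `CheckedIn` identifies an account to review by hand in the server.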


Hello,

I think this solution works when the password is configured to be reset at check-out, unfortunately I can no longer find or enable this option.


Hi,

I've found the option when you import a user by the interface: "Reset password during import"
But I created the PAM account via this PowerShell command, and I think this password reset is not included.
Here is the command:

# Single quotes keep PowerShell from expanding $$ inside the password
New-DSPamAccount -Name DomAcc -CredentialType DomainUser -FolderID $folderID -Username MyUsername -Password 'Pa$$w0rd!' -ProviderID $providerID -Security $security

Thanks


Hello,

The cmdlet Get-DSPamAccountSyncStatus should do the same as the 'Check Sync status' in the server.

A ticket will be opened to allow a password reset during the creation of new accounts, as well as for existing ones.

Best regards,
Maxime


Hello,

In the latest module version, 2024.1.1, we've added the Reset-DSPamPassword cmdlet to automatically reset the password of a PAM account. Please let us know if you need further assistance.

Best regards,
Maxime


Hello,

Thanks for this feature.

Regards,