Local windows provider sync account

At the moment I've created my first PAM local windows provider connection.

I had to create a local user on the server and add it to the Administrator group.
Now this password is static and in theory will never change. Is it possible to add this account to a pam rotation so it is not static?

I was thinking about creating a SYNC account pam-vault specific for provider accounts so I can have a set rotation schema for these.

All Comments (4)

Hi,

I don't know if the server/workstation is joined to a domain...

If the asset is standalone, it means it is in itself an Identity Provider. You need to register it as such. Also, we need one administrative account to perform PAM capabilities (this one is static for now...). Let's call it PAM_ADMIN.

The PAM_ADMIN account is used to manage accounts on the asset, which you can discover using a SCAN configuration, then you can IMPORT it so it becomes managed, thereby being subject to rotation.

Is this how you had started?

Maurice

Your scenario is how I would want to configure it. At the moment I assumed that when I imported the PAM_ADMIN account and used rotation, I would break the account link.

Right, the PAM_ADMIN account is stored in another fashion and cannot be listed in the account list that is MANAGED by the provider. You should remove it from the account list and define it on the provider.

For workstations joined to a domain, we would use a domain account as the PAM_ADMIN. We are working on improving that workflow in order to greatly reduce management time of domain joined servers.

Would you like a quick call with our support team to guide you through it? I do not know their availability, but it might act as a good primer.

Best regards.

Maurice

Oh, for context: we are talking about local Windows and NOT domain-joined computers.
At the moment everything is working. But I have the option to import the local PAM_ADMIN account just as any other account from that Windows machine.

I'll just try it tomorrow and let you know.