Configure Windows Remote Target Accounts

This section describes the configuration steps for Windows Remote target accounts.
Prerequisites for Windows Remote Target Accounts
To configure Windows Remote target accounts, including Windows services, ensure that the following tasks are completed:
  • Add a device (target server) with Password Management as the device type.
    If you are adding an AWS Windows device, use the private IP address in the Address field of the account. Some features do not function properly when you use the public IP address.
  • Add a target application for the target server. This step includes associating Windows Remote with the host on which the Windows account resides. See Add a Windows Remote Target Connector.
  • If the Windows Remote target account is of Administrator account type, the account requires Administrator rights on the Windows server.
    If your target account is to be used as a service account (that is, it is to be used to rotate passwords of other target accounts), we recommend that you prevent this account from being able to log in interactively. To do this, assign the following User Rights to the Windows account:
    • Deny log on locally
    • Deny log on through Remote Desktop Services
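
One way to confirm that both deny rights are actually assigned to the service account on the target server. This is an added example, not part of the product documentation; the account name svc-pam-rotate and the function name Get-DenyLogonStatus are hypothetical. Run it in an elevated PowerShell session on the Windows server.

```powershell
# Added example: check the two deny-logon user rights for a local account.
# Only direct assignments are detected; a right granted through a group the
# account belongs to is not resolved here.
function Get-DenyLogonStatus {
    param([Parameter(Mandatory)][string]$Account)

    # secedit lists principals as *SID, or as a bare name if the SID was not
    # resolvable at export time. Translate() throws if the account does not exist.
    $nt  = [System.Security.Principal.NTAccount]::new($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights area of the local security database.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $lines = Get-Content -Path $cfg
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    $rights = [ordered]@{
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }
    foreach ($right in $rights.Keys) {
        $members = @()
        $pattern = '^' + $right + '\s*=\s*(.*)$'
        foreach ($line in $lines) {
            if ($line -match $pattern) {
                $members = @($Matches[1].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        [pscustomobject]@{
            UserRight = $rights[$right]
            Constant  = $right
            Assigned  = ($members -contains $sid) -or ($members -contains $Account)
        }
    }
}

# Hypothetical account name; replace with the service account you configured.
Get-DenyLogonStatus -Account 'svc-pam-rotate' | Format-Table -AutoSize
```

Both rows should show Assigned as True before the account is used to rotate passwords of other target accounts.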
To add a Windows Remote Target account using the CLI, see Windows Remote Target Connector CLI Configuration.
Create a Windows Remote Target Account
Follow these steps:
  1. Select Credentials, Manage Targets, Accounts. The Target Account page appears with a list of existing accounts.
  2. Select Add. The Add Target Account page appears.
  3. Select the Host Name magnifying glass to find an existing target server, filling the Host Name and Device Name.
  4. Select the Application Name magnifying glass to find an existing target application on the target server, or select + to create a target application. Select or create a Windows Remote type of target application.
    The Windows Remote appears on the Add Target Account page.
  5. Enter the Account Name. The account name must be unique for a given target application and must be the account name that the target system uses.
  6. Select the Password View Policy for the account.
  7. Enter an initial account Password or select the Generate Credential key icon to generate a default password.
  8. On the Password tab, select Discovery Allowed to discover accounts on the Windows remote system. Select the appropriate synchronization option:
    • Update only the Credential Manager Server: Passwords are updated only in Credential Manager. Credential Manager and target system passwords can differ.
    • Update both the Credential Manager Server and the target system: Password updates are performed both in Credential Manager and on the target system to maintain consistency.
  9. On the Windows Remote tab, select the Account Type:
    • User: If you select a regular User account, select "Use the following account to change password" for the Change Process.
    • Administrator: If you select Administrator, use either Change Process option.
  10. If you select the magnifying glass next to "Use the following account to change password" for the Change Process, a Target Account dialog appears. Select an account that is of Administrator account type from the same Windows Remote application.
  11. (Optional) If you are adding or updating an account and you do not know the existing password, select the Force password change checkbox. The existing password gets changed, even though the account is not in sync.
  12. Select OK to save.
    Your new Windows target account is added to the list of accounts on the Target Accounts page.
Discover Windows Services and Scheduled Tasks
You can use account discovery to manage credentials of multiple Windows services and scheduled tasks.
PAM can use the target account to manage changes and updates for any services and scheduled tasks that use this account. You do not have to update the password on an individual service or scheduled task basis.
This procedure is for local Windows accounts. To discover services and scheduled tasks for Active Directory accounts, see Discover Services and Scheduled Tasks for AD Accounts.
Prerequisite
Before you run account discovery, go to the Account Discovery tab of the Windows Remote Target application. Select the discover option for services or tasks. You can select both.
Discover Services and Tasks
To discover new tasks and services on Windows remote accounts, follow these steps:
  1. Select Credentials, Discovery.
  2. On the Scan Profiles tab, select Run for the profile of the account you want to update.
    If a profile does not exist, follow these steps:
    1. Select Add.
    2. Give the profile a Name.
    3. On the Servers tab, select the Server that is associated with the remote account.
    4. Select Run.
  3. Select the Discovered Accounts tab.
    Windows Remote accounts that have updates available display a green checkbox under the Updates Available column.
  4. Select the Update button for the Windows Remote account with updates available.
    The Update Discovered Accounts window appears. Available Services and Scheduled Tasks appear on their respective tabs.
  5. Select OK.
  6. Select Yes when you are prompted to Update Selected Accounts.
  7. To see a list of services and scheduled tasks:
    1. Select Credentials, Manage Targets, Accounts.
    2. Select the Services and Scheduled Tasks tabs to display the list of accounts.
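
To cross-check what discovery reports against the server itself, the following added example (not part of the product documentation) lists the services and scheduled tasks that are configured to run as a given local account. The account name svc-app01 and the function name Get-AccountDependents are hypothetical. Run it in an elevated PowerShell session on the Windows server.

```powershell
# Added example: list services and scheduled tasks that run as a local account,
# for comparison with the Services and Scheduled Tasks tabs of the target account.
function Get-AccountDependents {
    param([Parameter(Mandatory)][string]$Account)   # local account name, no prefix

    # Forms a local account name can take in service and task configuration.
    $names = @($Account, ".\$Account", "$env:COMPUTERNAME\$Account")

    # Services: StartName holds the logon account of the service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $names -contains $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{
                Kind      = 'Service'
                Name      = $_.Name
                RunAs     = $_.StartName
                LogonType = $null            # not applicable to services
                State     = $_.State
            }
        }

    # Scheduled tasks: Principal.UserId holds the run-as account. LogonType
    # shows how the task authenticates (for example Password or S4U).
    Get-ScheduledTask |
        Where-Object { $names -contains $_.Principal.UserId } |
        ForEach-Object {
            [pscustomobject]@{
                Kind      = 'ScheduledTask'
                Name      = $_.TaskPath + $_.TaskName
                RunAs     = $_.Principal.UserId
                LogonType = $_.Principal.LogonType
                State     = $_.State
            }
        }
}

# Hypothetical account name; replace with the managed local account.
Get-AccountDependents -Account 'svc-app01' |
    Sort-Object Kind, Name |
    Format-Table -AutoSize
```

An entry that appears here but not on the account's Services or Scheduled Tasks tab would keep the old password after a rotation, so resolve any difference before relying on automatic updates.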
To remove tasks and services from a Windows Remote Target Account, follow these steps:
  1. Select Credentials, Manage Targets, Accounts.
  2. Select the account that you want to modify.
  3. Select Update.
  4. Select the Services or Scheduled Tasks tab.
  5. To delete a service or task, select the X next to the entry.