
If a domain-managed system is onboarded in PAM and the local accounts are mapped to that domain-managed system, which functional account will be used: the domain or the local functional account? Does it need any additional permission on the managed system?

The functional account used to change local accounts will be the one specified on the managed system.

Even if the functional account is an AD account, it will be able to change the local password.

The functional account is set either manually or via Smart Rule.

The functional account must have the local right to change a password, so it must either be in the local Administrators group or have the user right assigned via GPO, etc.

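The two local prerequisites mentioned in the answer above (membership in the local Administrators group, or an equivalent right) can be checked on the managed host itself. The script below is an added example, not BeyondTrust code or anything from the linked KB articles; the account names (`CORP\svc-pbps-fa`, `localfa`) are illustrative. It also reads `LocalAccountTokenFilterPolicy`, the registry value behind the remote UAC token filtering that Gloria's later reply in this thread names as a cause of Access Denied for local administrator accounts, since that only matters when the functional account is a local rather than a domain account.

```powershell
# Added example, not BeyondTrust code. Run on the managed Windows host to see
# whether a functional account (FA) can actually change local passwords over the
# network: is it in local Administrators, and if it is a *local* account, does
# remote UAC token filtering strip its admin token? Account names are assumed.
function Test-LocalFunctionalAccountRights {
    param(
        # 'CORP\svc-pbps-fa' (domain FA) or 'localfa' / 'HOST\localfa' (local FA)
        [Parameter(Mandatory)][string] $FunctionalAccount
    )
    # Normalise a bare local name to HOST\name, which is how Get-LocalGroupMember reports it.
    $name = if ($FunctionalAccount.Contains('\')) { $FunctionalAccount } else { "$env:COMPUTERNAME\$FunctionalAccount" }
    $isLocal = $name.Split('\')[0] -ieq $env:COMPUTERNAME

    $results = [ordered]@{}

    # 1. Local Administrators membership. Only direct members are listed, so a FA
    #    that arrives through a nested domain group shows up as 'REVIEW', not 'FAIL'.
    $members = Get-LocalGroupMember -Group 'Administrators'
    if ($members | Where-Object { $_.Name -ieq $name }) {
        $results['LocalAdmin'] = 'OK: direct member of Administrators'
    } else {
        $groups = ($members | Where-Object { $_.ObjectClass -eq 'Group' }).Name -join ', '
        $results['LocalAdmin'] = "REVIEW: not a direct member; check nested groups: $groups"
    }

    # 2. Remote UAC token filtering applies only to local accounts (the built-in
    #    Administrator is exempt by default). With the value unset or 0, a local
    #    admin FA authenticating over the network receives a filtered (non-admin)
    #    token and the password change fails with Access Denied.
    if ($isLocal) {
        $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $policy  = (Get-ItemProperty -Path $regPath -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
        $results['TokenFilter'] = if ($policy -eq 1) {
            'OK: LocalAccountTokenFilterPolicy = 1'
        } else {
            'FAIL: LocalAccountTokenFilterPolicy unset/0; a local admin FA is token-filtered over the network'
        }
    } else {
        $results['TokenFilter'] = 'N/A: domain account, not subject to token filtering'
    }

    [pscustomobject]$results
}

# Usage (assumed names):
# Test-LocalFunctionalAccountRights -FunctionalAccount 'CORP\svc-pbps-fa'
# Test-LocalFunctionalAccountRights -FunctionalAccount 'localfa'
#
# Remediation for the FAIL case, only if your hardening policy permits it:
# New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#     -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
```

The check deliberately reports nested-group membership as something to review rather than as a failure, because `Get-LocalGroupMember` does not expand domain groups; a user right granted through GPO (rather than Administrators membership) is also outside what this script sees and has to be confirmed in the effective security policy.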

Hello @Gayatri B

Please take a look at this article: KB0016828 | Password Safe Functional Account Recommended Permissions

The article provides the recommended permissions for any functional accounts that we have guidance on. If the article doesn’t answer your questions, please let us know and we can continue working with you.

Best,


@CalebG Thanks! It is helpful.


Hi @CalebG

If I am using a domain functional account to manage the local account on a managed system/server, does the domain functional account require any specific permission on the server to manage the local account?


Hello @Gayatri B,

It would need to have the permissions locally to manage that account (so it would need to be a local admin, I believe, or at least have the minimum permissions needed to accomplish what you want).


Hi @CalebG,

As per the KB articles KB0020472 and KB0016828, the permissions below are required for the domain functional account. Could you please help us elaborate on these permissions: why each of them is required, and for what purpose?

  1. Reset Password
  2. Read and write account restrictions
  3. Read lockoutTime
  4. Write lockoutTime
  5. Change Password
  6. Read userAccountControl and Write userAccountControl

Thanks in advance!


Read userAccountControl and Write userAccountControl are only needed if you are using disabled-at-rest managed accounts. The FA needs these permissions to disable and enable the account in AD.

The FA is used to log in and change the password of the managed account; that is why the Change Password permission is needed.

The read/write lockoutTime permission is needed to see whether the account is locked out and to reset the password.

 

Here are a few resources for you that may help:

How to delegate and validate permissions in Active Directory for the Functional Account: KB0020472

If you are receiving Access Denied for local Windows account password changes, refer to this article:

Access Denied is due to token filtering preventing remote login with local administrator accounts. Please review KB0016964.

Explanation of automatic password change and account settings options: KB0019450.

This article describes the key differences that set local functional account (FA) behavior apart from directory functional accounts (which are much simpler, as they operate from a single credential set): KB0018084.

Hope this information helps.

Gloria
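
The delegated Active Directory rights discussed above (Reset Password, Change Password, Account Restrictions, lockoutTime and userAccountControl) can be verified against a managed account's ACL instead of being assumed. The script below is an added example and is not BeyondTrust code nor the validation procedure from KB0020472; the functional account `CORP\svc-pbps-fa` and managed account `svc-app01` are assumed names. It resolves the attribute and control-access-right GUIDs from the forest schema and configuration partitions rather than hard-coding them, then looks for Allow ACEs naming the FA or one of its direct groups.

```powershell
# Added example, not BeyondTrust code: validate that a domain functional account (FA)
# holds the delegated rights listed in this thread on a managed AD user object.
# Assumed names (illustrative): FA 'CORP\svc-pbps-fa', managed account 'svc-app01'.
# Requires the RSAT ActiveDirectory module (which provides the AD: drive) and
# read access to the target object's security descriptor.
Import-Module ActiveDirectory

function Get-AdSchemaGuid {
    # Resolve an attribute's schemaIDGUID from the schema instead of hard-coding it.
    param([Parameter(Mandatory)][string] $LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]] $attr.schemaIDGUID)
}

function Get-AdExtendedRightGuid {
    # Resolve a control access right or property set (e.g. 'Reset Password',
    # 'Account Restrictions') by its displayName under CN=Extended-Rights.
    param([Parameter(Mandatory)][string] $DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid] $right.rightsGuid
}

function Test-FunctionalAccountDelegation {
    param(
        [Parameter(Mandatory)][string] $FunctionalAccount,   # DOMAIN\sAMAccountName
        [Parameter(Mandatory)][string] $ManagedAccount       # sAMAccountName of the managed user
    )
    $ADR    = [System.DirectoryServices.ActiveDirectoryRights]
    $target = Get-ADUser -Identity $ManagedAccount
    $acl    = Get-Acl -Path "AD:\$($target.DistinguishedName)"

    # The FA may hold rights directly or through a group, so collect every identity
    # an ACE could name. Only first-level groups are expanded and Deny ACEs are not
    # evaluated, so treat MISSING as "confirm manually", not as proof of absence.
    $sam     = $FunctionalAccount.Split('\')[-1]
    $netbios = (Get-ADDomain).NetBIOSName
    $ids = @("$netbios\$sam") + (Get-ADPrincipalGroupMembership -Identity $sam | ForEach-Object { "$netbios\$($_.SamAccountName)" })

    # The rights the thread lists, as (ACE right flag, object GUID) pairs.
    $required = @(
        @{ Name = 'Reset Password';             Right = $ADR::ExtendedRight; Guid = Get-AdExtendedRightGuid 'Reset Password' }
        @{ Name = 'Change Password';            Right = $ADR::ExtendedRight; Guid = Get-AdExtendedRightGuid 'Change Password' }
        @{ Name = 'Read Account Restrictions';  Right = $ADR::ReadProperty;  Guid = Get-AdExtendedRightGuid 'Account Restrictions' }
        @{ Name = 'Write Account Restrictions'; Right = $ADR::WriteProperty; Guid = Get-AdExtendedRightGuid 'Account Restrictions' }
        @{ Name = 'Read lockoutTime';           Right = $ADR::ReadProperty;  Guid = Get-AdSchemaGuid 'lockoutTime' }
        @{ Name = 'Write lockoutTime';          Right = $ADR::WriteProperty; Guid = Get-AdSchemaGuid 'lockoutTime' }
        @{ Name = 'Read userAccountControl';    Right = $ADR::ReadProperty;  Guid = Get-AdSchemaGuid 'userAccountControl' }
        @{ Name = 'Write userAccountControl';   Right = $ADR::WriteProperty; Guid = Get-AdSchemaGuid 'userAccountControl' }
    )

    $allowed = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $ids -contains $_.IdentityReference.Value }

    foreach ($req in $required) {
        # An ACE satisfies a requirement if it carries the right flag (GenericAll
        # implies every flag) and is either scoped to our GUID or unscoped
        # (ObjectType = empty GUID, i.e. all properties / all extended rights).
        $hit = $allowed | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($req.Right) -and
            ($_.ObjectType -eq $req.Guid -or $_.ObjectType -eq [guid]::Empty)
        }
        $status = if ($hit) { 'OK' } else { 'MISSING' }
        [pscustomobject]@{
            Permission = $req.Name
            Status     = $status
            GrantedVia = ($hit | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
        }
    }
}

# Usage (assumed names):
# Test-FunctionalAccountDelegation -FunctionalAccount 'CORP\svc-pbps-fa' -ManagedAccount 'svc-app01' | Format-Table -AutoSize
```

One limitation worth knowing before trusting a MISSING result: the script matches an attribute only against its own schema GUID or an unscoped ACE, so a read/write grant that reaches the attribute through a property set it belongs to is not credited. The reverse is also true: a grant on the "Account Restrictions" set is reported for that row only, and an explicit Deny ACE higher in the inheritance chain would override an OK shown here.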


Thank you @GloriaB! It is really helpful for a better understanding.

