Adding Direct RDP resource pool

We are moving our PAM 4.2 environment from Command Control rules to Access Control. How do I create a resource pool for Direct RDP sessions? When I create a new resource pool, I select "Windows Agents" as the type and then add the host to the list of resources. However, the drop-down for "Default Credential" is empty. In Credential Vault, for this host, we have one credential for the local Administrator.

Top Replies

  • Verified Answer

    Hi,

    The Windows Agent should be linked with a Resource in Credential Vault, so that the Credentials under that Resource are used for that Agent.

    Please refer to this section in the documentation - https://www.netiq.com/documentation/privileged-account-manager-42/npam_admin/data/t4dyttmbta63.html#t4e6sop0sk94


    Default Credential

    A credential with least privileges should be selected as a Default Credential for each resource added in a Resource Pool. This would help organizations in implementing the least privilege model as per the security recommendations and also minimize the effort required to select a Credential while creating the access permissions.

    Windows Agents

    To create permissions in Access Control, each Windows Agent must be linked with a Credential Vault Resource, where the Credentials are stored for single sign-on purposes for the respective Agents. To link a Windows Agent with a Credential Vault, follow the procedure:

    1. Go to Hosts and select the Windows Agent.

    2. Click Modify Host and select a value for the Vault.

    3. Click Finish.

      You can link the following two types of Windows Agents:

      • Active Directory type Credential Vaults can be used for linking, if the Windows Agent is connected to an Active Directory Domain and to reference only Active Directory accounts in the Agent.

      • Windows Hosts type Credential Vaults can be used for linking, if the Windows Agent is a stand-alone Windows Host or a Windows Agent which is part of a Domain but also has Local Accounts. To reference both the Local Accounts and Active Directory accounts in the Agent, the Windows Host type vault in Credential Vault should be linked to an Active Directory domain.


    Thanks,

    Rajesh Nagella

  • Thank you. This worked. Is there a way to automate adding the host to a Vault entry when the agent is installed on the host? I don't see an option in "regclnt register" in the Admin documentation and I've looked through the REST API and all I see is /registry/HostStatus which is a GET, not PUT/POST.