CA Privileged Access Manager - 3.1.1

Windows Remote Target Connector

Last update April 23, 2018

Use the Windows Remote Target Connector to manage local Windows accounts, and the passwords for local Windows services and scheduled tasks. To manage Active Directory accounts, we recommend using the Active Directory Connector. The Windows Remote Target Connector is an alternative to the Windows Proxy, but does not require installation on each target server.  

Note: The Windows Remote connector might incur extra overhead during discovery and password changes for services and scheduled tasks.

This connector uses Samba commands and remote Windows API calls to make updates to the account, services, and scheduled tasks passwords. 

Note: If the guest account in the domain or on the target server is enabled, the Windows Remote connector can appear to verify the password of the target account though the account does not exist on the target server. Disable the guest account in the domain or on the target server to avoid this false password verification.

Ports

The Windows Remote Connector requires these ports to be open in the firewall:

  • SMB: port 445
  • WMI: port 135 plus the dynamic RPC port range 49152 through 65535 (or 1024 through 4999 on older Windows versions)

User Account Control

If User Account Control (UAC) is enabled and the Windows Remote administrator is a local (rather than domain) administrator on the target server, set the following registry value on the target server. Without it, UAC filters the administrator token of remotely connecting local accounts, and the Windows Remote connector cannot perform SMB and WMI operations there.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001

Group or Local Policy Network Security

The default values for the Network Security settings on Windows systems allow Windows Remote to function. However, if certain settings are too restrictive, Windows Remote password management fails. To ensure that Windows Remote works, verify these settings under Group or Local Policy Security Options:

  • Network security: Restrict NTLM: Incoming NTLM traffic
    Allow all, or Not Defined
  • Network security: Restrict NTLM: NTLM authentication in this domain
    Disable, Not Defined, or Deny for domain accounts
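The following PowerShell script is an added example, not CA's code, that checks on the target server the prerequisites from the Ports, User Account Control and Network Security sections and the guest-account note above. The MSV1_0 registry values that back the two Restrict NTLM policies, and the administrator account name, are assumptions to confirm in your environment.

```powershell
# Added example, not part of CA PAM: run elevated on the target server to check the
# prerequisites listed on this page before adding it as a Windows Remote target.
# Assumption: the two "Restrict NTLM" policies are backed by the MSV1_0 registry values
# named below, where 0 (or absent) means Allow all / Disable and 3 means Deny for domain accounts.
$findings = @()

# Guest account disabled (avoids the false password verification noted above); matched by RID 501
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { $findings += 'Local Guest account is enabled' }

# UAC: a local admin needs LocalAccountTokenFilterPolicy=1 for remote SMB and WMI
$system = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($system.EnableLUA -eq 1 -and $system.LocalAccountTokenFilterPolicy -ne 1) {
    $findings += 'UAC is enabled but LocalAccountTokenFilterPolicy is not 1'
}

# Restrict NTLM settings (a missing value is "Not Defined", which the page allows)
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if ($null -ne $msv.RestrictReceivingNTLMTraffic -and $msv.RestrictReceivingNTLMTraffic -ne 0) {
    $findings += "Incoming NTLM traffic is restricted (value $($msv.RestrictReceivingNTLMTraffic))"
}
if ($null -ne $msv.RestrictNTLMInDomain -and $msv.RestrictNTLMInDomain -notin 0, 3) {
    $findings += "NTLM authentication in this domain is restricted (value $($msv.RestrictNTLMInDomain))"
}

# SMB (445) and the RPC endpoint mapper (135) must be listening; the dynamic RPC range is not checked here
foreach ($port in 445, 135) {
    if (-not (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)) {
        $findings += "Nothing is listening on TCP port $port"
    }
}

# The Windows Remote administrator must be in the local Administrators group (placeholder name)
$pamAdmin = 'EXAMPLEDOMAIN\pamadmin'
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains $pamAdmin) { $findings += "$pamAdmin is not a member of local Administrators" }

if ($findings.Count -eq 0) { 'All Windows Remote prerequisites are satisfied' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```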

Local System Context

The Windows Remote Connector can be run in the context of local system. This scenario allows successful updates to the local accounts, services, and scheduled tasks.

To enable management of local Windows accounts and the passwords on Windows services and scheduled tasks, the Windows Remote Administrator account that is added in CA Privileged Access Manager must be a member of the Local Administrator group on the server hosting the Target Account being managed.

For information about setting up Windows Remote Connector using the UI, see Configure Windows Remote Target Accounts.

The CLI parameters are described in the following sections.

Windows Remote Add Target Application CLI Parameters

Use the following additional parameters when using the CLI to add a target application that uses the Windows Remote target connector.

Attribute.extensionType

Specify the extension type to use.

  Required: yes
  Default Value: N/A
  Valid Values: windowsRemoteAgent

Attribute.accountType

The type of account being managed.

  Required: yes
  Default Value: domain
  Valid Values: domain, local

Attribute.domainName

The Windows domain for the managed accounts.

  Required: yes, if Attribute.accountType is set to domain (the default)
  Default Value: none
  Valid Values: Domain name (a text string)

Attribute.domain

The Windows domain for the managed accounts. This attribute exists only for backwards compatibility. We recommend using Attribute.domainName instead.

  Required: yes, if Attribute.accountType is set to domain (the default)
  Default Value: none
  Valid Values: Domain name (a text string)

Attribute.useDNS

Determine the level to which DNS is used.

  Required: yes, if Attribute.accountType is set to domain (the default)
  Default Value: none
  Valid Values: one of the following:
    • noDNS: DNS is not used
    • retrieveDNS: Retrieve the DNS server that is used by the Credential Manager server
    • specifiedDNS: Use the DNS server that is specified by the dnsServer attribute

Attribute.dnsServer

The host names of the DNS servers to use.

  Required: yes, if Attribute.useDNS is set to specifiedDNS
  Default Value: none
  Valid Values: Comma-separated list of DNS server host names

Attribute.specifiedServersList

Provide a comma separated list of domain controllers.

  Required: yes, if Attribute.useDNS is set to specifiedServers
  Default Value: none
  Valid Values: Comma-separated list of valid domain controllers

Attribute.adSite

The Active Directory site. This parameter is only used if Attribute.useDNS is set to retrieveDNS or specifiedDNS. If a value is given, Credential Manager uses the value to narrow the search for domain controllers, using the specified name.

  Required: no
  Default Value: none
  Valid Values: String

Windows Remote Add Target Account CLI Parameters

Use the following parameters when using the CLI to add a target account that uses the Windows Remote target connector.

Attribute.extensionType

Specify the extension type to use.

  Required: yes
  Default Value: N/A
  Valid Values: windowsRemoteAgent

Attribute.accountType

Specify the type of account to use.

  Required: yes
  Default Value: user
  Valid Values: user, admin

Attribute.useOtherAccountToChangePassword

Specify whether to use the target account or a different account to perform password change requests.

  Required: yes
  Default Value: N/A
  Valid Values: true, false

Attribute.otherAccount

Specify which other account to use to perform password change requests.

  Required: yes, if Attribute.useOtherAccountToChangePassword is true
  Default Value: N/A
  Valid Values: String; a valid target account ID

Attribute.serviceInfo

List of services.

  Required: no
  Default Value: N/A
  Valid Values:
    <empty string>: no services
    Otherwise, add an entry of the following form for each service:
      <hostname>:<servicename>:restart
    or
      <hostname>:<servicename>:norestart
    where <hostname> is the name of the server where the service is hosted. Multiple services are delimited by the | character.

Attribute.tasks

List of scheduled tasks.

  Required: no
  Default Value: none
  Valid Values:
    <empty string>: no tasks
    Otherwise, add an entry of the following form for each task:
      <hostname>:<taskname>
    where <hostname> is the name of the server where the scheduled task is hosted. Multiple tasks are delimited by the | character.
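As an added example that is not CA PAM code, the following PowerShell functions build and validate the Attribute.serviceInfo and Attribute.tasks values described in the two sections above; the host, service and task names used at the end are constructed sample values.

```powershell
# Added example (not CA PAM code): build and validate Attribute.serviceInfo / Attribute.tasks values.
function ConvertTo-WindowsRemoteList {
    # 'Service' entries are @{ Host; Name; Restart } and become host:service:restart|norestart;
    # 'Task' entries are @{ Host; Name } and become host:task. Entries are joined with '|'.
    param(
        [Parameter(Mandatory)][ValidateSet('Service', 'Task')][string]$Kind,
        [hashtable[]]$Entries = @()
    )
    $items = foreach ($e in $Entries) {
        foreach ($field in 'Host', 'Name') {
            # ':' and '|' are the list delimiters, so a name containing them would corrupt the value
            if ([string]::IsNullOrWhiteSpace($e[$field]) -or $e[$field] -match '[:|]') {
                throw "Invalid $field '$($e[$field])': must be non-empty and contain neither ':' nor '|'"
            }
        }
        if ($Kind -eq 'Service') {
            $flag = if ($e.Restart) { 'restart' } else { 'norestart' }
            '{0}:{1}:{2}' -f $e.Host, $e.Name, $flag
        } else {
            '{0}:{1}' -f $e.Host, $e.Name
        }
    }
    # No entries yields <empty string>, which the connector reads as "no services" / "no tasks"
    @($items) -join '|'
}

function Test-WindowsRemoteList {
    # Returns $true when $Value is a well-formed serviceInfo (Service) or tasks (Task) value
    param(
        [Parameter(Mandatory)][ValidateSet('Service', 'Task')][string]$Kind,
        [AllowEmptyString()][string]$Value
    )
    if ($Value -eq '') { return $true }
    $expected = if ($Kind -eq 'Service') { 3 } else { 2 }
    foreach ($entry in $Value -split '\|') {
        $parts = $entry -split ':'
        if ($parts.Count -ne $expected -or $parts[0] -eq '' -or $parts[1] -eq '') { return $false }
        if ($Kind -eq 'Service' -and $parts[2] -notin 'restart', 'norestart') { return $false }
    }
    return $true
}

# Constructed sample values matching the CLI example on this page
$serviceInfo = ConvertTo-WindowsRemoteList -Kind Service -Entries @(
    @{ Host = 'HostA'; Name = 'serviceName'; Restart = $true },
    @{ Host = 'HostB'; Name = 'ServiceName'; Restart = $false }
)
$tasks = ConvertTo-WindowsRemoteList -Kind Task -Entries @(
    @{ Host = 'HostA'; Name = 'taskName' }, @{ Host = 'HostB'; Name = 'taskName' }
)
"Attribute.serviceInfo=$serviceInfo"
"Attribute.tasks=$tasks"
Test-WindowsRemoteList -Kind Service -Value $serviceInfo   # well-formed
Test-WindowsRemoteList -Kind Service -Value 'HostA:svc'     # missing restart flag
```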

Attribute.forcePasswordChange

This parameter specifies whether Credential Manager updates passwords that fail verification during an initial synchronization. The default value is false. To update passwords that fail initial synchronization, set the attribute value to true.

  Required: no
  Default Value: false
  Valid Values: true, false

Windows Remote CLI Example

Add the target application:

  cmdName=addTargetApplication TargetServer.hostName=myhostname.mydomain.com
  TargetApplication.name=myWindowsRemote TargetApplication.type=windowsRemoteAgent
  Attribute.extensionType=windowsRemoteAgent Attribute.accountType=domain Attribute.domainName=testDomain

Add the target account:

  cmdName=addTargetAccount TargetServer.hostName=myhostname.mydomain.com TargetApplication.name=myWindowsRemote
  TargetAccount.userName=admin TargetAccount.password=P@ssw0rd TargetAccount.privileged=true
  Attribute.extensionType=windowsRemoteAgent Attribute.accountType=admin
  Attribute.useOtherAccountToChangePassword=false Attribute.forcePasswordChange=false
  Attribute.serviceInfo=HostA:serviceName:restart|HostB:ServiceName:norestart
  Attribute.tasks=HostA:taskName|HostB:taskName
