We can summarize the end user interaction in four steps, as follows:
If the PAM component removes group membership in the management domain, what does the PAM monitor service provide? The PAM monitor watches the account state as well as five Active Directory attributes. For the state, the PAM monitor checks whether the account is disabled, locked, or deleted and synchronizes these states with the corresponding PRIV accounts:

- The ACCOUNTDISABLE flag of userAccountControl, which specifies whether the account is enabled or disabled
- The LOCK_OUT flag of ms-DS-User-Account-Control-Computed, which specifies whether the account is locked out

The PAM monitor additionally synchronizes the sAMAccountName, domain, phoneNumber, and mail attributes.
If TFC\JIngalls has a PAM user account named PRIV\Priv.JIngalls, then when the TFC\JIngalls Active Directory account is disabled, the PAM monitor service account will disable PRIV\Priv.JIngalls. The same applies when the TFC account is locked out or when one of the attributes listed above changes. Further, if the TFC\JIngalls account is deleted, PRIV\Priv.JIngalls will be deleted.
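The following is an added example, not code from the book or from MIM itself: a read-only PowerShell drift check that looks at the same things the PAM monitor synchronizes (the ACCOUNTDISABLE bit of userAccountControl, the LOCK_OUT bit of msDS-User-Account-Control-Computed, deletion, and the mail and phone attributes) for a corporate account and its PRIV counterpart. It assumes the RSAT ActiveDirectory module, read access to both forests, that telephoneNumber is the LDAP attribute behind the book's "phoneNumber", and the server and account names used are placeholders.

```powershell
# Added example (not from the book or MIM): read-only comparison of a corporate
# account with its PRIV shadow account, covering the state and attributes the PAM
# monitor service keeps in sync. Assumes the RSAT ActiveDirectory module and read
# access to both forests; all names below are placeholders.
Import-Module ActiveDirectory

# Well-known bit values of userAccountControl and msDS-User-Account-Control-Computed
$ACCOUNTDISABLE = 0x0002   # the book's ACCOUNTDISABLE flag
$LOCKOUT        = 0x0010   # the book's LOCK_OUT flag

function Get-PamMonitoredState {
    # Returns the subset of account state the PAM monitor watches, or Exists=$false
    # when the account cannot be found (the "deleted" case).
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Server
    )
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $Server -ErrorAction Stop `
             -Properties userAccountControl, 'msDS-User-Account-Control-Computed', mail, telephoneNumber
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]@{ Exists = $false }
    }
    [pscustomobject]@{
        Exists    = $true
        Disabled  = [bool]($u.userAccountControl -band $ACCOUNTDISABLE)
        LockedOut = [bool]($u.'msDS-User-Account-Control-Computed' -band $LOCKOUT)
        Mail      = $u.mail
        # Assumption: telephoneNumber is the attribute the book calls phoneNumber
        Phone     = $u.telephoneNumber
    }
}

function Compare-PamShadowAccount {
    # Reports every difference the PAM monitor would be expected to reconcile
    # between a corporate (TFC) account and its PRIV counterpart. Changes nothing.
    param(
        [Parameter(Mandatory)] [string] $CorpSam,
        [Parameter(Mandatory)] [string] $CorpServer,
        [Parameter(Mandatory)] [string] $PrivSam,
        [Parameter(Mandatory)] [string] $PrivServer
    )
    $corp = Get-PamMonitoredState -SamAccountName $CorpSam -Server $CorpServer
    $priv = Get-PamMonitoredState -SamAccountName $PrivSam -Server $PrivServer

    if (-not $corp.Exists) {
        if ($priv.Exists) { return @('Corporate account deleted but PRIV account still exists') }
        return @()
    }
    if (-not $priv.Exists) { return @('PRIV account missing for an existing corporate account') }

    $drift = @()
    foreach ($p in 'Disabled', 'LockedOut', 'Mail', 'Phone') {
        if ($corp.$p -ne $priv.$p) {
            $drift += ('{0}: corporate={1} priv={2}' -f $p, $corp.$p, $priv.$p)
        }
    }
    return $drift
}

# Usage with placeholder names; an empty result means the accounts are in sync.
Compare-PamShadowAccount -CorpSam 'JIngalls' -CorpServer 'dc01.tfc.example' `
                         -PrivSam 'Priv.JIngalls' -PrivServer 'dc01.priv.example'
```

Running this on a schedule and alerting on any non-empty result is a cheap way to notice when the PAM monitor service has stopped or fallen behind, since a disabled or deleted corporate account whose PRIV counterpart is still enabled is exactly the condition it exists to prevent.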
The expiration of the access elevation does not use temporal resources the way the MIM portal does. For Windows Server 2012 R2 deployments, PAM request expiration is handled by a new component called the PAM component service; Windows Server 2016 has built-in mechanisms to handle request expiration. In our example, we will use PowerShell to do this, although a custom client could also be used to handle PAM requests and approvals. Also note that the PAM clients and the PAM REST API talk directly to the MIM service. The PAM clients can be in the privileged forest or in the corporate forest(s), as long as they can communicate with the MIM service (ports 5725 and 5726), which exists in the privileged forest.