MIM PAM Powershell

  • Question

  • Hi Guys,

    I would like to use the command new-pamuser from a computer in the corp domain, but the client add-ins don't provide this command.

    Is there a way to do this remotely?

    Best regards,

    Yannick

    Tuesday, February 2, 2016 10:14 AM

All replies

  • Hi,

    I think it is possible to open a remote PS session to your PAMServer from the CORP computer, but I would not do/allow that for security reasons.

    One important thing of the PAM scenario is the separate PAM forest, which you would have more secure than the normal forest and restrict strongly who can access that forest and from where.

    So if you open remote PS management to the PAM Server, I suggest securing that by access policies and firewall rules so that only that user on that corp computer can do it.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, February 2, 2016 10:40 AM
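Peter's hardening advice above (restrict who may reach the PAM server remotely and from where), as an added example that is not from the thread and not Microsoft's own configuration: a JEA endpoint on the PAM server that exposes only New-PAMUser to one corp user, with WinRM accepted from one workstation only. It assumes PowerShell 5.0 or later on the PAM server, that the MIM PAM cmdlets live in the module MIMPAM, and uses PAMSERVER, CORP\yannick and 10.10.1.25 as placeholder names and address.

```powershell
# Added example, not from the thread. Placeholders: PAMSERVER, CORP\yannick, 10.10.1.25.
# Run on the PAM server as an administrator.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\PamJea'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'PamJea.psd1')

# Role capability: the session sees New-PAMUser and nothing else from MIMPAM
# (assumed module name; adjust to the module that ships New-PAMUser on your server).
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'PamUserCreator.psrc') `
    -ModulesToImport 'MIMPAM' `
    -VisibleCmdlets 'New-PAMUser'

# Session configuration: no interactive language, a virtual account instead of the
# caller's domain credential, transcripts of every call, and only one corp user mapped.
# The run-as identity still needs the rights New-PAMUser requires in the PAM service;
# use -GroupManagedServiceAccount instead of a virtual account if that fits better.
$pssc = 'C:\ProgramData\PamJea\PamAdmin.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\PamJea\Transcripts' `
    -RoleDefinitions @{ 'CORP\yannick' = @{ RoleCapabilities = 'PamUserCreator' } }
Register-PSSessionConfiguration -Name 'PamAdmin' -Path $pssc -Force

# Firewall: drop the broad built-in WinRM rules and accept HTTPS WinRM from one host only
# (an HTTPS listener with a server certificate must already exist on the PAM server).
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
New-NetFirewallRule -DisplayName 'WinRM HTTPS from corp admin workstation' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 -Profile Domain `
    -RemoteAddress '10.10.1.25' -Action Allow

# Client side, on the corp workstation: Get-Command inside the endpoint shows only
# New-PAMUser plus the JEA defaults, which is the whole point of the restriction.
# Invoke-Command -ComputerName PAMSERVER -UseSSL -ConfigurationName PamAdmin `
#     -ScriptBlock { Get-Command }
```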
  • I understand your opinion but in our case, we have to manage too many administrator accounts and I prefer to create and synchronize them in AD using the synchronization engine from the corp domain.

    Especially because we synchronize the end date from their normal account and also because I don't want to go back to a manual process.

    The last issue i have is the remote PS session which doesn't work.

    Best Regards

    Yannick

    Tuesday, February 2, 2016 12:35 PM
  • Understood, could be a challenge with lots of admins and adding/removing them from PAM.

    There is currently no OOB lifecycle for those PAM users.

    What about having a separate sync engine on the PAM server, which imports the accounts from corp AD and creates the needed PAM users by using the PowerShell MA?

    Since you already have an SQL and a Server for PAM, installing Sync Engine does not require a license; it's much safer since you can restrict access to that SyncEngine and you pull data from corp and not push it.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, February 2, 2016 12:47 PM
  • In fact, we are already managing administration profiles in the "corp" domain. Dynamic Security groups are populated with these profiles.

    I don't want to create admin accounts in the corp domain anymore.

    If we sync from AD, it means we have to manage 2 accounts per admin and we must sync an attribute to automate the candidates for the PAM profiles.

    I think it's more comfortable and secure to do this directly from FIM in "corp" with only one account.

    Anyway, thank you for your very constructive remarks.

    Best Regards,

    Yannick

    Tuesday, February 2, 2016 3:41 PM