How to Easily Resynchronize Many Target Accounts

Document ID : KB000106061
Last Modified Date : 13/07/2018
Introduction:
To easily re-verify a number of Target Accounts on a target server, you need to create a controlling account that has the ability to change passwords for the other accounts, and a Target Group to be used in a Job. This article explains how to do this.
Instructions:
Configure a Target Account in PAM that has been configured on the Target Server with the ability to change the password for the other users on that Target Server. This account will be configured to change its own password. This account must then be configured as the account to be used to change the password. This allows passwords for the other accounts to be changed even if those accounts are unverified, as long as the controlling account is in a verified state.

Once the controlling account exists, set up the Target Group by going to Credentials --> Manage Targets --> Target Groups. When you click Add, the window that opens gives a number of options for selecting the accounts to be part of the group. For example, you can specify the Server, the Application Name, the Account Access Type, and several other options. Set these fields however you need to meet your needs.

Once the group is created, you may use it in a scheduled job by going to Credentials --> Manage Targets --> Scheduled Jobs. When you click Add, go to the Account Details tab and select the group you just created. For a job like this one, it would also be best to select Yes for Generate Password and No for Use Same Password For All. You also have the option to set the Job to Update All accounts in the group or only those that are not verified. You can also select only those that are verified, but that wouldn't work for this use case. When the job completes, you should see all the accounts in the group verified again. If any are not, check the Tomcat Log on the Config --> Diagnostic page, assuming the Tomcat Log Level is set to Info. If it is not, set it and rerun the job.

This should be enough to get you started.  If this is not enough please check the PAM Wiki:
Password Updating:  https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-credential-manager-targets/add-target-accounts-and-aliases
Add Credential Manager Dynamic and Static Target Groups:  https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/add-credential-manager-roles-and-groups/add-credential-manager-dynamic-and-static-target-groups
Schedule Target Account Activities:  https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-credential-manager-targets/schedule-target-account-activities

If you still need further assistance after following these steps, please open a case with CA Support.