How to utilize PAM's Windows Remote Target Connector to discover local Services and Scheduled Tasks

Document ID : KB000106123
Last Modified Date : 12/07/2018
Show Technical Document Details
Introduction:
The new Windows Remote Target Connector (supported since PAM 3.1) can be used as an alternative to the Windows Proxy. The Windows Remote Target Connector functions much like the Windows Proxy, but does not require installation (agent-less) on each target server.

I have created Target Account with Windows Remote Connector as the application type, the account belongs to local Administrators group and password can be verified, but Services or Scheduled Tasks tabs are empty. How should I configure so that I can discover local Services and Scheduled Tasks on target Windows server, so I can manage the account's password used by them?
 
Environment:
PAM 3.1 or later
Windows 2008, 2012, 2016 servers
Instructions:
To be able to discover local Services or Scheduled Tasks you have to use the first Windows Remote Account to do account discovery. Once you discovered new local accounts, manage them and local Services or Scheduled Tasks belong to the accounts will be appeared on the accounts' Services and Scheduled Tasks tab.

Follow the following steps.
1. On the target Windows Server, change logon account of the Service or create Scheduled Task for the account you want to manage.
    For example, I have seng user account and I change SNMP Trap service logon account to this account.
    Local Service
   
    This account has also a scheduled task, named MySengTask.
    Local Scheduled Task

2. Create Windows Remote Target Application and select both Discover Services and Discover Tasks boxed in Account Discovery tab.
   Windows Remote Target Application
   Windows Remote Target Application - Account Discovery
   In Windows Remote tab, you can either select Local Account or Domain Account. If you select Domain Account you need to fill in additional parameter related to the Domain.
   Windows Remote Target Application - Windows Remote

3. Create the first Windows Remote Account (which has enough privilege to discover local Services and Scheduled Tasks). Check the Discovery Allowed box in Password tab and make sure Password can be verified.
   1st Windows Remote Account
   1st Windows Remote Account - Password

4. Go to Credentials > Discovery and create Scan Profile and select the target Windows server.
   Account Discovery - Scan Profile

5. Run the Scan Profile and once completed, select Discovered Account tab
   Discovered Accounts

6. Select the account who owns the local Service and Scheduled Task and click Manage button. Select Update both the Password Authority Server and the target system and key in the correct password and click OK button. When "Do you want to manage this account?" prompt appear, click Yes.
   Manage Account

7. Now open the newly created Target Account and you will see you discovered local Service in Services tab and Scheduled Task in Scheduled Tasks tab.
   Discovered Service
   Discovered Scheduled Task
 
Additional Information:
Please refer Online Documentation about Windows Remote Target Connector for more details.