Add and manage strong accounts

Each time an end user signs in to a Microsoft Windows machine in a protected domain, DPA creates an ephemeral user that is a privileged user on the target machine. This privileged user is created via a domain user, called a strong account, which is a member of the local administrators group on all the target machines.

Define this strong account for DPA to use when it provisions ephemeral users for your end users.

For more details, see What is a strong account?

You can choose where the strong account is stored: either vaulted in Privilege Cloud (recommended) or in the DPA service.

Prepare a certificate to validate communication to the target machine

If your organization uses certificates, you can provide the CA certificate to CyberArk to further secure communication between DPA and target on-premises machines in the workspace.

The following certificate types are supported:

  • CRT

  • CER

  • PEM

  • Providing a certificate is strongly recommended, because it verifies the authenticity of the target on-premises machine and ensures a secure connection.

  • The certificate must not be larger than 4 KB. Certificates larger than this cannot be uploaded.
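A pre-upload check for the limits listed above, as an added example that is not CyberArk code and does not reproduce DPA's own validation. The function names are hypothetical, "4 KB" is assumed to mean 4096 bytes, and the private-key and structure checks are extra hygiene beyond what the page requires; the structure check looks only at the outer ASN.1 shape, not at the signature or CA flags.

```python
import base64
import binascii
import re

MAX_BYTES = 4 * 1024          # assumption: the page's "4 KB" read as 4096 bytes
ALLOWED_EXT = (".crt", ".cer", ".pem")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (the outer shape of X.509)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                              # short-form length
        return 2 + data[1] == len(data)
    n = data[1] & 0x7F                              # long form: n length octets
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)


def check_ca_cert_file(name: str, data: bytes) -> list:
    """Return the problems found; an empty list means the file passed."""
    problems = []
    if not name.lower().endswith(ALLOWED_EXT):
        problems.append("extension is not CRT, CER or PEM")
    if len(data) > MAX_BYTES:
        problems.append(f"{len(data)} bytes is over the 4 KB limit")
    blocks = PEM_BLOCK.findall(data)
    if any(b"PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key; export the certificate only")
    if blocks:                                      # PEM: decode each certificate
        ders = []
        for label, body in blocks:
            if label == b"CERTIFICATE":
                try:
                    ders.append(base64.b64decode(b"".join(body.split()), validate=True))
                except binascii.Error:
                    ders.append(b"")                # undecodable body fails below
    else:                                           # no PEM armor: treat as DER
        ders = [data]
    if not ders or not all(is_der_sequence(d) for d in ders):
        problems.append("no well-formed X.509 certificate structure found")
    return problems

# Constructed sample: a 304-byte DER SEQUENCE standing in for a certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Read the exported CA certificate with `open(path, "rb").read()` and pass the file name and bytes to `check_ca_cert_file` before uploading it.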