Add and manage strong accounts
Each time an end user signs in to a Microsoft Windows machine in a protected domain, DPA creates an ephemeral user that is a privileged user on the target machine. This privileged user is created via a domain user, called a strong account, which is a member of the local administrators group on all the target machines.
Define this strong account for DPA to use when it provisions ephemeral users for your end users.
For more details, see What is a strong account?
You can choose where the strong account is stored: either vaulted in Privilege Cloud (recommended) or in the DPA service.
You can use this procedure only if you have the Privilege Cloud SaaS solution.
To vault the strong account in an existing Safe in Privilege Cloud:
1. In Privilege Cloud, add the relevant permission to the existing Safe. You can do this via the Privilege Cloud UI or via APIs. For more information, see Manage Safe members.
   - Using the Privilege Cloud UI:
     - Go to the Safes page, select the relevant Safe, and click the Members tab.
     - Click Add members.
     - On the Select members page, select the DPA RDP Privilege Cloud Secrets Access role.
     - On the Set permissions page, from the Permissions presets, select Read only.
   - Using APIs: use REST APIs to add the DPA RDP Privilege Cloud Secrets Access role as a member of the Safe. For more information, see Add Safe member.
2. In DPA, go to Strong accounts > Add a strong account and select Vaulted in Privilege Cloud.
3. Enter the Safe and Account name.
   - The Safe and Account name must be for the Safe selected in Privilege Cloud in step 1.
   - The Account name in Privilege Cloud is as shown on the Details tab.
4. Click Add an account.
5. Click Add domains to define the domains to be added.
6. Save each domain and click Close.
To create a new Safe in Privilege Cloud and vault the strong account in it:
1. In Privilege Cloud, add a new Safe. You can do this via the Privilege Cloud UI or via APIs. For more information, see Manage Safes.
   - Using the Privilege Cloud UI:
     - On the Define Safe properties page, it is recommended that you select the CPM that will manage the Safe's password policy.
     - On the Select members page, select only the DPA RDP Privilege Cloud Secrets Access role.
     - On the Set permissions page, from the Permissions presets, select Read only.
   - Using APIs: use REST APIs to create the new Safe and add the DPA RDP Privilege Cloud Secrets Access role as a member of the Safe. For more information, see Add Safe and Add Safe member.
2. Add an account to the Safe that you created. You can do this via the Privilege Cloud UI or via APIs:
   - Using the Privilege Cloud UI:
     - Add the account and select the Windows system type and any Windows platform.
       - If you selected a Windows platform that utilizes dual control, you need to add an additional permission to the DPA RDP Privilege Cloud Secrets Access role:
         - On the Safes page, select the Safe you created.
         - Click Members.
         - For the DPA RDP Privilege Cloud Secrets Access role, select Manage permissions.
         - In the Workflow section, select Access Safe without confirmation.
       - If you selected a platform that utilizes exclusive access, make sure you add an exception for this platform in the master policy to disable it.
       - Make sure your Windows platform is not integrated with a ticketing system.
     - On the Store in Safe page, select the Safe that you created.
     - On the Define account properties page:
       - Address - it is recommended that you enter the domain name.
       - Username - enter the strong account's username.
       - Password/Confirm password - enter the strong account's password.
       - Customize account name - enable this setting and enter a meaningful name for this account.
     For more information, see Add individual accounts manually.
   - Using APIs: use REST APIs to add an account to the Safe. For more information, see Add account.
3. In DPA, go to Strong accounts > Add a strong account and select Vaulted in Privilege Cloud.
4. Enter the Safe and Account name.
   The Safe and Account name must be the same as those added in Privilege Cloud in steps 1 and 2.
5. Click Add an account.
6. Click Add domains to define the domains to be added.
7. Save each domain and click Close.
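The API path of the procedure above (Add Safe, Add Safe member, Add account), as an added example that is not CyberArk's own code: a Python script that builds the request bodies with the Read only preset for the DPA role, adds Access Safe without confirmation only when the platform uses dual control, and posts them to Privilege Cloud in the order the steps give. The base URL, Identity bearer token, Safe name, CPM name and platform ID are assumed inputs, and the endpoint paths and JSON field names are taken from the Privilege Cloud REST API reference as I know it, so check them against the API pages cited above.

```python
"""Added example, not CyberArk's code: builds the Privilege Cloud REST API
requests behind the UI steps above (Add Safe, Add Safe member, Add account).
Endpoint paths and field names are assumed from the API reference."""
import json
import urllib.request

DPA_ROLE = "DPA RDP Privilege Cloud Secrets Access"  # role name from the page
API = "/PasswordVault/API"
# "Read only" permissions preset: use, retrieve and list accounts, nothing else.
READ_ONLY = {"useAccounts": True, "retrieveAccounts": True, "listAccounts": True}

def safe_body(safe_name, managing_cpm):
    """Body for POST {API}/Safes, naming the managing CPM as recommended."""
    return {"safeName": safe_name, "description": "DPA strong account",
            "managingCPM": managing_cpm, "numberOfVersionsRetention": 5}

def safe_member_body(dual_control=False):
    """Body for POST {API}/Safes/{safeName}/Members granting the DPA role
    Read only access; with a dual-control platform the role also needs
    'Access Safe without confirmation' (Workflow section in the UI)."""
    permissions = dict(READ_ONLY)
    if dual_control:
        permissions["accessWithoutConfirmation"] = True
    return {"memberName": DPA_ROLE, "memberType": "Role",
            "searchIn": "Vault", "permissions": permissions}

def account_body(safe_name, platform_id, domain, username, secret, account_name):
    """Body for POST {API}/Accounts: address = domain name, customized
    account name, a Windows platform, the password stored as the secret."""
    return {"name": account_name, "address": domain, "userName": username,
            "platformId": platform_id, "safeName": safe_name,
            "secretType": "password", "secret": secret}

def post(base_url, token, path, body):
    """One authenticated call; token is an Identity OAuth bearer token."""
    req = urllib.request.Request(
        base_url + API + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def provision(base_url, token, safe, cpm, platform, domain, user, secret, name,
              dual_control=False):
    """Run the three API steps in the order the procedure gives them."""
    post(base_url, token, "/Safes", safe_body(safe, cpm))
    post(base_url, token, f"/Safes/{safe}/Members", safe_member_body(dual_control))
    return post(base_url, token, "/Accounts",
                account_body(safe, platform, domain, user, secret, name))
```

After `provision` returns, enter the same Safe name and account name in DPA under Strong accounts > Add a strong account.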
To store the strong account in the DPA service:
1. In DPA, go to Strong accounts > Add a strong account and select Stored in the DPA Service.
2. Enter the Username, Password, and Account name.
3. Click Add an account.
4. Click Add domains to define the domains to be added.
5. Save each domain and click Close.
Prepare a certificate to validate communication to the target machine
If your organization uses certificates, you can provide the CA certificate to CyberArk to further secure communication between DPA and target on-premises machines in the workspace.
The following certificate types are supported:
- CRT
- CER
- PEM
Note the following:
- It is strongly recommended to provide a certificate to verify the authenticity of the target on-premises machine to ensure a secure connection.
- The certificate must not be larger than 4 KB. Certificates larger than this cannot be uploaded.