PSMConnect and PSMAdminConnect Domain Users

This topic describes how to move the PSM application users from local users to domain users.

Overview

During PSM installation, the following users are created in the PSM environment on the PSM machine:

User	Description
PSMConnect	Starts PSM sessions on the PSM machine.
PSMAdminConnect	Monitors live privileged sessions.

We strongly recommend that the PSMConnect and PSMAdminConnect users be managed by CPM

After PSM is installed you can move these users to the domain level.

In some cases the PSM application users cannot remain local users and must be domain users.

When must I move the PSM application users to the domain level?

If you installed PSM on a Windows 2019 machine and:

You are working with a RDS CAL per-user license.

And
You want to extend PSM sessions beyond one hour.

Create the PSMConnect and PSMAdminConnect users in your domain

Create two users in your domain for replacing the local PSMConnect and PSMAdminConnect users.

To support password rotation by the CPM, the User logon name (pre-Windows 2000) setting must contain fewer than 20 characters.

Make sure that the new domain users both belong to the built-in group called Remote Desktop Users. This enables them to log on to the PSM machine.

Make sure that the PSM server machine belongs to the domain where the new users are listed.

Modify the domain users in Active Directory

Modify the Active Directory settings for the PSMConnect and PSMAdminConnect domain users that you created.

In the domain controller, display the Properties window for the PSMConnect domain user.

In the Environment tab, do the following:

Property	Description
Start the following program at logon	Select this check box.
Program file name	In Program file name, enter the full path of the PSMInitSession.exe. The default full path is: C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe
Start in	Enter the path where the PSMInitSession.exe will be run. The default location is: C:\Program Files (x86)\CyberArk\PSM\Components
Client devices	Clear all check boxes.

In the Remote Control tab, do the following:

Property	Description
Enable remote control	Select this check box.
Require user’s permission	Clear this check box.
Level of Control	Select an option to determine whether other users can monitor or control the PSMConnect domain user’s sessions: View the user's session: Enables live monitoring of PSM sessions. Interact with the session: Enables live monitoring and taking over PSM sessions.

Property

Description

Enable remote control

Select this check box.

Require user’s permission

Clear this check box.

Level of Control

Select an option to determine whether other users can monitor or control the PSMConnect domain user’s sessions:

View the user's session: Enables live monitoring of PSM sessions.
Interact with the session: Enables live monitoring and taking over PSM sessions.

In the Account tab, do the following:
1. Click Log On To to limit the PSMConnect domain user to only log in to PSM servers.
  
  On the Logon Workstations page, select The following computers, then click Add, to add the PSM machine.
2. In the Accounts options section, select Password never expires.
3. Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM. Associate a reconcile account with the platform to ensure successful password rotation. For details, see Advanced PSM Implementations.

In the Sessions tab, do the following:

Property	Description
End a disconnected session	Select 1 minute.
Active session limit	Select Never. Note: You can configure the maximum PSM session duration in PSM configuration in the PVWA.
Disconnect from session	Select this option.
From originating client only	Select this option.

In the domain controller, display the Properties window for the PSMAdminConnect domain user.

In the Environment tab, do the following:

Property	Description
Start the following program at logon:	Select this option.
Program file name	Enter the full path of the PSMInitSession.exe. The default full path is: C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe
Start in	Enter the folder where you want to run PSMInitSession.exe. The default location is: C:\Program Files (x86)\CyberArk\PSM\Components
Client devices	Clear all check boxes.

In the Remote Control tab, do the following:

Property	Description
Enable remote control	Select this check box.
Require user’s permission	Clear this check box.
Level of Control	Select the option to determine whether or not other users will be able to monitor or control the PSMConnect domain user’s sessions: View the user's session: enables live monitoring of PSM sessions. Interact with the session: enables live monitoring and taking over PSM sessions.

Property

Description

Enable remote control

Select this check box.

Require user’s permission

Clear this check box.

Level of Control

Select the option to determine whether or not other users will be able to monitor or control the PSMConnect domain user’s sessions:

View the user's session: enables live monitoring of PSM sessions.
Interact with the session: enables live monitoring and taking over PSM sessions.

In the Account tab, do the following:

Click Log On To.

On the Logon Workstations window, select The following computers, click Add to add the PSM machine, and then click OK.

Select Password never expires.

Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM. Associate a reconcile account with the platform to ensure successful password rotation. For details, see Advanced PSM Implementations.

Harden the Active Directory settings for the new domain users (optional)

We recommend that you follow these best practices for limiting domain users and enhancing their security level.

Create Windows Domain accounts in the PVWA

Log on to the PVWA with your PAS admin credentials.

Step 1: Create a dedicated platform for the app users

Duplicate the Windows Domain platform, as described in Add a new platform (duplicate) and give it a meaningful name. For example, WIN-DOM-PSMADMIN-ACCOUNT.

Step 2: Disable the PSM connectors for the platform (optional)

This step is a security best practice.

Open the platform that you have just created for editing, as described in Edit a platform.

In the left pane, expand UI & Workflows > Connection Components, and change Enabled to No for all the PSM connectors.

Step 3: Create accounts and associate with platform

Create an account for each app user, as described in Add an account in V10 Interface. When you create the account, do the following:

Select the platform you created in Create a dedicated platform for the app users.
Select the PSM Safe.
When you enter the account properties, under Additional properties, in the Log On To field, enter the NETBIOS name of the domain.

For example, a domain whose full name is mycompany.com might have the NETBIOS name mycompany_dom, which you would specify in this property.

Step 4: Assign a CPM to the PSM Safe

Open the PSM Safe for editing, as described in Manage Safes. From the Assign to CPM list, select the CPM that will manage the passwords for the accounts.

Configure PSM to use the new domain accounts

Replace the local accounts defined in the PSM settings with the new domain accounts via the PVWA.

To configure the PSM server to use the new domain accounts:

In the PVWA, click Administration > Configuration Options, and then click Options.
In the left pane, go to Configurations > Privileged Session Management > Configured PSM Servers > {Server Name} > Connection Details.
Under Connection Details, for each PSM server defined, edit the following properties:

Property	Description
Object	Enter the object name of the PSMConnect account, as defined in the Name field in the Account Details page in the PVWA.
AdminObject	Enter the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the PVWA.

If you are integrated with Remote Access, update the TS Gateway with the same corresponding Object value.

Edit the basic_psm.ini file

On the PSM server, open the basic_psm.ini file, located by default in:

C:\Program Files (x86)\Cyberark\PSM
Update PSMServerAdminId with the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the PVWA.
Restart the PSM service.

Edit and run the PSM hardening and Applocker scripts

Step 1: Edit the PSM hardening script

Open the PSMHardening.ps1 file for editing (remove read-only permissions if required). By default, it is located in:

C:\Program Files (x86)\Cyberark\PSM\Hardening

Edit the following parameters in the file:

Parameter	Description
$PSM_CONNECT_USER	Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.
$PSM_ADMIN_CONNECT_USER	Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.

Step 2: Edit the PSM AppLocker script

Open the PSMConfigureAppLocker.ps1 file for editing. By default, it is located in:

C:\Program Files (x86)\CyberArk\PSM\Hardening

Edit the following parameters in the file:

Parameter	Description
$PSM_CONNECT	Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.
$PSM_ADMIN_CONNECT	Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.

Step 3: Run the scripts

Open an elevated PowerShell window and run the following commands:

./PSMHardening.ps1

./PSMConfigureAppLocker.ps1

Step 4: Restart the PSM server

Make sure that you can authenticate to the PVWA.

Step 5: Update the PSM server security group

In the PSM local security group (Computer Management>System Tools>Local Users and Groups>Groups and open Remote Desktop Users Properties), ensure that Remote Desktop Users contains the new PSM Domain Accounts :

DOMAIN\PSMAdminConnect

DOMAIN\PSMConnect

If not, add them locally.

Add applicable accounts to the PSM GPO object

Update the PSM Hardening Group Policy.

If Domain GPOs are not applied, edit the Local Group Policy.

To edit the GPO object:

In the Group Policy Management Console, under Group Policy Objects, right-click the newly created GPO and click Edit.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Double click Allow log on through Remote Desktop Services.
- If the PSMConnect and PSMAdminConnect users are domain users, add the users with a <Domain> prefix.
- If the PSMConnect and PSMAdminConnect users were renamed, add the renamed users.

To ensure that unauthorized users do not gain access to the PSM server, make sure that this setting is only allowed for PSMConnect and PSMAdminConnect users and for maintenance users who are required to log on remotely to the PSM server.

Enable local administrators to customize permissions

Adjust the PSM hardening policy to enable local administrators to customize permissions.

To update the PSM hardening policy:

In the Group Policy Management Console, under Group Policy Objects, right-click the PSM hardening GPO and click Edit.
Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Do not allow local administrators to customize permissions and set the value to Not configured.
In the Registry, check for the following registry key and delete it after updating the GPO.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services --> fWritableTSCCPermTab

Configure the Remote Desktop Session on the PSM server

Adjust the permissions of the PSMAdminConnect domain user so that it can monitor and control the PSMConnect domain user.

To configure the RDS:

From a command line, run the wmic tool to connect to the PSM server.

Add the DOMAIN\PSMAdminConnect object to the PermissionsSetting in the RDP-Tcp options, using the following command:

wmic.exe /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "DOMAINNAME\PSMAdminConnect",0

Add the Remote Control permission for the PSMAdminConnect user, using the following command:

The value of the DOMAINNAME parameter must be the NetBIOS name.

wmic.exe /namespace:\\root\cimv2\TerminalServices PATH Win32_TSAccount WHERE "TerminalName='RDP-Tcp' AND AccountName='DOMAINNAME\\PSMAdminConnect'" CALL ModifyPermissions TRUE,4

Restart the PSM server.

Validate PSM functionality

Log on to the PVWA and validate PSM functionality.

In addition, check the following:

Make sure the PSMConnect domain user has access to the shared recording folder, by default PSM\Recordings, with the following special permissions: Create files/write data.

Make sure that access is allowed for this folder only and does not include subfolders and files.

Make sure the PSMConnect domain user is denied all other access rights to the shared recording folder, its subfolders and files. This should have been set by the PSM Hardening Script.

Make sure the PSMConnect domain user has access to the components log folder, by default PSM\Logs\Components, with the following special permissions:
- Create files/write data
- List folders/read data
Make sure that access is allowed for this folder only and does not include subfolders and files.

Troubleshooting WMIC command failures

See WMIC command failures KB.