Move PSM application users to the domain level

This topic describes how to move the PSM application users from local users to domain users.

Overview

During PSM installation, the following users are created in the PSM environment on the PSM machine:

User

Description

PSMConnect

Starts PSM sessions on the PSM machine.

PSMAdminConnect

Monitors live privileged sessions.

We strongly recommend that the PSMConnect and PSMAdminConnect users be managed by CPM.

After PSM is installed you can move these users to the domain level.

In some cases the PSM application users cannot remain local users and must be domain users.

When must I move the PSM application users to the domain level?

If you installed PSM (the Connector) on a Windows 2019 or 2022 machine and:

  • You are working with a RDS CAL per-user license.

    And

  • You want to extend PSM sessions beyond one hour.

Create the PSMConnect and PSMAdminConnect users in your domain

Create two users in your domain for replacing the local PSMConnect and PSMAdminConnect users.

 

To support password rotation by the CPM, the User logon name (pre-Windows 2000) setting must contain fewer than 20 characters.

Make sure that the new domain users both belong to the built-in group called Remote Desktop Users. This enables them to log on to the PSM machine.

Make sure that the PSM server machine belongs to the domain where the new users are listed.

Modify the domain users in Active Directory

Modify the Active Directory settings for the PSMConnect and PSMAdminConnect domain users that you created.

  1. In the domain controller, display the Properties window for the PSMConnect domain user.

  2. In the Environment tab, do the following:

    Property

    Description

    Start the following program at logon

    Select this check box.

    Program file name

    In Program file name, enter the full path of the PSMInitSession.exe.

    The default full path is:

    C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe

    Start in

    Enter the path where the PSMInitSession.exe will be run.

    The default location is:

    C:\Program Files (x86)\CyberArk\PSM\Components

    Client devices

    Clear all check boxes.

  1. In the Remote Control tab, do the following:

    Property

    Description

    Enable remote control

    Select this check box.

    Require user’s permission

    Clear this check box.

    Level of Control

    Select an option to determine whether other users can monitor or control the PSMConnect domain user’s sessions:

    • View the user's session:  Enables live monitoring of PSM sessions.

    • Interact with the session: Enables live monitoring and taking over PSM sessions.

  2. In the Account tab, do the following: 

    1. Click Log On To to limit the PSMConnect domain user to only log in to PSM servers.

      On the Logon Workstations page, select The following computers, then click Add, to add the PSM machine.

    2. In the Accounts options section, select Password never expires.

    3. Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM. Associate a reconcile account with the platform to ensure successful password rotation.

  1. In the Sessions tab, do the following:

    Property

    Description
    End a disconnected session Select 1 minute.
    Active session limit

    Select Never.

    Disconnect from session Select this option.

    From originating client only

    Select this option.

  1. In the domain controller, display the Properties window for the PSMAdminConnect domain user.

  2. In the Environment tab, do the following:

    Property

    Description
    Start the following program at logon: Select this option.
    Program file name

    Enter the full path of the PSMInitSession.exe.

    The default full path is:

    C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe
    Start in

    Enter the folder where you want to run PSMInitSession.exe.

    The default location is:

    C:\Program Files (x86)\CyberArk\PSM\Components
    Client devices Clear all check boxes.

  3. In the Remote Control tab, do the following:

    Property

    Description
    Enable remote control Select this check box.
    Require user’s permission Clear this check box.
    Level of Control

    Select the option to determine whether or not other users will be able to monitor or control the PSMConnect domain user’s sessions:

    • View the user's session: enables live monitoring of PSM sessions.

    • Interact with the session: enables live monitoring and taking over PSM sessions.

  1. In the Account tab, do the following: 

    1. Click Log On To.

    1. On the Logon Workstations window, select The following computers, click Add to add the PSM machine, and then click OK.

    2. Select Password never expires.

       

      Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM. Associate a reconcile account with the platform to ensure successful password rotation.

Harden the Active Directory settings for the new domain users (optional)

We recommend that you follow these best practices for limiting domain users and enhancing their security level.

  1. In the Active Directory, display the Active Directory Users and Computers window. Right-click the domain to which the PSM users belong and select Properties.
  2. In the Properties window, in the Security tab, click Advanced.

  3. In the Advanced Security Settings window, add the PSMConnect and PSMAdminConnect domain users, then click Permission Entry.

    In the Permission Entry window, add the PSMConnect and PSMAdminConnect domain users, then click Permission Entry.

    From the Apply to drop-down list, select All descendant objects.Deny the following permissions:List contentsRead all properties:

As a result of the above procedure, user group policies cannot be applied for these users. If you still choose to deny these permissions for the PSMConnect and PSMAdminConnect domain users, deny them permission to list contents and read all properties on every Active Directory OU apart from CN=System/CN=Policies (which can be accessed through the ADSI Edit tool).

In Modify the domain users in Active Directory PSMConnect and PSMAdminConnect are enabled to log on to PSM machines. We recommend denying these users access to other domain machines.

In a group platform that is applied on every machine in the domain except the PSM server, add a Deny rule that prevents the PSMConnect / PSMAdminConnect domain users from logging in to domain machine.

Create Windows Domain accounts in the Privilege Cloud portal

Log on to the Privilege Cloud portal with your Privilege Cloud admin credentials.

Step 1: Create a dedicated platform for the app users

Duplicate the Windows Domain platform, as described in Add a new platform (duplicate) and give it a meaningful name. For example, WIN-DOM-PSMADMIN-ACCOUNT.

Step 2: Disable the PSM connectors for the platform (optional)

This step is a security best practice.

Open the platform that you have just created for editing, as described in Edit a platform.

In the left pane, expand UI & WorkflowsConnection Components, and change Enabled to No for all the PSM connectors.

Step 3: Create accounts and associate with platform

Create an account for each app user, as described in Add individual accounts manually. When you create the account, do the following:

  1. Select the platform you created in Create a dedicated platform for the app users.

  2. Select the PSM Safe.

  3. When you enter the account properties, under Additional properties, in the Log On To field, enter the NETBIOS name of the domain.

    For example, a domain whose full name is mycompany.com might have the NETBIOS name mycompany_dom, which you would specify in this property.

Step 4: Assign a CPM to the PSM Safe

Open the PSM Safe for editing, as described in Edit a Safe . From the Assign to CPM list, select the CPM that will manage the passwords for the accounts.

Configure PSM to use the new domain accounts

Replace the local accounts defined in the PSM settings with the new domain accounts via the Privilege Cloud Portal.

To configure the PSM server to use the new domain accounts:

  1. In the Privilege Cloud portal, click Administration Configuration Options.
  2. In the left pane, go to ConfigurationsPrivileged Session Management > Configured PSM Servers > {Server Name} > Connection Details.
  3. Under Connection Details, for each PSM server defined, edit the following properties:

Property

Description

Object

Enter the object name of the PSMConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.

AdminObject

Enter the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.
 

If you are integrated with Remote Access, update the TS Gateway with the same corresponding Object value.

Edit the basic_psm.ini file

  1. On the PSM server, open the basic_psm.ini file, located by default in:

    C:\Program Files (x86)\Cyberark\PSM

  2. Update PSMServerAdminId with the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.

  3. Restart the PSM service.

Edit and run the PSM hardening and Applocker scripts

Step 1: Edit the PSM hardening script

  1. Open the PSMHardening.ps1 file for editing (remove read-only permissions if required). By default, it is located in:

    C:\Program Files (x86)\Cyberark\PSM\Hardening

  2. Edit the following parameters in the file:

    Parameter

    Description

    $PSM_CONNECT_USER

    Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.

    $PSM_ADMIN_CONNECT_USER

    Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.

Step 2: Edit the PSM AppLocker script

  1. Open the PSMConfigureAppLocker.ps1 file for editing. By default, it is located in:

    C:\Program Files (x86)\CyberArk\PSM\Hardening

  2. Edit the following parameters in the file:

    Parameter

    Description

    $PSM_CONNECT

    Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.

    $PSM_ADMIN_CONNECT

    Replace the local computer name (see $COMPUTER highlighted in the image below) with the domain.

Step 3: Run the scripts

Open an elevated PowerShell window and run the following commands:

  
./PSMHardening.ps1
  
./PSMConfigureAppLocker.ps1

Step 4: Restart the Connector server

Make sure that you can authenticate to the Privilege Cloud Portal.

Step 5: Update the Connector server security group

In the Connector local security group (Computer Management>System Tools>Local Users and Groups>Groups and open Remote Desktop Users Properties), ensure that Remote Desktop Users contains the new PSM Domain Accounts :

  • DOMAIN\PSMAdminConnect

  • DOMAIN\PSMConnect

If not, add them locally.

Add applicable accounts to the PSM GPO object

Update the PSM Hardening Group Policy.

 

If Domain GPOs are not applied, edit the Local Group Policy.

To edit the GPO object:

  1. In the Group Policy Management Console, under Group Policy Objects, right-click the newly created GPO and click Edit.

  1. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  1. Double click Allow log on through Remote Desktop Services.

    • If the PSMConnect and PSMAdminConnect users are domain users, add the users with a <Domain> prefix.

    • If the PSMConnect and PSMAdminConnect users were renamed, add the renamed users.

To ensure that unauthorized users do not gain access to the PSM server, make sure that this setting is only allowed for PSMConnect and PSMAdminConnect users and for maintenance users who are required to log on remotely to the PSM server.

Enable local administrators to customize permissions

Adjust the PSM hardening policy to enable local administrators to customize permissions.

To update the PSM hardening policy:

  1. In the Group Policy Management Console, under Group Policy Objects, right-click the PSM hardening GPO and click Edit.
  2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Do not allow local administrators to customize permissions and set the value to Not configured.

  3. In the Registry, check for the following registry key and delete it after updating the GPO.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services --> fWritableTSCCPermTab

Validate PSM functionality

Log on to the Privilege Cloud Portal and validate PSM functionality.

In addition, check the following:

  • Make sure the PSMConnect domain user has access to the shared recording folder, by default PSM\Recordings, with the following special permissions: Create files/write data.

    Make sure that access is allowed for this folder only and does not include subfolders and files.

  • Make sure the PSMConnect domain user is denied all other access rights to the shared recording folder, its subfolders and files. This should have been set by the PSM Hardening Script.

  • Make sure the PSMConnect domain user has access to the components log folder, by default PSM\Logs\Components, with the following special permissions:

    • Create files/write data

    • List folders/read data

    Make sure that access is allowed for this folder only and does not include subfolders and files.