Internal PSM Users

Rename the PSM users

  1. Rename the local PSMConnect and/or PSMAdminConnect users.

  2. Stop the PSM service.

  3. In the PVWA, display the Accounts list.

  4. On the Search toolbar, click Go to begin a search for all the accounts that you have access to. Leave the search field empty to search for all managed accounts.

  5. In all PSMConnect and PSMAdminConnect accounts, change the following properties:

    UserName – Specify the new username of the PSM user. For example, PSMConnect2 or PSMAdminConnect2.

  6. Click Save to save the new account properties.

  7. Restart the PSM.

Configure Permissions for the new PSMConnect User in the PSM Server

  1. Make sure the PSMConnect user has access to the shared recording folder, by default PSM\Recordings, with the following special permission:

    Create files/write data

    Make sure that access is allowed for this folder only and does not include subfolders and files.

  2. Make sure the PSMConnect user is denied all other access rights to the shared recording folder, its subfolders and files. This should have been set by the PSM Hardening Script.

  3. Make sure the PSMConnect user has access to the components log folder, by default PSM\Logs\Components, with the following special permission:

    Create files/write data

    Make sure that access is allowed for this folder only and does not include subfolders and files.

Configure Permissions for the new PSMAdminConnect User in the PSM Server

Verify that the PSMAdminConnect user has the following permissions in the PSM server.

  • Verify that the PSMAdminConnect user has access to the components log folder, by default PSM\Logs\Components, with the following special permission:

    Create files/write data

    Make sure that access is allowed for this folder only, without including subfolders and files.
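
The folder permissions described in the two sections above can be confirmed with a read-only ACL query. The following PowerShell is an added example, not part of the CyberArk documentation or scripts. It assumes the default installation folder C:\Program Files (x86)\CyberArk\PSM, local accounts, and the example names PSMConnect2 and PSMAdminConnect2; the function name Test-PsmFolderAcl is hypothetical.

```powershell
# Added example: read-only check of the folder ACLs for the renamed PSM users.
# Assumptions: default install path, local accounts, example names from this page.
$PsmRoot = 'C:\Program Files (x86)\CyberArk\PSM'
$Checks = @(
    @{ User = 'PSMConnect2';      Folder = Join-Path $PsmRoot 'Recordings' },
    @{ User = 'PSMConnect2';      Folder = Join-Path $PsmRoot 'Logs\Components' },
    @{ User = 'PSMAdminConnect2'; Folder = Join-Path $PsmRoot 'Logs\Components' }
)

function Test-PsmFolderAcl {
    param([string]$User, [string]$Folder)

    # Local accounts appear in ACLs as COMPUTERNAME\UserName.
    $account = "$env:COMPUTERNAME\$User"
    $rules = @((Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.IdentityReference.Value -ieq $account })

    # Allow rule granting "Create files / write data" on this folder only
    # (InheritanceFlags None = not applied to subfolders or files).
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $allowHere = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $createFiles) -and
        $_.InheritanceFlags -eq 'None'
    }

    # Any Allow rule that reaches subfolders or files breaks "this folder only".
    $allowChildren = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.InheritanceFlags -ne 'None'
    }

    $deny = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }

    [pscustomobject]@{
        Account                 = $account
        Folder                  = $Folder
        WriteDataThisFolderOnly = [bool]$allowHere
        AllowReachesChildren    = [bool]$allowChildren
        DenyRulesPresent        = [bool]$deny
    }
}

$Checks |
    ForEach-Object { Test-PsmFolderAcl -User $_.User -Folder $_.Folder } |
    Format-Table -AutoSize
```

A folder configured as described shows WriteDataThisFolderOnly as True and AllowReachesChildren as False. An empty result for an account usually means the ACL still references the old user name.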

Configure the PSM Hardening Script

  1. Remove the read-only permissions from the PSMHardening.ps1 file.

  2. Using Notepad, open the PSM hardening script. By default, it is stored in the following location:

    C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMHardening.ps1

  3. Change the value of the $PSM_CONNECT_USER variable from "$COMPUTER\PSMConnect" to the new user name.

    For example, if the new PSMConnect user name is PSMConnect2, specify "$COMPUTER\PSMConnect2".

  4. Change the value of the $PSM_ADMIN_CONNECT_USER variable from "$COMPUTER\PSMAdminConnect" to the new user name.

    For example, if the new PSMAdminConnect user name is PSMAdminConnect2, specify "$COMPUTER\PSMAdminConnect2".

  5. In a PowerShell window, open the PSM_INSTALLATION\Hardening folder and run the PSM hardening script, using the following command:

    ./PSMHardening.ps1

Configure the PSM AppLocker Script

  1. Using Notepad, open the PSM AppLocker script.

    By default, it is stored in the following location:
    C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.ps1

  2. Change the value of the $PSM_CONNECT variable from "PSMConnect" to the new user name.

    For example, if the new user is called PSMConnect2, specify "PSMConnect2", as shown below.

    $PSM_CONNECT        = "PSMConnect2"

  3. Change the value of the $PSM_ADMIN_CONNECT variable from "PSMAdminConnect" to the new user name.

    For example, if the new user is called PSMAdminConnect2, specify "PSMAdminConnect2", as shown below.

    $PSM_ADMIN_CONNECT  = "PSMAdminConnect2"

  4. In a PowerShell window, open the PSM_INSTALLATION\Hardening folder and run the PSM AppLocker script, using the following command:

    ./PSMConfigureAppLocker.ps1

Change the PSMConnect and PSMAdminConnect Account Names

During PSM installation, the PSMConnect and PSMAdminConnect accounts are created for use by the PSM.

The following procedure describes how to change these account names.