Move PSM application users to the domain level

This topic describes how to move the PSM application users from local users to domain users.

To perform this action, you will need the help of Privilege Cloud Support.

Overview

During PSM installation, the following users are created in the PSM environment on the PSM machine:

User

Description

PSMConnect

Starts PSM sessions on the PSM machine.

PSMAdminConnect

Monitors live privileged sessions.

We strongly recommend that the PSMConnect and PSMAdminConnect users be managed by CPM.

After PSM is installed you can move these users to the domain level.

In some cases the PSM application users cannot remain local users and must be domain users.

When must I move the PSM application users to the domain level?

If you installed PSM (the Connector) on a Windows Server 2019 or 2022 machine and:

  • You are working with an RDS CAL per-user license.

    And

  • You want to extend PSM sessions beyond one hour.

Create the PSMConnect and PSMAdminConnect users in your domain

Create two users in your domain for replacing the local PSMConnect and PSMAdminConnect users.

To support password rotation by the CPM, the User logon name (pre-Windows 2000) setting must contain fewer than 20 characters.

Make sure that the new domain users both belong to the built-in group called Remote Desktop Users. This enables them to log on to the PSM machine.

Make sure that the PSM server machine belongs to the domain where the new users are listed.

Modify the domain users in Active Directory

Modify the Active Directory settings for the PSMConnect and PSMAdminConnect domain users that you created.

  1. In the domain controller, display the Properties window for the PSMConnect domain user.

  2. In the Environment tab, do the following:

    Property

    Description

    Start the following program at logon

    Select this check box.

    Program file name

    In Program file name, enter the full path of the PSMInitSession.exe.

    The default full path is:

    C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe

    Start in

    Enter the path where the PSMInitSession.exe will be run.

    The default location is:

    C:\Program Files (x86)\CyberArk\PSM\Components

    Client devices

    Clear all check boxes.

  3. In the Remote Control tab, do the following:

    Property

    Description

    Enable remote control

    Select this check box.

    Require user’s permission

    Clear this check box.

    Level of Control

    Select an option to determine whether other users can monitor or control the PSMConnect domain user’s sessions:

    • View the user's session:  Enables live monitoring of PSM sessions.

    • Interact with the session: Enables live monitoring and taking over PSM sessions.

  4. In the Account tab, do the following:

    1. Click Log On To to limit the PSMConnect domain user to logging in to PSM servers only.

      On the Logon Workstations page, select The following computers, then click Add to add the PSM machine.

    2. In the Accounts options section, select Password never expires.

    3. Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the Secrets Rotation. Associate a reconcile account with the platform to ensure successful password rotation.

  5. In the Sessions tab, do the following:

    Property

    Description

    End a disconnected session

    Select 1 minute.

    Active session limit

    Select Never.

    Disconnect from session

    Select this option.

    From originating client only

    Select this option.

  6. In the domain controller, display the Properties window for the PSMAdminConnect domain user.

  7. In the Environment tab, do the following:

    Property

    Description

    Start the following program at logon

    Select this option.

    Program file name

    Enter the full path of the PSMInitSession.exe.

    The default full path is:

    C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe

    Start in

    Enter the folder where you want to run PSMInitSession.exe.

    The default location is:

    C:\Program Files (x86)\CyberArk\PSM\Components

    Client devices

    Clear all check boxes.

  8. In the Remote Control tab, do the following:

    Property

    Description

    Enable remote control

    Select this check box.

    Require user’s permission

    Clear this check box.

    Level of Control

    Select an option to determine whether other users can monitor or control the PSMConnect domain user’s sessions:

    • View the user's session: enables live monitoring of PSM sessions.

    • Interact with the session: enables live monitoring and taking over PSM sessions.

  9. In the Account tab, do the following:

    1. Click Log On To.

    2. On the Logon Workstations window, select The following computers, click Add to add the PSM machine, and then click OK.

    3. Select Password never expires.

      Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM. Associate a reconcile account with the platform to ensure successful password rotation.
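The following PowerShell script is an added example and not CyberArk's code. It scripts the account creation from "Create the PSMConnect and PSMAdminConnect users in your domain" together with the Environment, Remote Control, Account and Sessions tab settings from the section above, so the configuration can be repeated and reviewed instead of clicked through twice. The domain name, target OU, PSM machine name and the view-only versus interact choice per user are assumptions; the Terminal Services attribute names and remote-control values are those of Microsoft's IADsTSUserEx ADSI interface, which Set-ADUser does not expose.

```powershell
# Added example (not CyberArk's code): create the two PSM application users in
# Active Directory and apply the Environment, Remote Control, Account and
# Sessions tab settings from the procedure.
# Assumptions (adjust for your environment): domain example.local, the target
# OU, the PSM machine name PSMSRV01, the default PSM installation path.
# Run where the ActiveDirectory RSAT module is installed, as a user allowed to
# create accounts in the OU.
Import-Module ActiveDirectory

$Domain      = 'example.local'                                   # assumption
$TargetOU    = 'OU=PSM,OU=Service Accounts,DC=example,DC=local'  # assumption
$PsmServer   = 'PSMSRV01'                                        # assumption: NetBIOS name of the PSM machine
$PsmPath     = 'C:\Program Files (x86)\CyberArk\PSM\Components'  # default path from the procedure
$InitSession = Join-Path $PsmPath 'PSMInitSession.exe'

# IADsTSUserEx.EnableRemoteControl values: 2 = interact with the session without
# the user's permission, 4 = view the session without the user's permission.
$RemoteControlInteract = 2
$RemoteControlView     = 4

function New-PsmAppUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [Parameter(Mandatory)][int]$RemoteControl
    )
    # CPM rotation requires the pre-Windows 2000 logon name (sAMAccountName) to
    # be shorter than 20 characters; fail early rather than onboard an account
    # whose password can never be rotated.
    if ($Name.Length -ge 20) {
        throw "sAMAccountName '$Name' has $($Name.Length) characters; it must have fewer than 20."
    }

    # Account tab: Password never expires, Log On To restricted to the PSM machine.
    # The initial password is only a placeholder: CPM reconciles and rotates it
    # once the account is onboarded to the platform created later in the procedure.
    New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@$Domain" `
        -Path $TargetOU -AccountPassword $InitialPassword -Enabled $true `
        -PasswordNeverExpires $true -LogonWorkstations $PsmServer

    # Environment, Remote Control and Sessions tabs are Terminal Services
    # attributes written through the IADsTSUserEx interface on the user object.
    $dn   = (Get-ADUser -Identity $Name).DistinguishedName
    $user = [ADSI]"LDAP://$dn"

    # Environment tab
    $user.psbase.InvokeSet('TerminalServicesInitialProgram', $InitSession)  # Start the following program at logon
    $user.psbase.InvokeSet('TerminalServicesWorkDirectory',  $PsmPath)      # Start in
    $user.psbase.InvokeSet('ConnectClientDrivesAtLogon',   0)               # Client devices: all check boxes cleared
    $user.psbase.InvokeSet('ConnectClientPrintersAtLogon', 0)
    $user.psbase.InvokeSet('DefaultToMainPrinter',         0)

    # Remote Control tab: enabled, no permission prompt, view or interact
    $user.psbase.InvokeSet('EnableRemoteControl', $RemoteControl)

    # Sessions tab
    $user.psbase.InvokeSet('MaxDisconnectionTime',   1)   # End a disconnected session: 1 minute
    $user.psbase.InvokeSet('MaxConnectionTime',      0)   # Active session limit: Never
    $user.psbase.InvokeSet('BrokenConnectionAction', 0)   # Disconnect from session
    $user.psbase.InvokeSet('ReconnectionAction',     1)   # From originating client only
    $user.psbase.CommitChanges()

    # Membership in the PSM machine's local Remote Desktop Users group is granted
    # on the PSM machine itself (see "Update the Connector server security group").
    Get-ADUser -Identity $Name -Properties PasswordNeverExpires, LogonWorkstations |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, LogonWorkstations
}

# The procedure leaves the View/Interact choice to you; this assumes view-only
# for PSMConnect and interact for PSMAdminConnect.
New-PsmAppUser -Name 'PSMConnect' -RemoteControl $RemoteControlView `
    -InitialPassword (Read-Host -AsSecureString 'Initial password for PSMConnect')
New-PsmAppUser -Name 'PSMAdminConnect' -RemoteControl $RemoteControlInteract `
    -InitialPassword (Read-Host -AsSecureString 'Initial password for PSMAdminConnect')
```

The length check runs before anything is created, because a user that CPM cannot rotate is the failure mode the 20-character limit exists to prevent. The function returns the stored account settings so the output can be kept with the change record.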

Harden the Active Directory settings for the new domain users (optional)

We recommend that you follow these best practices for limiting domain users and enhancing their security level.

Create Windows Domain accounts in the Privilege Cloud portal

Log on to the Privilege Cloud portal with your Privilege Cloud admin credentials.

Step 1: Create a dedicated platform for the app users

Duplicate the Windows Domain platform, as described in Add a new platform (duplicate) and give it a meaningful name. For example, WIN-DOM-PSMADMIN-ACCOUNT.

Step 2: Disable the PSM connectors for the platform (optional)

This step is a security best practice.

Open the platform that you have just created for editing, as described in Edit a platform.

In the left pane, expand UI & Workflows > Connection Components, and change Enabled to No for all the PSM connectors.

Step 3: Assign your organization's administrators to the PSM Safe

For this step, you will require the help of CyberArk Support.

  1. Contact CyberArk Support to enable permissions for adding accounts. Support will assign you temporary permissions to manage user access to the PSM Safe.

    When done they will notify you, and you can continue from the next steps.

  2. In the Identity Administration portal, log in with your customer administrator user, create the custom role Privilege Cloud Session Admin, and add the Privilege Cloud Administrators group as a member of it:

    1. In Identity Administration, click Roles and click Add.

    2. Add a new role Privilege Cloud Session Admin and in the Members tab add the Privilege Cloud Administrators group.

      See .

  3. In the Privilege Cloud Portal, assign the Privilege Cloud Session Admin role to the PSM Safe with full permissions:

    1. Access the Safes view, select the PSM Safe, select Members, and click Add Members.

    2. Set the Source field to System Component Users. In the Search field, enter session admin and click Search. In the resulting list, select Privilege Cloud Session Admin and click Next.

    3. In Set Permissions select Full and click Add.

      For details, see Add a Safe member.

      All members of the group Privilege Cloud Administrators are now members of this Safe.

  4. Notify CyberArk Support that the assignment is complete.

  5. CyberArk Support will cancel your Safe management permissions and will instruct you to continue with Create accounts and associate with platform.

Step 4: Create accounts and associate with platform

Create an account for each app user, as described in . When you create the account, do the following:

  1. Select the platform you created in Create a dedicated platform for the app users.

  2. Select the PSM Safe.

  3. When you enter the account properties, under Additional properties, in the Log On To field, enter the NETBIOS name of the domain.

    For example, a domain whose full name is mycompany.com might have the NETBIOS name mycompany_dom, which you would specify in this property.

Step 5: Assign a CPM to the PSM Safe

Open the PSM Safe for editing, as described in  . From the Assign to CPM list, select the CPM that will manage the passwords for the accounts.

Configure PSM to use the new domain accounts

Replace the local accounts defined in the PSM settings with the new domain accounts via the Privilege Cloud Portal.

To configure the PSM server to use the new domain accounts:

  1. In the Privilege Cloud portal, click Administration > Configuration Options.
  2. In the left pane, go to Configurations > Privileged Session Management > Configured PSM Servers > {Server Name} > Connection Details.
  3. Under Connection Details, for each PSM server defined, edit the following properties:

Property

Description

Object

Enter the object name of the PSMConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.

AdminObject

Enter the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.

If you are integrated with Remote Access, update the TS Gateway with the same corresponding Object value.

Edit the basic_psm.ini file

  1. On the PSM server, open the basic_psm.ini file, located by default in:

    C:\Program Files (x86)\Cyberark\PSM

  2. Update PSMServerAdminId with the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.

  3. Restart the PSM service.

Run the PSM Hardening and AppLocker scripts

  1. Open an elevated PowerShell window and navigate to the PSM Hardening directory (usually C:\Program Files (x86)\CyberArk\PSM\Hardening).

  2. Run the following commands:

    1. Execute PSMHardening.ps1 with the following command:

      .\PSMHardening.ps1 -connectionUserName <PSMConnect username> -connectionUserDomain <DomainName> -connectionAdminUserName <PSMAdminConnect username> -connectAdminUserDomain <DomainName>

    2. Execute PSMConfigureAppLocker.ps1 with the following command:

      .\PSMConfigureAppLocker.ps1 -connectionUserName <PSMConnect username> -connectionUserDomain <DomainName> -connectionAdminUserName <PSMAdminConnect username> -connectAdminUserDomain <DomainName>

  3. Restart the PSM machine.

Update the Connector server security group

In the Connector's local security groups (Computer Management > System Tools > Local Users and Groups > Groups, then open the Remote Desktop Users Properties), ensure that Remote Desktop Users contains the new PSM domain accounts:

  • DOMAIN\PSMAdminConnect

  • DOMAIN\PSMConnect

If not, add them locally.

Add applicable accounts to the PSM GPO object

Update the PSM Hardening Group Policy.

If Domain GPOs are not applied, edit the Local Group Policy.

To edit the GPO object:

  1. In the Group Policy Management Console, under Group Policy Objects, right-click the newly created GPO and click Edit.

  2. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. Double-click Allow log on through Remote Desktop Services.
    • If the PSMConnect and PSMAdminConnect users are domain users, add the users with a <Domain> prefix.

    • If the PSMConnect and PSMAdminConnect users were renamed, add the renamed users.

To ensure that unauthorized users do not gain access to the PSM server, make sure that this setting is only allowed for PSMConnect and PSMAdminConnect users and for maintenance users who are required to log on remotely to the PSM server.

Enable local administrators to customize permissions

Adjust the PSM hardening policy to enable local administrators to customize permissions.

To update the PSM hardening policy:

  1. In the Group Policy Management Console, under Group Policy Objects, right-click the PSM hardening GPO and click Edit.
  2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Do not allow local administrators to customize permissions and set the value to Not configured.
  3. In the Registry, check for the following registry key and delete it after updating the GPO.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services --> fWritableTSCCPermTab

Validate PSM functionality

Log on to the Privilege Cloud Portal and validate PSM functionality.

In addition, check the following:

  • Make sure the PSMConnect domain user has access to the shared recording folder, by default PSM\Recordings, with the following special permissions: Create files/write data.

    Make sure that access is allowed for this folder only and does not include subfolders and files.

  • Make sure the PSMConnect domain user is denied all other access rights to the shared recording folder, its subfolders and files. This should have been set by the PSM Hardening Script.

  • Make sure the PSMConnect domain user has access to the components log folder, by default PSM\Logs\Components, and its subfolders, with the following special permissions:

    • Create files/write data

    • List folders/read data
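The following PowerShell script is an added example and not CyberArk's code. It turns the checks above into read-only tests to run on the PSM machine after the migration: the two folder permission sets for the PSMConnect domain user, the local Remote Desktop Users membership from "Update the Connector server security group", the fWritableTSCCPermTab value from "Enable local administrators to customize permissions", and who currently holds "Allow log on through Remote Desktop Services" from the GPO step. The NetBIOS domain name, the user names, the default PSM path and the list of maintenance accounts allowed to log on remotely are assumptions.

```powershell
# Added example (not CyberArk's code): post-migration checks for the PSM machine.
# Assumptions (adjust): NetBIOS domain EXAMPLE, users PSMConnect/PSMAdminConnect,
# default PSM path, and the maintenance accounts permitted to RDP to the server.
$Domain      = 'EXAMPLE'                               # assumption
$PsmRoot     = 'C:\Program Files (x86)\CyberArk\PSM'   # default PSM path
$Connect     = "$Domain\PSMConnect"
$Admin       = "$Domain\PSMAdminConnect"
$Maintainers = @("$Domain\PSM-Maintenance")            # assumption: maintenance accounts allowed to log on remotely

$Rights = [System.Security.AccessControl.FileSystemRights]

function Result([string]$Check, [bool]$Pass) { [pscustomobject]@{ Check = $Check; Pass = $Pass } }

function Get-IdentityAces([string]$Path, [string]$Identity) {
    (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IdentityReference.Value -ieq $Identity }
}

function Test-RdpGroup {
    # Both domain accounts must be in the Connector's local Remote Desktop Users group.
    $names = Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name
    foreach ($u in $Connect, $Admin) { Result "Remote Desktop Users contains $u" ($names -icontains $u) }
}

function Test-RecordingsAcl {
    $aces = Get-IdentityAces (Join-Path $PsmRoot 'Recordings') $Connect
    # Allow Create files/write data on this folder only: no inheritance to subfolders or files.
    $allow = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $Rights::CreateFiles)) -ne 0 -and
        $_.InheritanceFlags -eq 'None'
    }
    # All other access denied, and the deny must reach subfolders and files (set by the hardening script).
    $deny = $aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
    }
    Result 'Recordings: PSMConnect Allow Create files/write data, this folder only' ([bool]$allow)
    Result 'Recordings: PSMConnect Deny ACE covering subfolders and files'          ([bool]$deny)
}

function Test-ComponentsLogAcl {
    # Create files/write data plus List folders/read data, on the folder and its subfolders.
    $needed = $Rights::CreateFiles -bor $Rights::ListDirectory
    $aces = Get-IdentityAces (Join-Path $PsmRoot 'Logs\Components') $Connect
    $ok = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $needed) -eq $needed) -and
        ([int]($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) -ne 0
    }
    Result 'Logs\Components: PSMConnect Allow Create files + List folders, including subfolders' ([bool]$ok)
}

function Test-TsccPermTab {
    # The value must be gone after the GPO was set to Not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $v = Get-ItemProperty -Path $key -Name fWritableTSCCPermTab -ErrorAction SilentlyContinue
    Result 'fWritableTSCCPermTab removed from the Terminal Services policy key' ($null -eq $v)
}

function Test-RemoteLogonRight {
    # Export the effective local security policy and list who holds SeRemoteInteractiveLogonRight
    # (Allow log on through Remote Desktop Services). secedit writes SIDs with a leading '*'.
    $cfg = Join-Path $env:TEMP 'psm-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return Result 'SeRemoteInteractiveLogonRight present in policy export' $false }
    $holders = foreach ($e in (($line -split '=', 2)[1] -split ',')) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try { ([System.Security.Principal.SecurityIdentifier]$e.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $e }   # unresolvable SID: report it as-is so it gets reviewed
        } else { $e }
    }
    $allowed = @($Connect, $Admin) + $Maintainers
    $extra = @($holders | Where-Object { $allowed -inotcontains $_ })
    Result "Remote Desktop logon right limited to expected accounts (unexpected: $($extra -join ', '))" ($extra.Count -eq 0)
}

& { Test-RdpGroup; Test-RecordingsAcl; Test-ComponentsLogAcl; Test-TsccPermTab; Test-RemoteLogonRight } |
    Format-Table -AutoSize -Wrap
```

Every test returns a Check/Pass pair rather than printing, so the same functions can feed a scheduled drift check: a later Pass = False on the Recordings deny ACE or on the logon-right list is exactly the kind of change the hardening step is meant to lock in.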