
Windows on-prem workload bootstrap Error

Nagendra
New Contributor II
Hi Team,
 
We are experiencing difficulties bootstrapping Windows on-prem workloads. If anyone has any comments or suggestions, please reply to us.
 
1. We are in the process of bootstrapping a Windows on-prem workload. Before bootstrapping, we are attempting to import the accounts. While importing the accounts, we observe that the account task is running for the user who initiated the import job, and the account for that user is created/imported under the workload. Can you please confirm if this is the expected behavior?
 
2. Do we need to manually create the credential and credentialless shared accounts (as mentioned in the PAM_CONFIG) on the target endpoint system, or will Saviynt create the accounts on the endpoint during the bootstrap process?
 
Regards,
Nagendra
3 REPLIES

NageshK
Saviynt Employee

@Nagendra Thanks for posting your question. Your first question is not clear. Are you asking if the account import process will associate the accounts to the user who triggered the job? No, that is not how it works. Also, the PAM Bootstrap job will internally trigger account import and pull in the accounts from the target system where the target system is Linux, Windows or a database. However, if you are looking for correlating accounts to the users, then you will have to trigger account import separately.

For the second question: Yes, the accounts mentioned in PAM_CONFIG's IDQuery* sections should be present in the target prior to the bootstrap. Saviynt will not create them.

Thanks,

Nagesh K

Nagendra
New Contributor II

@NageshK Thanks for replying.

Regarding the first question: we observed that when bootstrapping an on-premises Windows workload, a new connection, SS, and EP were created. However, within the newly created Windows endpoint, an account named "<User>" was created as "FIREFIGHTERID". "<User>" refers to the person who executed the pambootstrap job. Is this the intended behavior?

NageshK
Saviynt Employee

@Nagendra That is not expected. After bootstrap you are expected to see the accounts, at least one local account that is present on the server. The account with <user> is probably due to a JIT launch that someone might have performed post the bootstrap. Do you see this server showing up for request? And what is the PAM State of the endpoint? (You will find this in the PAM Attributes tab of the Endpoint.)

Thanks,

Nagesh K