Move PSM Application Users To The Domain Level (ISPSS) - CyberArk Docs

This document outlines the process for transitioning PSM application users from local to domain accounts, particularly for installations on Windows 2019 or 2022 machines. It details the necessary steps including creating domain users, modifying Active Directory settings, configuring PSM to use new accounts, and ensuring security best practices. Additionally, it emphasizes the importance of managing credentials with CPM and provides instructions for validating PSM functionality post-migration.

Uploaded by

MohamMed Arsh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
96 views17 pages

Move PSM Application Users To The Domain Level (ISPSS) - CyberArk Docs

This document outlines the process for transitioning PSM application users from local to domain accounts, particularly for installations on Windows 2019 or 2022 machines. It details the necessary steps including creating domain users, modifying Active Directory settings, configuring PSM to use new accounts, and ensuring security best practices. Additionally, it emphasizes the importance of managing credentials with CPM and provides instructions for validating PSM functionality post-migration.

Uploaded by

MohamMed Arsh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Move PSM application users to the domain level (ISPSS)

This topic describes how to move the PSM application users from local users to domain users.

Note:

To perform this action, you will need the help of Privilege Cloud Support.

Overview

During PSM installation, the following users are created in the PSM environment on the PSM machine:

  PSMConnect: Starts PSM sessions on the PSM machine.

  PSMAdminConnect: Monitors live privileged sessions.

Note:

We strongly recommend that the PSMConnect and PSMAdminConnect users be managed by CPM, so that their secrets are rotated automatically.

After PSM is installed you can move these users to the domain level.
In some cases the PSM application users cannot remain local users and must be domain
users.

When must I move the PSM application users to the domain level?

You must move them if you installed PSM (the Connector) on a Windows 2019 or 2022 machine and both of the following apply:

  You are working with an RDS CAL per-user license.

  You want to extend PSM sessions beyond one hour.

Create the PSMConnect and PSMAdminConnect users in your domain

Create two users in your domain to replace the local PSMConnect and PSMAdminConnect users.

Note
To support password rotation, the User logon name (pre-Windows 2000) setting must contain fewer than 20 characters.

Make sure that the new domain users both belong to the built-in group called Remote Desktop
Users. This enables them to log on to the PSM machine.

Make sure that the PSM server machine belongs to the domain where the new users are listed.
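The following PowerShell is an added example and is not CyberArk's own code. It creates the two domain users with the constraints listed above (pre-Windows 2000 logon name under 20 characters, membership in Remote Desktop Users, logon restricted to the PSM machine) and assumes the ActiveDirectory RSAT module is available and the session runs as a domain administrator. The target OU and the PSM server name are placeholders.

```powershell
# Added example, not CyberArk's own code. Assumes the ActiveDirectory module (RSAT)
# is installed and the session runs as a domain admin. OU and server name are placeholders.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$TargetOU  = "OU=ServiceAccounts,$($Domain.DistinguishedName)"   # assumption: adjust to your OU
$PsmServer = 'PSMSRV01'                                          # placeholder: NetBIOS name of the PSM machine

function Assert-SamAccountName {
    param([Parameter(Mandatory)][string]$Name)
    # The pre-Windows 2000 logon name must contain fewer than 20 characters,
    # otherwise password rotation by CPM will not work for the account.
    if ($Name.Length -ge 20) {
        throw "SamAccountName '$Name' has $($Name.Length) characters; it must have fewer than 20."
    }
}

function New-PsmAppUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    Assert-SamAccountName -Name $Name

    $user = New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$($Domain.DNSRoot)" `
        -Path $TargetOU -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -Description 'PSM application user' -PassThru

    # Account tab > Log On To: only the PSM machine may be used for interactive logon
    Set-ADUser -Identity $user -LogonWorkstations $PsmServer

    # Membership in the built-in Remote Desktop Users group is what lets the
    # account log on to the PSM machine over RDP
    Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $user
    return $user
}

# Usage: the initial password is entered interactively and later taken over by CPM
$pw = Read-Host -Prompt 'Initial password for the PSM application user' -AsSecureString
New-PsmAppUser -Name 'PSMConnect'      -Password $pw
New-PsmAppUser -Name 'PSMAdminConnect' -Password $pw
```

The section Update the Connector server security group later verifies that the same two accounts are also present in the local Remote Desktop Users group on the PSM machine itself, so the domain-side membership added here is only half of the requirement.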

Modify the domain users in Active Directory

Modify the Active Directory settings for the PSMConnect and PSMAdminConnect domain users that you created.

PSMConnect

1. In the domain controller, display the Properties window for the PSMConnect domain user.

2. In the Environment tab, do the following:

  Start the following program at logon: Select this check box.

  Program file name: Enter the full path of PSMInitSession.exe. The default full path is:
  C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe

  Start in: Enter the path from which PSMInitSession.exe will be run. The default location is:
  C:\Program Files (x86)\CyberArk\PSM\Components

  Client devices: Clear all check boxes.

3. In the Remote Control tab, do the following:

  Enable remote control: Select this check box.

  Require user's permission: Clear this check box.

  Level of Control: Select an option to determine whether other users can monitor or control the PSMConnect domain user's sessions:
    View the user's session: Enables live monitoring of PSM sessions.
    Interact with the session: Enables live monitoring and taking over PSM sessions.

4. In the Account tab, do the following:

  a. Click Log On To to limit the PSMConnect domain user to logging on to PSM servers only. On the Logon Workstations page, select The following computers, then click Add to add the PSM machine.

  b. In the Account options section, select Password never expires.

  c. Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM (Secrets Rotation). Associate a reconcile account with the platform to ensure successful password rotation. See manage accounts.
5. In the Sessions tab, do the following:

  End a disconnected session: Select 1 minute.

  Active session limit: Select Never.

  Disconnect from session: Select this option.

  From originating client only: Select this option.

PSMAdminConnect

1. In the domain controller, display the Properties window for the PSMAdminConnect domain user.

2. In the Environment tab, do the following:

  Start the following program at logon: Select this option.

  Program file name: Enter the full path of PSMInitSession.exe. The default full path is:
  C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe

  Start in: Enter the folder from which you want to run PSMInitSession.exe. The default location is:
  C:\Program Files (x86)\CyberArk\PSM\Components

  Client devices: Clear all check boxes.

3. In the Remote Control tab, do the following:

  Enable remote control: Select this check box.

  Require user's permission: Clear this check box.

  Level of Control: Select the option that determines whether other users can monitor or control the PSMConnect domain user's sessions:
    View the user's session: Enables live monitoring of PSM sessions.
    Interact with the session: Enables live monitoring and taking over PSM sessions.

4. In the Account tab, do the following:

  a. Click Log On To.

  b. In the Logon Workstations window, select The following computers, click Add to add the PSM machine, and then click OK.

  c. Select Password never expires.

Caution
Due to the sensitivity of the PSMConnect and PSMAdminConnect credentials, CyberArk strongly recommends, as a security best practice, that their credentials be managed by the CPM (Secrets Rotation). Associate a reconcile account with the platform to ensure successful password rotation. See manage accounts.
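The Environment, Remote Control and Sessions tab settings described above for both users are stored in the user object's Terminal Services attributes, so they can be applied consistently from PowerShell instead of clicking through two Properties dialogs. The script below is an added example, not CyberArk's code; it uses the IADsTSUserEx interface reached through the [ADSI] accelerator, and the property names and numeric values in the comments are those of that interface. The PSM paths are the defaults from this page; RSAT and domain-admin rights are assumed.

```powershell
# Added example, not CyberArk's own code. Sets the Environment / Remote Control /
# Sessions tab values on a PSM application user via the IADsTSUserEx interface.
# Assumes RSAT (ActiveDirectory module) and a domain-admin session.
Import-Module ActiveDirectory

$PsmInitSession = 'C:\Program Files (x86)\CyberArk\PSM\Components\PSMInitSession.exe'   # default from this page
$PsmComponents  = 'C:\Program Files (x86)\CyberArk\PSM\Components'

function Set-PsmUserRdsSettings {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # 'Interact' = other users may take over the session; 'View' = live monitoring only
        [ValidateSet('View', 'Interact')][string]$LevelOfControl = 'Interact'
    )
    $dn   = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $user = [ADSI]"LDAP://$dn"

    # Environment tab: start PSMInitSession.exe at logon, no client device redirection
    $user.psbase.InvokeSet('TerminalServicesInitialProgram', $PsmInitSession)
    $user.psbase.InvokeSet('TerminalServicesWorkDirectory',  $PsmComponents)
    $user.psbase.InvokeSet('ConnectClientDrivesAtLogon',     0)
    $user.psbase.InvokeSet('ConnectClientPrintersAtLogon',   0)
    $user.psbase.InvokeSet('DefaultToMainPrinter',           0)

    # Remote Control tab: enabled, "Require user's permission" cleared.
    # EnableRemoteControl: 2 = interact without notification, 4 = view only without notification
    $remoteControl = if ($LevelOfControl -eq 'Interact') { 2 } else { 4 }
    $user.psbase.InvokeSet('EnableRemoteControl', $remoteControl)

    # Sessions tab: end a disconnected session after 1 minute, no active session limit,
    # disconnect (not end) the session on a broken connection, reconnect from the originating client only
    $user.psbase.InvokeSet('MaxDisconnectionTime',   60000)   # milliseconds
    $user.psbase.InvokeSet('MaxConnectionTime',      0)       # 0 = Never
    $user.psbase.InvokeSet('BrokenConnectionAction', 0)       # 0 = Disconnect from session
    $user.psbase.InvokeSet('ReconnectionAction',     1)       # 1 = From originating client only
    $user.SetInfo()

    # Return the effective values so the change can be reviewed in the same session
    [pscustomobject]@{
        User           = $SamAccountName
        InitialProgram = $user.psbase.InvokeGet('TerminalServicesInitialProgram')
        RemoteControl  = $user.psbase.InvokeGet('EnableRemoteControl')
        DisconnectMs   = $user.psbase.InvokeGet('MaxDisconnectionTime')
    }
}

# Usage: apply the same settings to both application users
Set-PsmUserRdsSettings -SamAccountName 'PSMConnect'      -LevelOfControl Interact
Set-PsmUserRdsSettings -SamAccountName 'PSMAdminConnect' -LevelOfControl Interact
```

The Account tab items (Log On To and Password never expires) are ordinary user attributes rather than Terminal Services ones; they are set with New-ADUser / Set-ADUser as in the user-creation example earlier on this page, not through this interface.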

Harden the Active Directory settings for the new domain users (optional)

We recommend that you follow these best practices for limiting the domain users and enhancing their security level.

Deny the PSMConnect and PSMAdminConnect domain users from reading and listing all descendant Active Directory objects

1. In Active Directory, display the Active Directory Users and Computers window. Right-click the domain to which the PSM users belong and select Properties.

2. In the Properties window, in the Security tab, click Advanced.

3. In the Advanced Security Settings window, add the PSMConnect and PSMAdminConnect domain users, then click Permission Entry.

4. In the Permission Entry window, from the Apply to drop-down list, select All descendant objects, then deny the following permissions:
   List contents
   Read all properties

As a result of the above procedure, user group policies cannot be applied for these users. If you still choose to deny these permissions for the PSMConnect and PSMAdminConnect domain users, deny them permission to list contents and read all properties on every Active Directory OU apart from CN=System/CN=Policies (which can be accessed through the ADSI Edit tool).
Enable the PSMConnect and PSMAdminConnect domain users to log on to the PSM machine only

In Modify the domain users in Active Directory, PSMConnect and PSMAdminConnect are enabled to log on to PSM machines. We recommend denying these users access to other domain machines.

In a Group Policy that is applied to every machine in the domain except the PSM server, add a Deny rule that prevents the PSMConnect and PSMAdminConnect domain users from logging on to domain machines.

Create Windows Domain accounts in the Privilege Cloud portal

Log on to the Privilege Cloud portal with your Privilege Cloud admin credentials.

Step 1: Create a dedicated platform for the app users

Duplicate the Windows Domain platform, as described in Add a new platform (duplicate), and give it a meaningful name, for example WIN-DOM-PSMADMIN-ACCOUNT.

Step 2: Disable the PSM connectors for the platform (optional)

This step is a security best practice.

Open the platform that you have just created for editing, as described in Edit a platform.

In the left pane, expand UI & Workflows > Connection Components, and change Enabled to No for all the PSM connectors.

Step 3: Assign your organization's administrators to the PSM Safe

For this step, you will require the help of CyberArk Support.

1. Contact CyberArk Support to enable permissions for adding accounts. Support will assign you temporary permissions to manage user access to the PSM Safe. When done, they will notify you, and you can continue with the next steps.

2. In the Identity Administration portal, log in using your customer administrator user, create the custom role Privilege Cloud Session Admin and add the Privilege Cloud Administrators group as a member:

   a. In Identity Administration, click Roles and click Add.

   b. Add a new role named Privilege Cloud Session Admin and, in the Members tab, add the Privilege Cloud Administrators group.

3. In the Privilege Cloud Portal, assign the Privilege Cloud Session Admin role to the PSM Safe with full permissions:

   a. In the Safes view, select the PSM Safe, select Members and click Add Members.

   b. Set the Source field to System Component Users. In the Search field, enter session admin and click Search. In the resulting list, select Privilege Cloud Session Admin and click Next.

   c. In Set Permissions, select Full and click Add.

   For details, see Add a Safe member.

   All members of the group Privilege Cloud Administrators are now members of this Safe.

4. Notify CyberArk Support that the assignment is complete.

5. CyberArk Support will cancel your Safe management permissions and will instruct you to continue with Create accounts and associate with platform.

Step 4: Create accounts and associate with platform

Create an account for each app user, as described in Add an account. When you create the account, do the following:

1. Select the platform you created in Create a dedicated platform for the app users.

2. Select the PSM Safe.

3. When you enter the account properties, under Additional properties, in the Log On To field, enter the NetBIOS name of the domain. For example, a domain whose full name is mycompany.com might have the NetBIOS name mycompany_dom, which you would specify in this property.

Step 5: Assign a CPM to the PSM Safe

Open the PSM Safe for editing, as described in Manage Safes. From the Assign to CPM list, select the CPM that will manage the passwords for the accounts.

Configure PSM to use the new domain accounts

Replace the local accounts defined in the PSM settings with the new domain accounts via the Privilege Cloud Portal.

To configure the PSM server to use the new domain accounts:

1. In the Privilege Cloud portal, click Administration > Configuration Options.

2. In the left pane, go to Configurations > Privileged Session Management > Configured PSM Servers > {Server Name} > Connection Details.

3. Under Connection Details, for each PSM server defined, edit the following properties:

  Object: Enter the object name of the PSMConnect account, as defined in the Account Name field in the Account Details page in the Privilege Cloud Portal.

  AdminObject: Enter the object name of the PSMAdminConnect account, as defined in the Account Name field in the Account Details page in the Privilege Cloud Portal.

Note
If you are integrated with Remote Access, update the TS Gateway with the same corresponding Object value.

Edit the basic_psm.ini file

1. On the PSM server, open the basic_psm.ini file, located by default in:
   C:\Program Files (x86)\CyberArk\PSM

2. Update PSMServerAdminId with the object name of the PSMAdminConnect account, as defined in the Name field in the Account Details page in the Privilege Cloud Portal.

3. Restart the PSM service.
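The three steps above can be done in one elevated PowerShell session on the PSM server; the script below is an added example and is not CyberArk's own code. It replaces only the PSMServerAdminId line, keeps a timestamped backup of the file and refuses to write if the key is absent. The install path is the default from this page; the service display name used for the restart is an assumption that you should confirm with Get-Service on your server.

```powershell
# Added example, not CyberArk's own code. Run elevated on the PSM server.
$IniPath        = 'C:\Program Files (x86)\CyberArk\PSM\basic_psm.ini'   # default location
$PsmServiceName = 'Cyber-Ark Privileged Session Manager'               # assumption: confirm with Get-Service

function Set-IniValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $lines   = Get-Content -LiteralPath $Path
    $pattern = "^\s*$([regex]::Escape($Key))\s*="
    $matched = $false

    # Rewrite only the line that carries the key; every other line is kept byte-for-byte
    $updated = foreach ($line in $lines) {
        if ($line -match $pattern) { $matched = $true; "$Key=$Value" } else { $line }
    }
    if (-not $matched) { throw "Key '$Key' not found in $Path; nothing was changed." }

    # Keep a backup before touching a file the PSM service depends on at start-up
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup
    Set-Content -LiteralPath $Path -Value $updated
    return [pscustomobject]@{ File = $Path; Key = $Key; NewValue = $Value; Backup = $backup }
}

# Usage: the value is the object name of the PSMAdminConnect account as shown in the
# Account Details page of the Privilege Cloud Portal (placeholder below)
Set-IniValue -Path $IniPath -Key 'PSMServerAdminId' -Value 'PSMAdminConnect-DomainObjectName'
Restart-Service -DisplayName $PsmServiceName
```

After the restart, confirm the service is running with Get-Service -DisplayName $PsmServiceName before moving on to the hardening scripts.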

Run the PSM Hardening and AppLocker scripts

1. Open an elevated PowerShell window and navigate to the PSM Hardening directory (usually C:\Program Files (x86)\CyberArk\PSM\Hardening).

2. Run the following commands:

   a. Execute PSMHardening.ps1 with the following command:

      .\PSMHardening.ps1 -connectionUserName <PSMConnect username> -connectionUserDomain <DomainName> -connectionAdminUserName <PSMAdminConnect username> -connectionAdminUserDomain <DomainName>

   b. Execute PSMConfigureAppLocker.ps1 with the following command:

      .\PSMConfigureAppLocker.ps1 -connectionUserName <PSMConnect username> -connectionUserDomain <DomainName> -connectionAdminUserName <PSMAdminConnect username> -connectionAdminUserDomain <DomainName>

3. Restart the PSM machine.

Update the Connector server security group

In the Connector's local security group (Computer Management > System Tools > Local Users and Groups > Groups, then open Remote Desktop Users > Properties), ensure that Remote Desktop Users contains the new PSM domain accounts:

  DOMAIN\PSMAdminConnect

  DOMAIN\PSMConnect

If not, add them locally.
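The same check, and the fix if an account is missing, as an added PowerShell example rather than CyberArk's own code. Run it in an elevated session on the PSM (Connector) server; the NetBIOS domain name and the two account names are placeholders.

```powershell
# Added example, not CyberArk's own code. Run elevated on the PSM (Connector) server.
$NetbiosDomain = 'MYCOMPANY'   # placeholder: NetBIOS name of your domain
$PsmAccounts   = @("$NetbiosDomain\PSMConnect", "$NetbiosDomain\PSMAdminConnect")

function Confirm-RemoteDesktopUsers {
    param(
        [Parameter(Mandatory)][string[]]$Accounts,
        # Without -Fix the function only reports; with -Fix it adds missing accounts
        [switch]$Fix
    )
    # Get-LocalGroupMember returns names in DOMAIN\user form, which is what we compare against
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name)

    foreach ($account in $Accounts) {
        if ($members -contains $account) {
            [pscustomobject]@{ Account = $account; Status = 'present' }
        }
        elseif ($Fix) {
            Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $account
            [pscustomobject]@{ Account = $account; Status = 'added' }
        }
        else {
            [pscustomobject]@{ Account = $account; Status = 'MISSING' }
        }
    }
}

# Usage: report first, then add whatever is missing
Confirm-RemoteDesktopUsers -Accounts $PsmAccounts
# Confirm-RemoteDesktopUsers -Accounts $PsmAccounts -Fix
```

Because the list of members is captured once at the start, a second run after -Fix is the cleanest confirmation that both accounts now show as present.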

Add applicable accounts to the PSM GPO object

Update the PSM Hardening Group Policy.

Note
If Domain GPOs are not applied, edit the Local Group Policy.

To edit the GPO object:

1. In the Group Policy Management Console, under Group Policy Objects, right-click the newly created GPO and click Edit.

2. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

3. Double-click Allow log on through Remote Desktop Services.

   If the PSMConnect and PSMAdminConnect users are domain users, add the users with a <Domain> prefix.

   If the PSMConnect and PSMAdminConnect users were renamed, add the renamed users.

   To ensure that unauthorized users do not gain access to the PSM server, make sure that this right is granted only to the PSMConnect and PSMAdminConnect users and to the maintenance users who are required to log on remotely to the PSM server.

Enable local administrators to customize permissions

Adjust the PSM hardening policy to enable local administrators to customize permissions.

To update the PSM hardening policy:

1. In the Group Policy Management Console, under Group Policy Objects, right-click the PSM hardening GPO and click Edit.

2. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Do not allow local administrators to customize permissions, and set the value to Not configured.

3. In the Registry, check for the following registry value and delete it after updating the GPO:

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fWritableTSCCPermTab
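Step 3 as an added PowerShell example (not CyberArk's code): it reports whether the policy value is still present, removes it if so, and re-checks after a policy refresh, because a value that comes back after gpupdate means the GPO edit in step 2 has not taken effect yet.

```powershell
# Added example, not CyberArk's own code. Run elevated on the PSM server after editing the GPO.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fWritableTSCCPermTab'

function Get-TsccPermTabPolicy {
    # Returns the current value, or $null when the policy value is not set
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Remove-TsccPermTabPolicy {
    $before = Get-TsccPermTabPolicy
    if ($null -eq $before) {
        return [pscustomobject]@{ Found = $false; Removed = $false; ReturnedAfterRefresh = $false }
    }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName

    # A policy-backed value is re-created on the next refresh if the GPO still sets it;
    # forcing a refresh here turns that into an immediate, visible result
    gpupdate.exe /target:computer /force | Out-Null
    $after = Get-TsccPermTabPolicy

    return [pscustomobject]@{
        Found                = $true
        PreviousValue        = $before
        Removed              = $true
        ReturnedAfterRefresh = ($null -ne $after)
    }
}

# Usage
Remove-TsccPermTabPolicy
```

ReturnedAfterRefresh = True tells you to go back to the GPO and confirm that Do not allow local administrators to customize permissions is really at Not configured in the policy that applies to this server.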

Configure the Remote Desktop Session on the PSM server

Adjust the permissions of the PSMAdminConnect domain user so that it can monitor and control the PSMConnect domain user.

Note
The value of the DOMAINNAME parameter in the commands below must be the NetBIOS name.

To configure the RDS:

1. From a command line, run the wmic tool to connect to the PSM server.

2. Add the DOMAIN\PSMAdminConnect object to the PermissionsSetting in the RDP-Tcp options, using the following command:

   wmic.exe /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "DOMAINNAME\PSMAdminConnect",0

3. Add the Remote Control permission for the PSMAdminConnect user, using the following command:

   wmic.exe /namespace:\\root\cimv2\TerminalServices PATH Win32_TSAccount WHERE "TerminalName='RDP-Tcp' AND AccountName='DOMAINNAME\\PSMAdminConnect'" CALL ModifyPermissions TRUE,4

4. Restart the PSM server.
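The two wmic calls above invoke the AddAccount method of Win32_TSPermissionsSetting and the ModifyPermissions method of Win32_TSAccount; wmic passes CALL arguments in alphabetical parameter order, which is why ModifyPermissions reads TRUE,4 (Allow, PermissionMask). The following is an added example, not CyberArk's code, that performs the same two operations with the CIM cmdlets, checks each method's return value and returns the resulting RDP-Tcp entry so it can be verified before the restart. DOMAINNAME is a placeholder and must be the NetBIOS name.

```powershell
# Added example, not CyberArk's own code. Run elevated on the PSM server.
$Account   = 'DOMAINNAME\PSMAdminConnect'        # placeholder: NetBIOS domain name
$Namespace = 'root\CIMV2\TerminalServices'

function Grant-PsmRemoteControl {
    param([Parameter(Mandatory)][string]$AccountName)

    # Step 2: add the account to the RDP-Tcp permissions (PermissionPreSet 0, as in the wmic command)
    $setting = Get-CimInstance -Namespace $Namespace -ClassName Win32_TSPermissionsSetting `
                               -Filter "TerminalName='RDP-Tcp'"
    $r = Invoke-CimMethod -InputObject $setting -MethodName AddAccount `
                          -Arguments @{ AccountName = $AccountName; PermissionPreSet = 0 }
    if ($r.ReturnValue -ne 0) { throw "AddAccount failed with return value $($r.ReturnValue)" }

    # Inside the WQL filter a backslash must be doubled, exactly as in the wmic command
    $escaped = $AccountName -replace '\\', '\\'
    $filter  = "TerminalName='RDP-Tcp' AND AccountName='$escaped'"

    # Step 3: allow the Remote Control permission (PermissionMask 4, Allow = TRUE)
    $acct = Get-CimInstance -Namespace $Namespace -ClassName Win32_TSAccount -Filter $filter
    if ($null -eq $acct) { throw "Account '$AccountName' not found on RDP-Tcp after AddAccount" }
    $r = Invoke-CimMethod -InputObject $acct -MethodName ModifyPermissions `
                          -Arguments @{ PermissionMask = 4; Allow = $true }
    if ($r.ReturnValue -ne 0) { throw "ModifyPermissions failed with return value $($r.ReturnValue)" }

    # Return the entry as it now stands so the change can be reviewed before the restart
    Get-CimInstance -Namespace $Namespace -ClassName Win32_TSAccount -Filter $filter |
        Select-Object AccountName, PermissionsAllowed, PermissionsDenied
}

# Usage
Grant-PsmRemoteControl -AccountName $Account
```

PermissionsAllowed in the returned object is a bitmask; bit 4 set confirms that Remote Control was granted, which is what the PSMAdminConnect user needs to monitor and take over PSMConnect sessions.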

Validate PSM functionality

Log on to the Privilege Cloud Portal and validate PSM functionality.

In addition, check the following:

  Make sure the PSMConnect domain user has access to the shared recording folder, by default PSM\Recordings, with the following special permission: Create files/write data. Make sure that this access is allowed for the folder only and does not include subfolders and files.

  Make sure the PSMConnect domain user is denied all other access rights to the shared recording folder, its subfolders and files. This should have been set by the PSM Hardening script.

  Make sure the PSMConnect domain user has access to the components log folder, by default PSM\Logs\Components, and its subfolders, with the following special permissions:
    Create files/write data
    List folders/read data
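Those three ACL checks are easy to get wrong by eye in the Advanced Security dialog, so here they are as an added PowerShell example (not CyberArk's code) that reads the ACLs on the two folders and reports deviations. In .NET terms "Create files/write data" is FileSystemRights.WriteData and "List folders/read data" is FileSystemRights.ReadData; "This folder only" corresponds to InheritanceFlags None, while "this folder, subfolders and files" is ContainerInherit plus ObjectInherit. The install root is the default from this page and the account name is a placeholder.

```powershell
# Added example, not CyberArk's own code. Run on the PSM server.
$PsmRoot  = 'C:\Program Files (x86)\CyberArk\PSM'   # default install root
$Identity = 'MYCOMPANY\PSMConnect'                   # placeholder: NetBIOS domain \ user

function Test-PsmFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$ExpectedRights,
        [switch]$IncludeSubfoldersAndFiles,   # expected scope: folder only, or folder + subfolders + files
        [switch]$ExpectDeny                   # the hardening script should also have left a Deny entry
    )
    $access = (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IdentityReference.Value -ieq $Identity }
    $allow  = @($access | Where-Object AccessControlType -eq 'Allow')
    $deny   = @($access | Where-Object AccessControlType -eq 'Deny')
    $issues = @()

    if ($allow.Count -ne 1) { $issues += "expected exactly one Allow entry for $Identity, found $($allow.Count)" }

    foreach ($ace in $allow) {
        # Windows adds Synchronize to every Allow entry implicitly, so ignore it when comparing
        $sync    = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
        $granted = [int]$ace.FileSystemRights -band (-bnot $sync)
        if ($granted -ne [int]$ExpectedRights) {
            $issues += "rights are '$($ace.FileSystemRights)', expected '$ExpectedRights'"
        }
        $expectedFlags = if ($IncludeSubfoldersAndFiles) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        if ("$($ace.InheritanceFlags)" -ne $expectedFlags) {
            $issues += "applies to '$($ace.InheritanceFlags)', expected '$expectedFlags'"
        }
    }
    if ($ExpectDeny -and $deny.Count -eq 0) {
        $issues += "no Deny entry for $Identity; other rights are not explicitly denied"
    }

    [pscustomobject]@{ Path = $Path; Compliant = ($issues.Count -eq 0); Issues = $issues }
}

# Recordings: Create files/write data on this folder only, everything else denied
Test-PsmFolderAcl -Path "$PsmRoot\Recordings" -Identity $Identity -ExpectedRights WriteData -ExpectDeny

# Logs\Components: Create files/write data + List folders/read data, including subfolders and files
Test-PsmFolderAcl -Path "$PsmRoot\Logs\Components" -Identity $Identity `
                  -ExpectedRights 'WriteData, ReadData' -IncludeSubfoldersAndFiles
```

A non-compliant Recordings result usually means the hardening script was run before the domain accounts were in place, in which case rerunning PSMHardening.ps1 with the domain parameters shown earlier on this page is the fix rather than hand-editing the ACL.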
