13 thoughts on “MIM 2016: Setting up Privileged Access Management (PAM) in an existing Forest using the built-in PAM Tool”

  1. Pingback: MIM 2016 and PAM Goodness - Scott Eastin

  2. Thanks for this beautifully written article.
    Still one doubt: how did you choose the users? In your scenario I agree we are already using MIM for a lot of other things like Provisioning. But if someone is not doing the same, then we need to run the new-pamuser cmd. Let me know if I am right?


  3. Hello,

    Thank you for a wonderful post.

    I have a question. In my scenario I have a main forest abc.no and a child domain pqr.abc.no (this is where all the users are stored). As a part of PAM I created a bastion forest xyz.priv and have a separate MIM.
    When establishing a trust, do I need to establish it between abc.no and xyz.priv or between the child domain and xyz.priv?
    I am actually confused here: if I do it at forest level, will the trust extend to the child domain, as all users are there and all the IT admins as well?
    Please assist.


  4. Hi Ike, I have set all this up, and while the groups are being updated, the component service removes the user before the expiration of the request. Any ideas?


    • Wow, thanks for coming back so quickly. The TTL is set to 3600 (1 hour). I haven't changed the default polling time, so it should be 10 minutes. I will confirm the system clock, though I have been making the requests directly from the MIM server.

      Do you know of any way to log the actions of the component service? Or how it determines when to remove the user?


      • Thanks for the pointer – I fell for the old gotcha in a Dev environment – I hadn't updated the time zone in the MIM Portal. I have since tested, and it's working as expected.


  5. Unfortunately there is no option to log the component service. Take a look at my GitHub tool; it has more explanation. The component monitors the expiration time attribute of the PAM request. You have to see what the time stamp is on that attribute; that will give you an idea of how MIM is calculating the expiration time and whether it's what you expect.

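As an added example (not the author's GitHub tool and not part of the original thread), a small PowerShell diagnostic that does the check described in the reply above: it reads the expiration time stamp MIM wrote on each PAM request and compares it with creation time plus the requested TTL, so a time-zone or clock mismatch shows up as a fixed offset. It assumes the MIMPAM module is installed on the PAM server and that Get-PAMRequest returns objects with RequestID, CreationTime, ExpirationTime and RequestedTTL properties (attribute names assumed from the MIM Service PAM Request schema).

```powershell
# Assumed: MIMPAM module available and run on the PAM (bastion) MIM server.
Import-Module MIMPAM

function Test-PamRequestExpiration {
    param(
        [Parameter(Mandatory)] $Request,      # one object returned by Get-PAMRequest
        [int] $PollingSeconds = 600           # component service default polling interval (10 minutes)
    )
    # Property names below are assumed from the PAM Request schema.
    $created  = [datetime]$Request.CreationTime
    $expires  = [datetime]$Request.ExpirationTime
    $ttl      = [int]$Request.RequestedTTL   # seconds, e.g. 3600 for a one-hour request
    $expected = $created.AddSeconds($ttl)
    $delta    = $expires - $expected          # what MIM wrote minus what we expected

    [pscustomobject]@{
        RequestID          = $Request.RequestID
        CreationTime       = $created
        ExpirationTime     = $expires
        ExpectedExpiration = $expected
        DeltaMinutes       = [math]::Round($delta.TotalMinutes, 1)
        # A non-zero delta that is a whole number of half-hours points at a
        # time-zone mismatch (e.g. MIM Portal time zone) rather than at TTL or polling.
        LikelyTimeZoneSkew = ($delta.TotalMinutes -ne 0) -and (($delta.TotalMinutes % 30) -eq 0)
        ServerUtcOffset    = [TimeZoneInfo]::Local.BaseUtcOffset
        # The component service removes membership on its next poll after expiry,
        # so removal may be late by up to one polling interval, but never early.
        LatestRemoval      = $expires.AddSeconds($PollingSeconds)
    }
}

# Evaluate every request PAM currently knows about; pass -Request for a single one.
Get-PAMRequest | ForEach-Object { Test-PamRequestExpiration -Request $_ } | Format-Table -AutoSize
```

If DeltaMinutes is non-zero for every request by the same amount, compare ServerUtcOffset with the time zone configured in the MIM Portal before touching TTL or polling settings.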

  6. Hi Ike… We have set up a greenfield environment for the PAM Bastion. We are not shadowing users from Corp… all privileged accounts are created in the Bastion. To save privileged users logging in through jump servers to check if they have requests to approve or to see if their requests have been approved, how can PAM be configured to send notifications to the various actors? We are planning to implement an SMTP gateway in the Bastion.
    Thanks, Jeff.

