Hello all,
I am setting up MIM PAM in my lab environment and I am unable to make it work in the way described.
CORP forest: one DC Windows 2012 R2
PRIV forest: one DC Windows 2016 TP5 with MIM 2016 SP1 PAM feature only
I have enabled the PAM optional feature in the PRIV forest. I have followed the deployment guide several times (https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) and here is my problem.
When I run the New-PAMgroup command I get the ms-ds-shadowPrincipal created, but not the AD group itself. The PAMgroup has the same sourceAccountSID and privAccountSID. It is listed as NOT ACTIVE.
When I run Set-PAMgroup to set the group active it runs, and even with verbose no problems are reported, but the problem remains. The PAMgroup is not active.
Next, what I tried is to activate a user's role which has the privileges of the above group, which is a shadow group of the group listed as a member of Domain Admins in the CORP forest. I activated the role and tried to log on to the CORP domain, wanting to have Domain Admin privileges. Even more odd is that whoami /groups lists the CORP nested groups, but the user doesn't have Domain Admin privileges. Lastly, I have also run ntdsutil group membership evaluation while the role is active and I do not see that the user is a member of the group. In theory this shouldn't be seen through ntdsutil, but I wanted to see what I would get.
Lastly, please do not ask me if I have followed the deployment guide, because I did, several times. So here are my questions:
1. Why don't I have an AD group created along with the ms-ds-shadowPrincipal?
2. Why is the PAMgroup listing the same SID from the CORP forest as both the source and priv account SID?
3. How does the solution utilise SID history? Unless the group I don't get should have it, which would make the most sense of all.
In Event Viewer on the MIM server I have:
"Time bound membership has not been enabled in the PRIV forest." This is also something I do not know how to enable.
Thanks for any advice.
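As an added check that is not part of the original post: the following PowerShell, run on the PRIV forest DC with the Windows Server 2016 ActiveDirectory module, verifies whether the PAM optional feature is really enabled at forest scope (the condition behind the "Time bound membership has not been enabled" event) and lists the shadow principals with their source SIDs and time-bound members. The forest name is a placeholder assumption.

```powershell
# Added example, not the poster's code. Run on the PRIV forest DC.
Import-Module ActiveDirectory
$privForest = 'priv.example.test'   # placeholder: replace with the PRIV forest FQDN

# 1. Is the PAM optional feature enabled at forest scope? EnabledScopes is
#    empty when the feature exists in the schema but was never enabled.
$feature = Get-ADOptionalFeature -Server $privForest `
    -Filter 'Name -like "Privileged Access Management*"'
if (-not $feature) {
    throw "PAM optional feature not found; check the forest functional level (2016 required)."
}
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Warning "PAM feature is not enabled in $privForest; enabling it (cannot be disabled again)."
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $privForest -Confirm:$false
} else {
    "PAM feature already enabled at: $($feature.EnabledScopes -join '; ')"
}

# 2. Inspect the shadow principals created by New-PAMGroup: the SID of the
#    shadowed CORP group and any time-bound (TTL) memberships.
$configNC  = (Get-ADRootDSE -Server $privForest).configurationNamingContext
$container = "CN=Shadow Principal Configuration,CN=Services,$configNC"
Get-ADObject -Server $privForest -SearchBase $container `
    -Filter 'objectClass -eq "msDS-ShadowPrincipal"' `
    -Properties member, 'msDS-ShadowPrincipalSid' -ShowMemberTimeToLive |
  ForEach-Object {
    [pscustomobject]@{
      Name      = $_.Name
      SourceSid = $_.'msDS-ShadowPrincipalSid'   # SID of the CORP group being shadowed
      Members   = @($_.member) -join '; '        # entries carry <TTL=seconds> when time-bound
    }
  }
```

If the feature shows as enabled but members never carry a TTL, look at the MIM service account's rights on the Shadow Principal Configuration container before re-running the deployment steps.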