Installing the PAM360 Agent in Endpoints via Windows Group Policy Objects (GPO)

This document details the steps needed to install the PAM360 Agent in multiple endpoints using Windows Group Policy Objects (GPO). Click here to download the PAM360-Agent-Script zip file. Unzip the file and extract the PAM360AgentInstallationScript.ps1 and PAM360AgentUninstallationScript.ps1 files.

After downloading the file, verify that its SHA256 checksum matches the value below:
SHA256 Checksum:  
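
One way to perform this check in PowerShell before extracting the archive. This is an added example, not part of the vendor's scripts; the function name, the zip file name and the download folder are assumptions, and the expected checksum is a placeholder to be replaced with the published value.

```powershell
# Added example: verify the downloaded archive and refuse to extract it on mismatch.
function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Normalise copy/paste differences (whitespace, letter case) before comparing.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-character SHA256 hex string."
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "Checksum mismatch for $Path (got $actual). Do not extract or deploy this file."
    }
    return $true
}

# Assumed file name and location; placeholder checksum (fails closed until replaced).
$zip = Join-Path $env:USERPROFILE 'Downloads\PAM360-Agent-Script.zip'
if (Test-DownloadChecksum -Path $zip -ExpectedSha256 '<SHA256 from the download page>') {
    Expand-Archive -LiteralPath $zip -DestinationPath (Join-Path $env:USERPROFILE 'Downloads\PAM360-Agent-Script')
}
```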

Prerequisites

  • Refer to the steps detailed in this help page, download the PAM360 agent installation zip from the PAM360 interface, and copy the Agent Key. Save the key in a secure location—this must be added to the PAM360 PowerShell script later.
  • If you already have agents installed in the endpoints, follow these steps to uninstall the agents in bulk using the uninstallation script. This script will uninstall both the C++ and C agents.
  • Create a domain that contains all the target machines to be included in the GPO, that is, the endpoints where the agent is to be installed.

Steps to Create a GPO in the Domain and add Target Machines

  1. Open Server Manager. In the top right corner, click Tools >> Group Policy Management.
  2. Right click the Domain name and click the option Create a GPO in this domain, and Link it here.
  3. Provide a name for the new GPO, for example: AgentGPO, and save. Now, click the newly created GPO. Under Scope >> Security Filtering, click Add. In the Select User, Computer, or Group window, enter the name of the group that contains all the target endpoints, or enter the names of the target machines individually, and click OK.
  4. Switch to the Delegation tab. Right click the group you added and provide full access permission.
    You have successfully created a Group Policy and added the target machines where the PAM360 Agent is to be installed.
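
Because step 4 gives the target group full access to the GPO, every member of that group can change what the startup script runs, so it is worth reviewing who holds edit rights once the GPO exists. The following is an added example, not part of the vendor's procedure; it uses Get-GPPermission from the GroupPolicy module, and the function name and the list of expected editors are assumptions to adjust for your domain.

```powershell
# Added example: list every trustee that can modify the GPO.
# Requires the GroupPolicy module (installed with Group Policy Management).
Import-Module GroupPolicy

function Get-GpoEditor {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Trustees expected to hold edit rights (assumed defaults; adjust as needed).
        [string[]] $ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )
    # Permission levels that allow changing the GPO's settings.
    $editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    Get-GPPermission -Name $GpoName -All |
        Where-Object { $editRights -contains $_.Permission.ToString() } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee    = $_.Trustee.Name
                Type       = $_.Trustee.SidType
                Permission = $_.Permission
                Expected   = $ExpectedEditors -contains $_.Trustee.Name
            }
        }
}

# AgentGPO is the example GPO name used in this document.
Get-GpoEditor -GpoName 'AgentGPO' | Sort-Object Expected | Format-Table -AutoSize
```

Rows with Expected set to False are the trustees added beyond the assumed defaults, including the group granted access in step 4.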

Steps to Add the Installation Script and Agent Installation Zip in the GPO

  1. Now right click the GPO name from the left pane and click Edit settings, delete, modify security. The Group Policy Management editor window will open.
  2. Expand the Policies >> Windows Settings folders. Double click Scripts. In the Scripts window, click Startup and then click Properties.
  3. Switch to the PowerShell Scripts tab and click Show Files. The network directory will open up. Copy the path of the network location.
  4. Open the extracted PAM360AgentInstallationScript.ps1 file and do the steps as follows:
    1. Add the network location path copied in the previous step as the source variable. For example: "\\zylker.com\SysVol\zylker.com\Policies\{33A6F6BE-4A9E-4CCA-AB5A-7C96E14F2ACB}\Machine\Scripts\Startup\PAM360_WindowsAgent_CS.zip".
    2. Add a desired destination path, for example, c:\Program Files. This is the location where the agent will be installed in the target endpoints, so ensure that this path is available in all the target machines.
    3. Append the following data beside "./AgentInstaller.exe install $args" as required:
      1. If you are installing the agent as a service for password management, self-service privilege elevation, and zero trust implementation, enter 1,2,3. For example, ./AgentInstaller.exe install $args 1,2,3
      2. If you are installing the agent as a service for password management, enter 1. For example, ./AgentInstaller.exe install $args 1
      3. If you are installing the agent as a service for self-service privilege elevation, enter 2. For example, ./AgentInstaller.exe install $args 2
      4. If you are installing the agent as a service for zero trust implementation, enter 3. For example, ./AgentInstaller.exe install $args 3.
        You can also enter a different combination based on your agent installation requirements.
  5. Now, paste the PAM360 agent PowerShell script file and the Agent installation zip in the GPO network location.
  6. pam-agent-gpo-9.png
  7. Click Add, add the 'PAM360AgentInstallationScript' file name under Script Name and the Agent installation key copied from PAM360 under Script Parameters. Click Apply and OK again to save the settings.
  8. In the GPO editor, expand Administrative Templates in the left pane. Expand the System folder under it and open Group Policy.
  9. Under the Group Policy folder, right click Specify workplace connectivity wait time for policy processing.
  10. In this window, click the Enabled option. Enter the Amount of time to wait as 120 seconds. Click Apply and click OK to save the settings.
  11. The GPO will be applied. Once you restart all the target endpoints, the PAM360 Agent PowerShell script will be invoked and the agent will be installed in the target machines.
  12. After successful installation of the agent, disable the startup script for the GPO you created (AgentGPO in this example). This will ensure that the script is not invoked every time the target machines are restarted.
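
Step 12 matters for more than avoiding repeat installs: GPO PowerShell script parameters are stored in psscripts.ini under the GPO's Machine\Scripts folder in SYSVOL, a share that domain accounts can read by default, so the Agent Key entered in step 7 stays there next to the staged zip and script until it is removed. The following check is an added example, not part of the vendor's scripts; the function name and the placeholder path are assumptions.

```powershell
# Added example (not vendor code): report what the GPO still exposes in SYSVOL.
function Get-StartupScriptExposure {
    param(
        # The GPO's ...\Machine\Scripts folder: the parent of the Startup
        # folder opened by "Show Files".
        [Parameter(Mandatory)] [string] $ScriptsPath
    )
    $findings = @()

    # psscripts.ini holds entries such as 0CmdLine=<script> and 0Parameters=<arguments>.
    $ini = Join-Path $ScriptsPath 'psscripts.ini'
    if (Test-Path -LiteralPath $ini) {
        $section = ''
        foreach ($line in Get-Content -LiteralPath $ini -Force) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ne 'Startup') { continue }
            if ($line -match '^\s*(\d+)(CmdLine|Parameters)=\s*(\S.*)$') {
                $item   = $Matches[1] + $Matches[2]
                $detail = $Matches[3].Trim()
                # Report only the length of parameters so the key is not echoed.
                if ($Matches[2] -eq 'Parameters') { $detail = "$($detail.Length) characters stored" }
                $findings += [pscustomobject]@{ Source = 'psscripts.ini'; Item = $item; Detail = $detail }
            }
        }
    }

    # Files left in the Startup folder (installer zip, script) after deployment.
    $startup = Join-Path $ScriptsPath 'Startup'
    if (Test-Path -LiteralPath $startup) {
        foreach ($file in Get-ChildItem -LiteralPath $startup -File -Force) {
            $findings += [pscustomobject]@{ Source = 'Startup folder'; Item = $file.Name; Detail = "$($file.Length) bytes" }
        }
    }
    return $findings
}

# Placeholder path: substitute your domain name and the GPO's GUID.
$scripts = '\\<domain>\SysVol\<domain>\Policies\{<GPO GUID>}\Machine\Scripts'
Get-StartupScriptExposure -ScriptsPath $scripts | Format-Table -AutoSize
```

An empty result after cleanup means no startup entry, stored parameter or staged file remains for this GPO.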

Troubleshooting Steps

Ensure that the AgentGPO has a higher precedence than the other GPOs. This is to make sure that the other GPOs don't override the permissions of the AgentGPO.

To check this, click the GPO name, right click the Enforced option and check if it is enabled.
