Collected some issues I met during working on CPM.
- Safe not found
- CPM Password Rotating Policy Not Working
- CPM Change Password Failed
Table of Contents
Safe not found
CACPM177E Error while creating extra passwords section -Safe not found
Usually it is caused because there is no CPM server assigned for this Safe.
Master Policy Rotating Password Not Working
Here are some settings for daily rotation at assigned time:
1. created exception on master policy to let the password expire every 2 days and set HeadStartInterval value to 1 day. So CPM can change password everyday.
2. set PasswordChange-> ExecutionDays-> Sun,Mon,Tue,Wed,Thu,Fri,Sat
3. set PerformPeriodicChange to yes
4. set FromHour to 1 hour (1:00 AM)
5. set ToHour to 3 hour (3:00AM)
6. set interval to 59 minutes ((Range in minutes [ToHour-FromHour] / 2) -1)
Or based on kb : https://cyberark-customers.force.com/s/article/CPM-Password-Not-Rotating-Daily
The password should change between the hours of 23:00 and 24:00, daily. The Master policy “Require password change every X day” is set to 1 day.
1. HeadStartInterval
– This should be less than the ExpirationPeriod / Require password change every X days. In the example of the password rotating daily, this should be set to 0.
2. PerformPeriodicChange
– As this allows the account to be managed by the Master Policy “Require password change every X days”. In the example where “Require password change every X days” is set to 1, this should be set to Yes.
3. Interval (The number of minutes that the Central Policy Manager waits between running periodic searches for the platform. Default is 1440 minutes = 24 hours)
– To help facilitate the change happening, we typically recommend using the formula of ((window/2)-1). In the example where ‘FromHour’=23 and ‘ToHour’=24 (1-hour window or 60 minutes), then the ‘Interval’ setting for that policy file should be ((window/2)-1) which is ((60 minutes/2)-1) = (30-1) = 29. The Interval should be set to 29.
CPM Change Password Failed
ExpirationPeriod
Failure Description: Error in changepass to user 51sec.org\testAdmin on domain 51sec.org(\\51secSRV11).(winRc=2245) The password does not meet the password policy requirements
Check the minimum password length
password complexity and password history requirements
CPM
Group policy limited password minimum change time is 24 hours.
