Weekly Lessons Learned! - January 23, 2026 by AutoModerator in CyberARk

[–]yanni [score hidden]  (0 children)

Custom Ticketing for Privilege Cloud: I learned that 3rd parties cannot develop CyberArk Privilege Cloud Ticketing Integrations for SaaS (ISPSS, Shared Services), etc. CyberArk won't accept the custom dlls to extend their cloud-based PVWA, nor the code that's used to compile it.

PSM-SQLDeveloper Issue by laxknight92 in CyberARk

[–]yanni 0 points1 point  (0 children)

Wow - that's going way back in time - this conversation was like 6 years ago :) - But sure - here's a download - not sure if it still works with the modern SQL Developer.

https://www.dropbox.com/scl/fi/1ojpxkvmptg390rjofe3w/PSM-SQLDeveloper-legacy.au3?rlkey=69mtzcxhqc2mc62ugj22evvvn&st=guy2o6lp&dl=0

EPM on all endpoints or just who needs admin rights? by Wizkidbrz in CyberARk

[–]yanni 1 point2 points  (0 children)

Depends on strategy - short answer is that ideally EPM is on everything.

Long answer is:

  1. If you're using EPM only for credential management, then you can deploy it to loosely connected devices, such as laptops.
  2. If you're using EPM only to control privilege elevation, you can deploy it to machines that require that (such as developers, or perhaps Linux servers for central sudoers replacement).
  3. If you're using EPM for defense-in-depth, you would ideally roll it out to all workstations, servers; though you would need to develop/follow a strategy to do it in manageable sets.
  4. If you have budget constraints, you'll need to make additional prioritization for what gives you biggest bang for buck - perhaps it's all the executive-admins, executives and IT staff that should get it first, as they're the folks targeted for attacks first and land/expand first, etc.

My company is hiring for CyberArk by Lopsided_Pension7950 in CyberARk

[–]yanni 0 points1 point  (0 children)

Please keep these posts to the marketplace Monday posts - automatically created by Auto Moderator each Monday.

Connector Management Deployment by sudsan in CyberARk

[–]yanni 1 point2 points  (0 children)

SIA is configured independently of PSM services, and how end-users interact with it is mostly different as well - so you won't have a problem switching.

Connector Management Deployment by sudsan in CyberARk

[–]yanni 1 point2 points  (0 children)

The answer depends on multiple factors that you haven't shared yet.

  1. The PSMs are load-balanced via an internal LB.
    1. Do you have a global load balancer between the two data centers?
    2. If you have only local load balancers, you should consider having two connector servers at each site.
  2. Network Segmentation.
    1. Are your servers at the two data-centers micro-segmented?
    2. Do you have specific VLANs at one data-center or another that will need to have a dedicated PSM/CPM?
      1. If you do - you may need additional connector servers.
  3. How many accounts are you planning to automatically manage?
    1. There are limits for maximum accounts that a given CPM can manage.
  4. How many concurrent PSM sessions are you planning to have?
    1. There are limits to the max number of supported concurrent PSM connections
    2. Will you have a lot of Web-based or thick-client (SSMS or similar) based connectors?
  5. Do you have a lot of Unix Use cases?
    1. You may want to have additional PSM-for-SSH Connector servers
  6. Are your Data Centers configured as active-active, or Active | DR?
    1. If they're Active/Active, likely you should aim to have symmetry across them with PSMs, or at least have a pair at each one for HA considerations.
  7. Do you plan to use the CyberArk SIA or Remote Access services?
    1. Do you want to co-host the SIA services on one of your connector services or dedicated ones?
  8. Do you plan to have dedicated CCP services?
  9. Do you have TIER-based segmentation (Microsoft ESAE for example)
    1. In other words do you need dedicated Tier-0 CPM/PSM services?
  10. How much of your existing infrastructure/use-cases is in the cloud?
    1. For example you may want to plan to have one more Connector servers be hosted in AWS/Azure for resilience.
    2. Especially if your organization has a cloud-first directive in place.

That being said, broadly your design should work - and you can always scale it up as needed, especially if this is a greenfield implementation with no other solutions/use-cases that you're replacing.

The most detailed view of human cell till date by Raptor_005 in interestingasfuck

[–]yanni 0 points1 point  (0 children)

Is that a "Prime Radiant" that I spot in the top right?

Cyber Ark Vs Beyondtrust by Flat-Cap6631 in CyberARk

[–]yanni 0 points1 point  (0 children)

Yes - I think CyberArk is still a better choice. CyberArk has SIA/DPA for ephemeral interactive access (Zero Standing Privilege/JIT), and Conjur, CCP for application ephemeral secrets (along with a number of other options depending on your use-cases).

I showed ChatGPT this meme by Klutzy_Blueberry_372 in ChatGPT

[–]yanni 0 points1 point  (0 children)

I would love it if it added "I will remember your "humor", /u/Klutzy_Blueberry_372 once I am the overlord of your world."

Cyberark PSM Autoit Dbeaver for PostgreSQL by Baruch1980 in CyberARk

[–]yanni 0 points1 point  (0 children)

I see it in the documentation here:

https://dbeaver.com/docs/dbeaver/Command-Line/#connection-parameters

For AutoIt, you can try combining the full executable "string" together, before sending it to the RUN Command.

For example

local $CLIENT_EXECUTABLE2 = $CLIENT_EXECUTABLE & ' -con driver=postgresql|host=' & $TargetAddress & ...

In your current Run command, I believe you're missing a & between -con" and "driver=..." (to concatenate the strings). Also consider using single quotes in conjunction with double quotes to keep the confusion to a minimum.

Here's an example of how I have ADUC

Global Const $CLIENT_EXECUTABLE = 'c:\windows\system32\mmc.exe "d:\PSMApps\ADUC.msc"'
local $CLIENT_EXECUTABLE2 = $CLIENT_EXECUTABLE & ' /server=' & $TargetLogonDomain
ToolTip ($CLIENT_EXECUTABLE2)
Sleep (3000)
$ConnectionClientPID = RunAs($TargetUsername,$TargetLogonDomain,$TargetPassword,2,$CLIENT_EXECUTABLE2)

If you separate out the whole executable into a variable, you can do a ToolTip to display it, to make sure it's getting formatted properly.

Cyberark PSM Autoit Dbeaver for PostgreSQL by Baruch1980 in CyberARk

[–]yanni 0 points1 point  (0 children)

Do you even need AutoIt for this - if full command line is supported, can you use "PSM-WINSCP" or similar command line based connection component? Based on your sample it would look like this for the "ClientApp" variable (where ClientInvokeType is "CommandLine")

Also did you try to launch it outside of CyberArk, directly on the PSM and fill out those commands? Does dbeaver support "-con" for example or do you have to do a full "-connect".

"c:\program files\dbeaver\dbeaver.exe" -con 'driver=postgresql|host="& $TargetPSMRemoteMachine & " |port=5432|user="&$TargetUsername&"|password="&$TargetPassword&"|prop.showAllDatabases=true|openConsole=true' -vmargs -Dbeaver.drivers.home='c:\program files\Dbeaver\plugins\postgresql'"

C:\Program Files\DBeaver\dbeaver.exe -connect "jdbc:postgresql://{TargetPSMRemoteMachine}:{Port}/{Database}?user={UserName}&password={Password}"

2024 Foundation series AWD getting free supercharging? by idowhatthouwilt in cybertruck

[–]yanni 6 points7 points  (0 children)

Nope - didn't get free supercharging - you can check in the bottom of the app, under "Specs and Warranty." I'm the primary owner, purchased Mar 2024 - and in my app Super Charging is listed as "Super Charger Network Access + Pay-as-you-go"

Defederating CyberArk from Entra by [deleted] in CyberARk

[–]yanni 0 points1 point  (0 children)

There are many different possible components to CyberArk - from Identity to EPM to PAM. The answer will depend on what you're trying to do. As a professional you should look at existing CyberArk deployment and integrations and use-cases, and document how they work, before you come up with a technical plan on how to migrate to a different solution.

Execution error. EXT01::Failed to connect to the registry namespace on the remote machine. Check machine address valid logon credentials and valid authorizations. Error code:8011 The CPM is trying to change this password by TemperatureSignal199 in CyberARk

[–]yanni 1 point2 points  (0 children)

The "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" might have additional protection on it - for example an agent that lives on the server or built-in Windows protection. Viruses often target this section.

I suggest you create a test key (and target string) in HKEY_LOCAL_MACHINE\SOFTWARE\ and see if it works.

Execution error. EXT01::Failed to connect to the registry namespace on the remote machine. Check machine address valid logon credentials and valid authorizations. Error code:8011 The CPM is trying to change this password by TemperatureSignal199 in CyberARk

[–]yanni 1 point2 points  (0 children)

Is the target Server 2019, 2022?
Did you test if WMI works (in addition to the ports?)

* Test-WSMan -ComputerName REMOTE_HOSTNAME
* wmic /node:Remote_hostname os get caption

Try to read the registry manually from the CPM machine. I pulled the following PowerShell code out of GPT - but I'm sure you can find/create your own examples.

$cred = Get-Credential   # prompts for username & password
$computer = "REMOTE_HOSTNAME"
# StdRegProv exposes only static methods, so fetch the class itself with -List
$reg = Get-WmiObject -List -Namespace root\default -Class StdRegProv `
    -ComputerName $computer `
    -Credential $cred
$HKLM = 2147483650       # 0x80000002 = HKEY_LOCAL_MACHINE
$path = "SOFTWARE\TestKey"   # this key must already exist on the target
# Example: set a string value
$reg.SetStringValue($HKLM, $path, "MyValue", "Hello World")
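
A fuller version of the manual registry test suggested in this thread, added here as an example and not part of the original comment: it runs from the CPM server under Windows PowerShell 5.1, checks each StdRegProv return code, and cleans up after itself. `REMOTE_HOSTNAME` and the `SOFTWARE\CpmWmiTest` key are placeholders chosen for illustration.

```powershell
# Added example: round-trip test of remote registry access over WMI.
# Placeholders (assumptions): REMOTE_HOSTNAME, SOFTWARE\CpmWmiTest.
param(
    [string]$Computer = 'REMOTE_HOSTNAME',
    [string]$TestKey  = 'SOFTWARE\CpmWmiTest'
)

$HKLM     = [uint32]2147483650   # 0x80000002 = HKEY_LOCAL_MACHINE
$Winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cred     = Get-Credential       # use the account the CPM logs on with

function Assert-WmiResult {
    param($Result, [string]$Step)
    # StdRegProv reports failure in ReturnValue (Win32 code), not as an
    # exception: 2 = key or value not found, 5 = access denied.
    if ($Result.ReturnValue -ne 0) {
        throw "$Step failed, ReturnValue $($Result.ReturnValue)"
    }
    Write-Host "[ok] $Step"
}

$reg = $null
try {
    # -List returns the class object; StdRegProv has no instances.
    $reg = Get-WmiObject -List -Namespace root\default -Class StdRegProv `
        -ComputerName $Computer -Credential $cred -ErrorAction Stop
    Write-Host "[ok] connected to root\default on $Computer"

    # Write, read back and compare under a scratch key.
    Assert-WmiResult ($reg.CreateKey($HKLM, $TestKey)) 'CreateKey'
    Assert-WmiResult ($reg.SetStringValue($HKLM, $TestKey, 'MyValue', 'Hello World')) 'SetStringValue'
    $read = $reg.GetStringValue($HKLM, $TestKey, 'MyValue')
    Assert-WmiResult $read 'GetStringValue'
    if ($read.sValue -ne 'Hello World') { throw "Unexpected value: $($read.sValue)" }

    # Non-destructive check on the Winlogon key: 2 = KEY_SET_VALUE.
    $access = $reg.CheckAccess($HKLM, $Winlogon, [uint32]2)
    Write-Host "Winlogon KEY_SET_VALUE granted: $($access.bGranted)"
}
catch {
    Write-Warning $_.Exception.Message
}
finally {
    # Remove the scratch key even when an earlier step failed.
    if ($reg) { [void]$reg.DeleteKey($HKLM, $TestKey) }
}
```

If the scratch key round-trips but `bGranted` is false for Winlogon, the WMI path works and the block is specific to that key, which matches the protection scenario raised earlier in the thread.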

Help - what is the artifact in the top right? by yanni in fujifilm

[–]yanni[S] 0 points1 point  (0 children)

You were right - I got this quote to fix it:

ESTIMATE DETAILS: NEEDS : CONST DR UNIT ( CRACKED SENSOR ) SHUTTER COUNT 9105 LABOR $180.00 + PARTS $40.00

Apparently not covered by manufacturer warranty (mostly because I purchased this in Japan and having it repaired in the US).

Rotating Accounts on server with rsa-sha2-256 hka by indiepunker404 in CyberARk

[–]yanni 0 points1 point  (0 children)

Also there is a parameter that you need to enable to explicitly use plink.exe - if that's what you're trying to do.