User management in Windows

The following table explains how Okta Privileged Access manages users on Windows servers.

Area Notes
Usernames Usernames can contain lowercase letters (a-z), numbers (0-9), dashes (-), and underscores (_), can't be a reserved name, and have a maximum length of 20 characters. In the event a username collision occurs, an attempt is made to differentiate between users by appending a number to the server username.
Server account permissions The permissions that users are assigned when they log into server resources with their individual accounts are restricted to end user, non-administrative permissions.
User creation Users with access permission are added to the Remote Desktop Users group if they don't already belong to it. User accounts are created and configured with standard native calls such as NetUserAdd and NetUserSetInfo, and have the following UserAccountControl attribute flags set: UF_SCRIPT, UF_PASSWD_CANT_CHANGE, UF_NORMAL_ACCOUNT, and UF_DONT_EXPIRE_PASSWD.
User updates Standard local user management system calls are used. For example, NetLocalGroupDelMembers and NetLocalGroupAddMembers.
User deletion

Users are deleted with NetUserDel.

When a user is removed from an Okta Privileged Access project or an on-demand user account expires, the associated user profile and home directory are removed from servers enrolled in the project. This also removes any data stored within the home directory.

Read system state Standard native calls are made to read the state of local user accounts on the system such as NetUserEnum, NetLocalGroupGetMembers, LookupAccountSidW, WTSEnumerateSessions, and WTSQuerySessionInformation.