QUESTION 16

You receive this error:
“Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied.”
Which root cause should you investigate?

Correct Answer: A
The error message “Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied” suggests that the account attempting to change the password does not have the necessary permissions to do so. This could be due to several reasons, such as the account not being part of the appropriate group with password change privileges, or specific restrictions set on the account that prevent password changes. It’s important to verify the account’s permissions and ensure it has the ability to change its own password within the domain.
References: The conclusion is based on common issues encountered in CyberArk’s Privileged Access Management (PAM) when managing account passwords and the associated error codes. The CyberArk documentation and community discussions provide insights into troubleshooting such errors, where insufficient permissions are a frequent cause.

QUESTION 17

As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.

Correct Answer: B
Being a member of the Vault Admins group does not automatically grant you any permission on any safe that you have access to. The Vault Admins group is a predefined group that is created during the installation or upgrade of the vault. This group has the Vault Admin authorization, which allows its members to perform administrative tasks on the vault, such as managing users, groups, platforms, policies, and safes [1]. However, this authorization does not include any safe member authorizations, such as View, Retrieve, Use, or Manage Safe [2]. Therefore, to grant any permission on a safe, you need to be added as a safe member with the appropriate authorizations, either directly or through another group. The Vault Admins group can be added to safes with all safe member authorizations, but this is not done automatically for all safes. By default, this group is only added to a number of system safes, such as the Password Manager Safe, the PVWAConfig Safe, and the Notification Methods Safe [3]. For other safes, the Vault Admins group can be added manually by the safe owner or another user with the Manage Safe authorization [4]. References:
✑ 1: Predefined users and groups, Predefined groups subsection
✑ 2: [CyberArk Privileged Access Security Implementation Guide], Chapter 3: Managing Safes, Section: Safe Authorizations, Table 2-1: Safe Authorizations
✑ 3: What default groups can be automatically added to Safes when they are created?
✑ 4: [CyberArk Privileged Access Security Administration Guide], Chapter 3: Managing Safes, Section: Adding Safe Members

QUESTION 18

According to the DEFAULT Web Options settings, which group grants access to the REPORTS page?

Correct Answer: C
According to the CyberArk Defender-PAM study guide, the REPORTS page is used to generate reports on various aspects of the CyberArk Privileged Access Management Solution, such as user activity, password usage, and compliance status. The default group that grants access to the REPORTS page is the Auditors group, which is a built-in group in the Vault that has the AuditUsers authorization. Members of the Auditors group can view and generate reports, but cannot modify them. References:
✑ CyberArk Defender-PAM study guide, page 17, section 3.2.1
✑ CyberArk Privileged Access Security Documentation, page 48, section 2.3.2.1

QUESTION 19

Accounts Discovery allows secure connections to domain controllers.

Correct Answer: B

QUESTION 20

You are concerned about the Windows Domain password changes occurring during business hours.
Which settings must be updated to ensure passwords are only rotated outside of business hours?

Correct Answer: B
To ensure that Windows Domain password changes occur outside of business hours, the settings that must be updated are found in the Master Policy under the Account Change Window section. Here, you can specify the ToHour and FromHour to define the time frame outside of which the passwords should be rotated. This setting allows you to control when password changes can occur, ensuring that they do not interfere with business operations by taking place during non-business hours [1].
References:
✑ CyberArk Docs - Set password policies