Quickly deploy AD PAM in your environment

This guide walks you through the steps to set up Devolutions PAM in your environment quickly, so you can protect privileged accounts, enforce policies, and gain control over sensitive access with minimal configuration time.

Devolutions Server (self-hosted)

  1. Configure a PAM Domain service account.

    The PAM Domain service account will be required at a later stage. Make sure to keep the username and password handy.

  2. Optionally, create a test account for PAM.

  3. Make sure the Scheduler service is running.

  4. Configure your PAM domain provider in Devolutions Server by going to Administration > Privileged access > Providers.

  5. Click the plus sign at the top right to add a new provider.

  6. Select Domain user and continue.

  7. Enter the required configuration and specify the Domain service account created in step 1.

  8. Click Save.

  9. Set up the Scan configuration (prompted when saving the PAM provider).

  10. Select the OUs where the Privileged account (or test account) is located.

  11. Check Start scan on save under Actions.

  12. Click Save.

  13. Open the provider’s properties and navigate to the Checkout policy tab.

  14. Create a check-out policy.

  15. Create a PAM vault.

  16. Import accounts from the Scan.

  17. Here is the risk level (privilege tier) associated with each account discovered during a scan, based on the AD groups it belongs to:

Group name                    Privilege tier  Description
----------------------------  --------------  --------------------------------------------------------
Domain admins                 Tier 0          Full control over domain resources.
Enterprise admins             Tier 0          Full control over forest-wide configuration.
Schema admins                 Tier 0          Can modify the AD schema.
Administrators                Tier 0          Built-in administrators on all domain controllers.
Account operators             Tier 1          Can manage user/group accounts. Risk of privilege escalation.
Server operators              Tier 1          Can log on locally to DCs and manage services.
Backup operators              Tier 1          Can back up protected system files; often overlooked.
Group policy creator owners   Tier 1          Can create/edit GPOs; can introduce persistence.
DNS admins                    Tier 1          Can control DNS zones; potential for domain spoofing.
  18. Configure an entry to use the PAM account.
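As an added example that is not part of the Devolutions documentation, the PowerShell below scripts the three prerequisite steps (creating the PAM domain service account and the optional test account, then verifying that the Scheduler service is running) and turns the privilege-tier table into an inventory of which existing accounts sit in each tier, so you know what the scan in step 16 will surface and which check-out policy they will need. The account names, the OU path and the service display-name pattern are assumptions; the tier mapping is taken from the table above. It requires the ActiveDirectory RSAT module and rights to create users in the target OU.

```powershell
# Added example (not Devolutions' own code). Assumed values: account names,
# OU path and the Scheduler service display-name pattern.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function New-PamAccount {
    # Creates a domain account for PAM. Used for both the service account
    # (step 1) and the optional test account (step 2).
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,   # e.g. 'svc-pam' (assumed)
        [Parameter(Mandatory)] [string]       $OuPath,           # e.g. 'OU=Service Accounts,DC=corp,DC=example' (assumed)
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $Description = 'Devolutions Server PAM account'
    )
    $upnSuffix = (Get-ADDomain).DNSRoot
    New-ADUser -Name $SamAccountName `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$upnSuffix" `
               -Path $OuPath `
               -AccountPassword $Password `
               -KerberosEncryptionType AES128,AES256 `   # no RC4 for the service principal
               -Enabled $true `
               -Description $Description `
               -PassThru
}

function Test-SchedulerServiceRunning {
    # Step 3: confirm the Scheduler service is up. The pattern is an assumption;
    # check services.msc for the exact display name on your server.
    param([string] $DisplayNamePattern = '*Devolutions*Scheduler*')
    $services = Get-Service | Where-Object { $_.DisplayName -like $DisplayNamePattern }
    if (-not $services) {
        throw "No service matching '$DisplayNamePattern' found."
    }
    foreach ($s in $services) {
        if ($s.Status -ne 'Running') {
            Write-Warning "$($s.DisplayName) is $($s.Status), not Running."
            return $false
        }
    }
    return $true
}

# Privilege tiers from the table above; group names as they appear in AD.
$PrivilegedGroups = @(
    @{ Name = 'Domain Admins';               Tier = 0 }
    @{ Name = 'Enterprise Admins';           Tier = 0 }
    @{ Name = 'Schema Admins';               Tier = 0 }
    @{ Name = 'Administrators';              Tier = 0 }
    @{ Name = 'Account Operators';           Tier = 1 }
    @{ Name = 'Server Operators';            Tier = 1 }
    @{ Name = 'Backup Operators';            Tier = 1 }
    @{ Name = 'Group Policy Creator Owners'; Tier = 1 }
    @{ Name = 'DnsAdmins';                   Tier = 1 }
)

function Get-PrivilegedAccountInventory {
    # Lists every user that is a (nested) member of a tiered group, tagged
    # with the tier so the list can be compared against the scan results.
    foreach ($g in $PrivilegedGroups) {
        try {
            $members = Get-ADGroupMember -Identity $g.Name -Recursive -ErrorAction Stop |
                       Where-Object { $_.objectClass -eq 'user' }
        } catch {
            # Enterprise/Schema Admins exist only in the forest root domain and
            # DnsAdmins only where the DNS role is installed; skip and report.
            Write-Warning "Skipping $($g.Name): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Tier              = $g.Tier
                Group             = $g.Name
                SamAccountName    = $m.SamAccountName
                DistinguishedName = $m.DistinguishedName
            }
        }
    }
}

# Usage with assumed values (run on a domain-joined host with RSAT):
$svcPassword = Read-Host -AsSecureString -Prompt 'Password for svc-pam'
New-PamAccount -SamAccountName 'svc-pam' -OuPath 'OU=Service Accounts,DC=corp,DC=example' `
               -Password $svcPassword -Description 'Devolutions Server PAM domain service account'
$tstPassword = Read-Host -AsSecureString -Prompt 'Password for pam-test'
New-PamAccount -SamAccountName 'pam-test' -OuPath 'OU=Service Accounts,DC=corp,DC=example' `
               -Password $tstPassword -Description 'PAM test account'
Test-SchedulerServiceRunning
Get-PrivilegedAccountInventory | Sort-Object Tier, Group | Format-Table -AutoSize
```

Accounts that appear under Tier 0 in the inventory are the ones to import first in step 16 and to cover with the strictest check-out policy from step 14; an account showing up in the inventory but not in the scan usually means its OU was not selected in step 10.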

Just-in-Time elevation and Just-in-Time provisioning (optional)

Refer to this section if you want to enable Just-in-Time elevation and Just-in-Time provisioning in your PAM environment.
