Devolutions Server allows just-in-time (JIT) group elevation by using an Active Directory account as a PAM provider. This article describes the steps to delegate control to said PAM provider in the Active Directory Users and Computers console.
To manage domain administrator accounts as privileged accounts in the PAM module, grant the PAM AD provider account access to the AdminSDHolder. See Creating Management Accounts for Protected Accounts and Groups in Active Directory for step-by-step instructions.
Open the Active Directory Users and Computers console.
Right-click on the Organizational Unit (OU) containing the privileged accounts or a higher OU level to encompass all OUs in which the PAM provider account should have the ability to rotate account passwords, and select Delegate Control....
In the Delegation of Control Wizard, click on Next to reach the Users or Groups dialog. There, choose the account to use as the PAM provider account in Devolutions Server before clicking on Next.
In Tasks to Delegate, select Create a custom task to delegate, and click on Next.
In Active Directory Object Type – Only the following objects in the folder, select the Group objects item. Then, tick both Create selected objects in this folder and Delete selected objects in this folder checkboxes, and click on Next.
In Permissions, tick the Property-specific checkbox. Find and enable the Write Members permission, and click on Next.
Click the Finish button to complete te delegation process.