Least privileges for Active Directory password rotation

On this page

Devolutions Server allows account passwords rotation by using an Active Directory account as a PAM provider. This article describes the steps to delegate control to said PAM provider in the Active Directory Users and Computers console.

To manage domain administrator accounts as privileged accounts in the PAM module, grant the PAM AD provider account access to the AdminSDHolder. See Creating Management Accounts for Protected Accounts and Groups in Active Directory for step-by-step instructions.

Steps

  1. Open the Active Directory Users and Computers console.
  2. Right-click on the Organizational Unit (OU) containing the privileged accounts or a higher OU level to encompass all OUs in which the PAM provider account should have the ability to rotate account passwords, and select Delegate Control....

Delegate Control... option
Delegate Control... option

  1. In the Delegation of Control Wizard, click on Next to reach the Users or Groups dialog. There, choose the account to use as the PAM provider account in Devolutions Server before clicking on Next.

Choose PAM provider
Choose PAM provider

  1. In Tasks to Delegate, select Create a custom task to delegate, and click on Next..

Create a custom task to delegate option
Create a custom task to delegate option

  1. In Active Directory Object Type, select the Only the following objects in the folder option, and check the User objects item. Then click Next.

Active Directory Object Type
Active Directory Object Type

  1. In Permissions, show General and Property-specific permissions, and check the following items before clicking on Next:
  • Change password
  • Reset password
  • Read lockout Time
  • Write lockout Time
  • Read pwdLastSet
  • Write PwdLastSet
  • Read userAccountControl
  • Write userAccountControl

Enable General and Property-specific permissions
Enable General and Property-specific permissions

  1. Review the changes as neccessary and click on the Finish button to complete delegating control.

Review changes and complete delegation of control
Review changes and complete delegation of control

The password rotation feature will use the default built-in Devolutions Server password rules. To level up the password rules to respect domain password rules, create a password template in Administration – Password templates, then set it as the default password template in Administration System settings Password management Password template.

Devolutions Forum logo Give us Feedback