> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/pam/knowledge-base/how-to-articles/create-a-windows-user-provider.md). # Create a Windows user provider This guide provides steps to create a ***Windows user*** provider to manage Windows local accounts in the PAM module of Devolutions Server. {% hint style="info" %} * The [Scheduler service](https://docs.devolutions.net/server/kb/knowledge-base/scheduler-service-general-information/) must be installed and running to use this feature. * If you use a different administrator than the default built-in one, you need to enable the "User Account Control: Admin Approval Mode for the Built-in Administrator account" policy. See Microsoft's article for more information: [Description of User Account Control and remote restrictions in Windows Vista](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction). {% endhint %} 1. Ensure that WinRM is properly configured and that all remote machines are added in the Trusted Hosts list as stated in [WinRM and trusted hosts list](https://docs.devolutions.net/server/kb/how-to-articles/winrm-trustedhostslist/). 2. Create a local account on the remote host that will be managed by the PAM module as a privileged account. The local accounts must have the ***User cannot change password*** option enabled to avoid problems with the synchronization of the password in the Privileged Access module. If this account needs to have administrative rights, then add it to the local Administrators group. 3. Go in ***Privileged access – Providers*** on the Devolutions Server web interface to add a Windows users provider. 4. Set the Name of the provider; Set the Computer name and Domain information of the remote host in the Host section; Set the Username and Password values for the provider account in the Credentials section. This account must have proper administrative rights on the host to manage local user accounts. In this sample, is a domain account that is a member of the local Administrators group of the remote host. 5. With the ***Add a new account discovery configuration*** option enabled, create the account discovery configuration to scan for local accounts. The built-in Administrator account cannot be managed by the Privileged Access module because of the option mentioned in step 3 above that cannot be enabled. 6. Once the scan is completed, a list of accounts is available. Click on the Eye button to see the discovered accounts. 7. Select the account that will be managed and click on the ***Import selected accounts*** button. 8. Select the folder where the account will be located in ***Privileged access – Accounts page***. 9. On success, this prompt box should be displayed on the top right corner. 10. The account is now available in the folder. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.devolutions.net/pam/knowledge-base/how-to-articles/create-a-windows-user-provider.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.