
# Least privileges for Active Directory providers

Devolutions Server allows [just-in-time (JIT) group elevation](https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/#jit-group-elevation) and [password rotation](https://docs.devolutions.net/pam/concepts/password-rotation/) by using an Active Directory account as a PAM provider. The instructions below explain how to delegate only the control that PAM provider account needs, using the Active Directory Users and Computers (ADUC) console.

{% hint style="info" %}
To manage domain administrator accounts as privileged accounts in the PAM module, you must grant the PAM AD provider account access to the **AdminSDHolder** object. For detailed steps, see [Creating Management Accounts for Protected Accounts and Groups in Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/appendix-i--creating-management-accounts-for-protected-accounts-and-groups-in-active-directory?source=recommendations).
{% endhint %}

### JIT group elevation

1. Open the Active Directory Users and Computers (ADUC) console.
2. Right-click on the organizational unit (OU) containing the groups for the privileged accounts (or on a higher OU level to encompass all OUs in which the PAM provider account should have the ability to change group memberships), and select ***Delegate Control...***

{% hint style="info" %}
Make sure to repeat these steps for the OU in which the temporary groups are created.
{% endhint %}

![](https://cdnweb.devolutions.net/docs/INTERFACE2097.png)

3. In the Delegation of Control Wizard, click on ***Next*** to reach the ***Users or Groups*** dialog. Click on ***Add*** or select the account to use as the PAM provider account in Devolutions Server.

![](https://cdnweb.devolutions.net/docs/INTERFACE2087.png)

4. Enter the object name to select, then click on ***Check Names***. Click ***OK*** to confirm.

![](https://cdnweb.devolutions.net/docs/INTERFACE2088.png)

5. Click ***Next***.

![](https://cdnweb.devolutions.net/docs/INTERFACE2089.png)

6. In ***Tasks to Delegate***, select ***Create a custom task to delegate***, then click ***Next***.

![](https://cdnweb.devolutions.net/docs/INTERFACE2090.png)

7. In ***Active Directory Object Type***, select ***Only the following objects in the folder***, then check the ***Group objects*** item. Then, tick both ***Create selected objects in this folder*** and ***Delete selected objects in this folder*** checkboxes, and click on ***Next***.

![](https://cdnweb.devolutions.net/docs/INTERFACE2096.png)

8. In ***Permissions***, only tick the ***Property-specific*** checkbox. Find and enable the ***Write Members*** permission, then click on ***Next***.

![](https://cdnweb.devolutions.net/docs/INTERFACE2092.png)

9. Verify that the correct permission has been delegated, then click ***Finish*** to complete the process.

![](https://cdnweb.devolutions.net/docs/INTERFACE2095.png)

### Password rotation

1. Open the Active Directory Users and Computers (ADUC) console.
2. Right-click on the organizational unit (OU) containing the privileged accounts (or on a higher OU level to encompass all OUs in which the PAM provider account should have the ability to rotate account passwords), and select ***Delegate Control...***

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2097.png)
3. In the Delegation of Control Wizard, click on ***Next*** to reach the ***Users or Groups*** dialog. Click on ***Add*** or select the account to use as the PAM provider account in Devolutions Server.

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2087.png)
4. Enter the object name to select, then click on ***Check Names***. Click ***OK*** to confirm.

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2088.png)
5. Click ***Next***.

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2089.png)
6. In ***Tasks to Delegate***, select ***Create a custom task to delegate***, then click ***Next***.

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2090.png)
7. In ***Active Directory Object Type***, select ***Only the following objects in the folder***, then check the ***User objects*** item. Then, tick both ***Create selected objects in this folder*** and ***Delete selected objects in this folder*** checkboxes, and click on ***Next***.

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2091.png)
8. In ***Permissions***, tick both the ***General*** and ***Property-specific*** checkboxes. Find and enable the following permissions, then click on ***Next***.

   * ***Change password***
   * ***Reset password***
   * ***Read lockoutTime***
   * ***Write lockoutTime***
   * ***Read pwdLastSet***
   * ***Write pwdLastSet***
   * ***Read userAccountControl***
   * ***Write userAccountControl***

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2093.png)

9. Verify that the correct permissions have been delegated, then click ***Finish*** to complete the process.

![](https://cdnweb.devolutions.net/docs/INTERFACE2094.png)

{% hint style="info" %}
The password rotation feature uses the default built-in Devolutions Server password rules. To enforce domain-specific password rules, create a custom password policy under ***Administration – Password policies***, then set it as the default password template in ***Administration*** – ***System settings*** – ***Password management*** – ***Password policies***.
{% endhint %}
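The wizard shows you what it is about to grant, but it does not tell you what else the provider account already holds on that OU. The following PowerShell script is an added example, not code from the Devolutions documentation or product: it reads the explicit ACEs on an OU for the PAM provider account, resolves the GUIDs they reference to readable names, and compares them against the rights the two procedures above (JIT group elevation and password rotation) require, flagging anything broader. It assumes the RSAT ActiveDirectory module is installed, and the `$ProviderAccount` and `$OuDn` defaults are placeholders to replace with your own values.

```powershell
<#
  Added example, not part of the Devolutions documentation or product: audits the explicit
  ACEs that the two Delegation of Control Wizard runs above leave on an OU for the PAM
  provider account, and flags any entry broader than those procedures require.
  Assumptions: the RSAT ActiveDirectory module is installed, and the two parameter
  defaults are placeholders to replace with your own provider account and OU.
#>
param(
    [string]$ProviderAccount = 'CONTOSO\svc-dvls-pam',     # placeholder, replace
    [string]$OuDn            = 'OU=PAM,DC=contoso,DC=com'   # placeholder, replace
)

Import-Module ActiveDirectory
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# ACEs reference classes, attributes and extended rights by GUID. Build a GUID -> name map
# from the schema and the Extended-Rights container so the report is readable.
$rootDse    = Get-ADRootDSE
$guidToName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidToName[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '<all>' }   # empty GUID: no object-type restriction
    $key = $Guid.ToString()
    if ($guidToName.ContainsKey($key)) { return $guidToName[$key] }
    return $key
}

# Least-privilege baseline keyed "object type|inherited object type": the rights each pair
# may carry. The first two rows are what JIT group elevation needs, the rest password rotation.
$allowed = @{
    'group|<all>'             = $Rights::CreateChild -bor $Rights::DeleteChild
    'member|group'            = $Rights::WriteProperty
    'user|<all>'              = $Rights::CreateChild -bor $Rights::DeleteChild
    'Change Password|user'    = $Rights::ExtendedRight
    'Reset Password|user'     = $Rights::ExtendedRight
    'lockoutTime|user'        = $Rights::ReadProperty -bor $Rights::WriteProperty
    'pwdLastSet|user'         = $Rights::ReadProperty -bor $Rights::WriteProperty
    'userAccountControl|user' = $Rights::ReadProperty -bor $Rights::WriteProperty
}

$acl    = Get-Acl -Path "AD:\$OuDn"
$report = foreach ($ace in $acl.Access) {
    # Only explicit entries for the provider account; inherited ones were granted higher up.
    if ($ace.IsInherited -or $ace.IdentityReference.Value -ne $ProviderAccount) { continue }

    $object  = Resolve-AceGuid $ace.ObjectType
    $applies = Resolve-AceGuid $ace.InheritedObjectType
    $key     = "$object|$applies"
    $granted = [int]$ace.ActiveDirectoryRights

    # An ACE is fine only if it is an Allow entry for a baseline pair and carries no
    # right bit outside what that pair permits (subset check via -band -bnot).
    $status = 'expected'
    if ($ace.AccessControlType -ne 'Allow') { $status = 'unexpected Deny entry' }
    elseif (-not $allowed.ContainsKey($key)) { $status = 'EXCESS: not in baseline' }
    elseif (($granted -band -bnot [int]$allowed[$key]) -ne 0) { $status = 'EXCESS: extra rights' }

    [pscustomobject]@{
        Rights    = $ace.ActiveDirectoryRights
        Object    = $object
        AppliesTo = $applies
        Status    = $status
    }
}

$report | Format-Table -AutoSize
$excess = @($report | Where-Object { $_.Status -ne 'expected' })
if ($excess.Count -gt 0) {
    Write-Warning "$($excess.Count) entries on $OuDn grant $ProviderAccount more than the procedures require."
    exit 1
}
"Explicit delegation on $OuDn for $ProviderAccount stays within the least-privilege baseline."
```

Run it once per OU you delegated (the groups OU, the temporary-groups OU, and the privileged-accounts OU) from a session that can read the OU's security descriptor. The script only reports excess, not missing entries, because each OU is expected to carry just the ACEs its own procedure adds; a `GenericAll`, `WriteDacl` or unrestricted `WriteProperty` entry left over from an earlier, broader delegation shows up as `EXCESS` and should be removed before the account is used as a provider.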

