
# Quickly deploy AD PAM in your environment

This guide walks you through the steps to set up Devolutions PAM in your environment quickly, so you can protect privileged accounts, enforce policies, and gain control over sensitive access with minimal configuration time.

### Devolutions Server (self-hosted)

1. Configure a [PAM Domain service account](https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/).

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>The PAM Domain service account will be required at a later stage. Make sure to keep the username and password handy.</p></div>
2. Optionally, create a test account for PAM.
3. Make sure the [Scheduler service](https://docs.devolutions.net/server/kb/knowledge-base/scheduler-service-general-information/) is running.
4. Configure your [PAM domain provider](https://docs.devolutions.net/pam/server/providers/) in Devolutions Server by going to ***Administration*** – ***Privileged access*** – ***Providers***.
5. Click the plus sign in the top right to add a new provider.
6. Select ***Domain user*** and continue.
7. Enter the required configuration and specify the Domain service account created in step 1. Click ***Save***.
8. Set up the account discovery configuration (prompted when saving the PAM provider).
9. Select the OUs where the privileged account (or test account) is located.
10. Check ***Start scan on save*** under ***Actions***. Click ***Save***.
11. Open the provider’s properties and navigate to the ***Checkout policy*** tab.
12. Create a [check-out policy](https://docs.devolutions.net/pam/pam-with-devolutions-cloud/providers/domain-provider/#checkout-policy) and a [PAM ***vault***](https://docs.devolutions.net/pam/server/pam-vaults/).
13. [Import accounts](https://docs.devolutions.net/pam/server/getting-started/import-accounts-scan-configuration/) from the ***Scan*** (see table below).
14. [Configure an entry](https://docs.devolutions.net/pam/kb/how-to-articles/configure-pam-credentials/) to use the PAM account.

Here is the risk level associated with each account discovered during a scan.

| Group name                      | Privilege tier | Description                                                   |
| ------------------------------- | -------------- | ------------------------------------------------------------- |
| **Domain admins**               | Tier 0         | Full control over domain resources.                           |
| **Enterprise admins**           | Tier 0         | Full control over forest-wide configuration.                  |
| **Schema admins**               | Tier 0         | Can modify the AD schema.                                     |
| **Administrators**              | Tier 0         | Built-in administrators on all domain controllers.            |
| **Account operators**           | Tier 1         | Can manage user/group accounts. Risk of privilege escalation. |
| **Server operators**            | Tier 1         | Can log on locally to DCs and manage services.                |
| **Backup operators**            | Tier 1         | Can back up protected system files; often overlooked.         |
| **Group policy creator owners** | Tier 1         | Can create/edit GPOs; can introduce persistence.              |
| **DNS admins**                  | Tier 1         | Can control DNS zones; potential for domain spoofing.         |

### Devolutions Cloud (Cloud)

1. Configure a [PAM Domain service account](https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/).

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>The PAM Domain service account will be required at a later stage. Make sure to keep the username and password handy.</p></div>
2. Optionally, create a test account for PAM.
3. Install the [PAM service](https://docs.devolutions.net/pam/pam-with-devolutions-cloud/pam-service/).
4. Configure your [PAM domain provider](https://docs.devolutions.net/pam/server/providers/) in Devolutions Cloud by going to ***Administration*** – ***Privileged access*** – ***Providers***.
5. Click the plus sign in the top right to add a new provider.
6. Select ***Domain user*** and continue.
7. Enter the required configuration and specify the Domain service account created in step 1. Click ***Save***.
8. Open the provider’s properties and navigate to the ***Checkout policy*** tab.
9. Create a [check-out policy](https://docs.devolutions.net/pam/pam-with-devolutions-cloud/providers/domain-provider/#checkout-policy) and a PAM vault by clicking ***Add vault***.
10. [Configure an entry](https://docs.devolutions.net/pam/kb/how-to-articles/configure-pam-credentials/) to use the PAM account.
11. Run the ***Account discovery*** next to the provider (see table below).
12. Select the OUs where the privileged account (or test account) is located.
13. After selecting the destination, security, and password settings, click ***Import***.

Here is the risk level associated with each account discovered during an ***Account discovery***.

| Group name                      | Privilege tier | Description                                                   |
| ------------------------------- | -------------- | ------------------------------------------------------------- |
| **Domain admins**               | Tier 0         | Full control over domain resources.                           |
| **Enterprise admins**           | Tier 0         | Full control over forest-wide configuration.                  |
| **Schema admins**               | Tier 0         | Can modify the AD schema.                                     |
| **Administrators**              | Tier 0         | Built-in administrators on all domain controllers.            |
| **Account operators**           | Tier 1         | Can manage user/group accounts. Risk of privilege escalation. |
| **Server operators**            | Tier 1         | Can log on locally to DCs and manage services.                |
| **Backup operators**            | Tier 1         | Can back up protected system files; often overlooked.         |
| **Group policy creator owners** | Tier 1         | Can create/edit GPOs; can introduce persistence.              |
| **DNS admins**                  | Tier 1         | Can control DNS zones; potential for domain spoofing.         |

{% hint style="info" %}
Read [Enable Just-in-Time elevation and provisioning](https://docs.devolutions.net/pam/kb/how-to-articles/quickly_deploy_ad_pam_in_your_environment/enable-jit-pam/) to grant temporary privileged access on demand.
{% endhint %}
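
To cross-check the discovery results of either deployment against the directory itself, the following added example (not Devolutions code) lists the user accounts under the selected OUs that belong to the groups in the table above and labels each with its most privileged tier. It assumes the RSAT `ActiveDirectory` module, a placeholder OU distinguished name, and that the table's "DNS admins" row corresponds to the directory group `DnsAdmins`.

```powershell
# Added example, not Devolutions code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
# Placeholder OU: replace with the OUs selected in the discovery configuration.
$SearchBases = @('OU=Admins,DC=example,DC=com')

# Group-to-tier mapping copied from the table on this page. 'DnsAdmins' is assumed
# to be the directory name of the group the table calls "DNS admins".
$TierByGroup = [ordered]@{
    'Domain Admins'               = 0
    'Enterprise Admins'           = 0
    'Schema Admins'               = 0
    'Administrators'              = 0
    'Account Operators'           = 1
    'Server Operators'            = 1
    'Backup Operators'            = 1
    'Group Policy Creator Owners' = 1
    'DnsAdmins'                   = 1
}

$found = @{}  # distinguishedName -> result record
foreach ($group in $TierByGroup.Keys) {
    try {
        # -Recursive flattens nested groups, so indirect members are included.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Skipping '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $dn = $m.distinguishedName
        $inScope = $SearchBases | Where-Object {
            $dn.EndsWith(",$_", [StringComparison]::OrdinalIgnoreCase) }
        if (-not $inScope) { continue }
        if (-not $found.ContainsKey($dn)) {
            $found[$dn] = [pscustomobject]@{
                SamAccountName = $m.SamAccountName; Tier = $TierByGroup[$group]
                Groups = [System.Collections.Generic.List[string]]::new(); DN = $dn
            }
        }
        $found[$dn].Groups.Add($group)
        # Tier 0 outranks Tier 1: keep the lowest number seen for the account.
        if ($TierByGroup[$group] -lt $found[$dn].Tier) { $found[$dn].Tier = $TierByGroup[$group] }
    }
}

$found.Values | Sort-Object Tier, SamAccountName |
    Select-Object SamAccountName, Tier, @{ n = 'Groups'; e = { $_.Groups -join ', ' } }, DN
```

Accounts that appear in this output but not in the discovery results, or the reverse, are worth reviewing before import.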

#### See also

* [Devolutions Academy – Devolutions PAM](https://academy.devolutions.net/student/path/2354099)


