# Enable just-in-time elevation and provisioning

After [deploying AD PAM in your environment](https://docs.devolutions.net/pam/kb/how-to-articles/quickly_deploy_ad_pam_in_your_environment/), you can enable Just-in-Time elevation and provisioning to grant temporary privileged access on demand.

#### Just-in-Time elevation

1. Add the [permission to create user groups](https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/) to your PAM domain provider account in AD.
2. Identify the user groups in AD you would like to be available for Just-in-Time elevation.
3. Back in Devolutions Server or Devolutions Cloud, go to ***Administration*** – ***Privileged access*** – ***Providers***, and click ***Edit*** on your PAM provider.
4. Select the ***JIT privilege elevation*** section on the left menu.
5. Select the user group identified earlier.
6. If you would like to limit the JIT access to specific accounts, click ***Enable Privilege Sets***.
7. Add a prefix to the group name, such as `DVLS-JIT-`.
8. Select a location for the temporary groups to be created.
9. If you have multiple DCs, configure a ***Replication latency*** so that JIT changes have time to replicate across all DCs. Click ***Save***.
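
To confirm afterwards that temporary elevation groups do not linger in AD, the following read-only audit is an added example, not part of the Devolutions documentation or product. The OU distinguished name and the age threshold are placeholder assumptions; the prefix is the `DVLS-JIT-` example from step 7.

```powershell
# Added example: read-only audit of temporary JIT elevation groups in AD.
# Requires the ActiveDirectory module (RSAT). Nothing is modified.
Import-Module ActiveDirectory

# Assumptions, replace with the values from your own PAM provider settings:
$JitPrefix   = 'DVLS-JIT-'                    # group name prefix (step 7)
$JitOU       = 'OU=PAM-JIT,DC=example,DC=com' # placeholder DN of the location chosen in step 8
$MaxAgeHours = 8                              # hypothetical longest elevation window you allow

$now    = Get-Date
$cutoff = $now.AddHours(-$MaxAgeHours)

# Search the whole domain so prefixed groups outside the chosen location are also found.
$groups = Get-ADGroup -Filter "Name -like '$($JitPrefix)*'" `
    -Properties whenCreated, member, memberOf

$report = foreach ($g in $groups) {
    [pscustomobject]@{
        Name     = $g.Name
        Created  = $g.whenCreated
        AgeHours = [math]::Round(($now - $g.whenCreated).TotalHours, 1)
        Members  = @($g.member).Count
        MemberOf = $g.memberOf -join '; '
        # True only when the group sits under the configured location
        InJitOU  = $g.DistinguishedName.EndsWith(",$JitOU",
                       [StringComparison]::OrdinalIgnoreCase)
        # Older than the longest elevation you expect to be active
        Stale    = $g.whenCreated -lt $cutoff
    }
}

# Full inventory, oldest first
$report | Sort-Object Created | Format-Table -AutoSize

# Findings worth investigating: old groups, or prefixed groups in an unexpected OU
$findings = @($report | Where-Object { $_.Stale -or -not $_.InJitOU })
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) JIT group(s) are stale or outside $JitOU"
    $findings | Format-List Name, Created, AgeHours, Members, MemberOf, InJitOU
} else {
    Write-Output "No stale or misplaced groups with prefix '$JitPrefix' found."
}
```

Run it from a scheduled task under an account with read access only, and review any group it reports against the checkout history in Devolutions Server.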

#### Just-in-Time provisioning

1. Open the Active Directory Users and Computers (ADUC) console, right-click the organizational unit (OU) containing your PAM account, and select ***Delegate Control...***.
2. Follow the wizard, and make sure to check the ***Create, delete, and manage user accounts*** permission during the task delegation step.

   <div data-gb-custom-block data-tag="hint" data-style="success" class="hint hint-success"><p>To follow least privilege, you can choose <em><strong>Create a custom task to delegate</strong></em> and grant only the minimal permissions required to create users in AD.</p></div>
3. Back in Devolutions Server or Devolutions Cloud, go to ***Administration*** – ***Privileged access*** – ***Providers***, and click ***Edit*** on your PAM provider.
4. Open the ***JIT privilege elevation*** tab, and select the user group identified earlier.
5. Choose a location for the temporary users to be created.
6. If you have multiple domain controllers (DCs), configure ***Replication latency*** to give JIT changes enough time to replicate across all DCs, and click ***Save***.
7. In your [PAM ***vault***](https://docs.devolutions.net/pam/server/pam-vaults/), add a new domain user.
8. Enter the username for the account.
9. Check the ***Just-In-Time (JIT) account*** check box, and click ***Save***.

