Least privileges for Active Directory password

With a PAM Provider account, Devolutions Server allows to rotate account passwords. In Active Directory, having a domain administrator account as the provider can be a bit overkill for password rotation. The following article described the steps to create an Active Directory account that will be used as a PAM Provider and have the ability to rotate passwords in Active Directory.

To manage domain administrator accounts as privileged accounts in the PAM module, the PAM AD provider must be part of the domain administrator groups. Then no need to follow these instructions.


  1. Open the Active Directory Users and Computers console.

  2. Select the Organizational Unit (OU) in which the privileged accounts are located or a higher OU level to encompass all OUs the PAM Provider account should have the ability to rotate account's passwords.

  3. From the OU's context menu, select Delegate Control.


  4. On the Welcome dialog, then click Next.


  5. In the Users or Groups dialog, select the account that will be used as the PAM Provider account in Devolutions Server Then click Next.


  6. In the Tasks to Delegate dialog, select the Create a custom task to delegate option. Then click Next.


  7. In the Active Directory Object Type dialog, select the Only the following objects in the folder option, check the User objects item. Then click Next.


  8. In the Permissions dialog, select the General option. Select Change password and Reset password items. Then unchecked the General option.


  9. Again in the Permissions dialog, select the Property-specific option. Find and select the following items:

    • Read lockout Time
    • Write lockout Time
    • Read pwdLastSet
    • Write PwdLastSet
    • Read user AccountControl
    • Write user AccountControl

    Then click Next


  10. Then click on the Finish button to complete the Delegation Control.


The password rotation feature will use the default built-in Devolutions Server password rules. To level-up the password rules to respect your domain password rules, create a password template in Administration - System Settings - Password Template Then set it as the default password template in Administration - System Settings Password Management - Password Template.

Give us Feedback