# Active Directory

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FD4pFTWlEuiTNgUy4pXoD%2FLocal%20Network%20rotations.jpg?alt=media&#x26;token=a54e5b3b-1dc1-4160-a142-d616e9c8f038" alt=""><figcaption></figcaption></figure>

## Overview

In this guide, you'll learn how to remotely rotate Active Directory user accounts using KeeperPAM.

## Prerequisites

This guide assumes the following tasks have already taken place:

* [Rotation enforcements](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies) are configured for your role
* A Keeper Secrets Manager [application](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/applications) has been created
* Your [Keeper Gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) is online
* The Keeper Gateway is able to connect to your Active Directory via LDAPS (port 636)

### 1. Set up a PAM User Record

Keeper Rotation will use the credentials in this PAM User record to rotate other accounts in your directory. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTdolMVL5fQvfl1hcbJeJ%2FScreenshot%202025-09-17%20101134.png?alt=media&#x26;token=601154ee-172d-4aab-ae03-7a34bf835af9" alt="PAM User record for AD Admin" width="362"><figcaption><p>PAM User record for AD Admin</p></figcaption></figure>

{% hint style="info" %}
The PAM User record needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
{% endhint %}

#### PAM User Record Fields

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM User</td></tr><tr><td><strong>Title</strong></td><td>Keeper record title</td></tr><tr><td><strong>Login</strong></td><td>The username of the Active Directory admin. The format of the username depends on the target system and type of service.<br><br>Examples:<br><code>Administrator Administrator@domain.local</code></td></tr><tr><td><strong>Password</strong></td><td>Password of the admin user on the Active Directory.</td></tr><tr><td><strong>Distinguished Name</strong></td><td>Full Distinguished Name (DN) of the admin user on the Active Directory.</td></tr></tbody></table>

### 2. Set up a PAM Configuration

A [PAM Configuration](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration) associates an environment with a Keeper Gateway and credentials. If you don't have a PAM Configuration set up yet for this use case, create one.

<table><thead><tr><th width="200">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, example: <code>My Active Directory</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>Domain Controller</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that has access to your directory server</td><td></td></tr><tr><td><strong>Application Folder</strong></td><td>Select the Shared folder that contains the PAM User record created in step 1.</td><td></td></tr><tr><td><strong>Administrative Credential</strong></td><td>Select the PAM User record created in step 1.</td><td></td></tr><tr><td>Hostname or IP Address</td><td>Enter the domain or IP address of your Active Directory domain.</td><td></td></tr><tr><td>Port</td><td>Enter 636 (LDAPS). 389 LDAP is not supported for rotations.</td><td></td></tr><tr><td>Use SSL</td><td>Ensure this checkbox is checked.</td><td></td></tr></tbody></table>

### 3. Set up PAM User records

KeeperPAM will use the credentials linked from the PAM User record to rotate other PAM User records in your environment. The PAM User credential needs to be saved in a shared folder that is assigned to the secrets manager application. In the example below, the AD user `demouser` can be rotated.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FlksgxWGHiHXbBOAOGr4R%2FScreenshot%202025-01-09%20at%2011.31.03%E2%80%AFAM.png?alt=media&#x26;token=ef96dd4c-6680-4306-b41f-03ada975a768" alt=""><figcaption><p>Example of Active Directory account password rotation</p></figcaption></figure>

#### PAM User Record Fields

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM User</td></tr><tr><td><strong>Title</strong></td><td>Keeper record title, e.g. <code>AD User - demouser</code></td></tr><tr><td><strong>Login</strong></td><td>Username of the account being rotated. The format of the username depends on the target system and type of service.<br><br>Examples:<br><code>demouser</code><br><code>demouser@domain.local</code></td></tr><tr><td><strong>Password</strong></td><td>Account password is optional. In most cases, a password rotation will not require the existing password to be present. However there are some scenarios and protocols which may require it.</td></tr><tr><td><strong>Distinguished Name</strong></td><td>The LDAP DN for the user, e.g.<br><code>CN=Demo User,CN=Users,DC=lureydemo,DC=local</code></td></tr></tbody></table>

If you don't know the user's DN, the following PowerShell command can be used to find it:

```
Get-ADUser -Identity <username> -Properties DistinguishedName
```

### 4. Configure Rotation on the Record

Select the PAM User record, edit the record and open the Password Rotation Settings.

Any user with edit rights to a PAM User record and [enforcement policies](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies) allowing rotation has the ability to set up rotation for that record.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F7H7cHgj2DnmNuyxmFPnG%2FScreenshot%202025-09-17%20102435.png?alt=media&#x26;token=4ba11b31-4f97-4fac-aebc-4fad83fad8d3" alt="PAM User scheduled rotations" width="323"><figcaption><p>PAM User scheduled rotations</p></figcaption></figure>

* The "Rotation" should be of type `IAM User`.
* The "PAM Configuration" field should point to the Active Directory PAM Configuration created in step 2.
* Select the desired schedule and password complexity.
* Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

### Troubleshooting

An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FKD087si6y6fF3dbuFWpy%2FScreenshot%202023-04-07%20at%2010.56.21%20AM.png?alt=media&#x26;token=6e360d49-856c-451a-816e-2b1490d44557" alt=""><figcaption><p>Testing and LDAP connection with LDP.exe</p></figcaption></figure>

### Testing with a Self-Signed Cert

For the purpose of testing an Active Directory user account rotation with Keeper, it is necessary to ensure that the LDAPS connection is active and using a valid certificate. If you are just testing and don't have a production certificate, the instructions below provide you with a self-signed cert.

{% hint style="warning" %}
Using a self-signed certificate with AD is only for testing purposes, do not use in production
{% endhint %}

{% stepper %}
{% step %}
**Create a cert**

From PowerShell running as an administrator, create a self-signed cert. Note that the subject name and alternate names of the certificate must match with the server hostname. In this example, the primary name is `XYZ123.company.local` with alternate names `company.local` and `company`.

{% code overflow="wrap" %}

```
New-SelfSignedCertificate -DnsName XYZ123.company.local,company.local,company, -CertStoreLocation cert:\LocalMachine\My
```

{% endcode %}
{% endstep %}

{% step %}
**Install the cert**

This script will locate the cert in the personal section of the certificate manager and copy it into the trusted domains. Replace the `company` parameter in the first line of this script with the domain in step 1.

{% code overflow="wrap" %}

```
# Get the cert we just created
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Subject -like "*company*"}
$thumbprint = ($cert.Thumbprint | Out-String).Trim()

# Copy to NTDS through registry
$certStoreLoc = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates'
if (!(Test-Path $certStoreLoc)) {
    New-Item $certStoreLoc -Force
}
Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStoreLoc

# Copy to Trusted Root store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()
```

{% endcode %}
{% endstep %}

{% step %}
**Restart NTDS**

After restarting the NTDS service, the certificate should be installed.

```
Restart-Service NTDS -force
```

{% endstep %}

{% step %}
**Check the connectivity**

Run 'LDP.exe' and make sure that you're able to connect to the local domain over port 636 with SSL enabled.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FEqolqHYLiMQnY7X8DaQT%2FScreenshot%202025-01-09%20at%2011.45.17%E2%80%AFAM.png?alt=media&#x26;token=e57fca91-d32d-46f9-9744-cc828d6cdc29" alt=""><figcaption><p>Connect using LDP.exe</p></figcaption></figure>
{% endstep %}
{% endstepper %}