Managed Microsoft AD User
Rotating Google Cloud Managed Microsoft AD Service accounts with Keeper

Overview
In this guide, you will learn how to rotate user accounts of a Google Cloud Managed Microsoft AD service using Keeper Rotation. The Active Directory Service is an AWS managed resource: the Directory Service admin credentials are linked to the PAM Directory record type, and the AD users to be rotated are defined in the PAM User record type.
User account passwords are rotated over LDAP. For rotation to succeed, server-side LDAPS must be configured and the Directory Admin defined in the PAM Directory record must use an SSL connection (Active Directory only accepts password writes over an encrypted session).
Prerequisites
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Google Cloud Directory Services
Your Google Cloud environment is configured per our documentation
1. Set up a PAM Directory Record
Keeper Rotation will use the linked admin credentials of your AWS Managed Directory Service to rotate the passwords of the Directory Service's user accounts. These admin credentials can also be used to rotate the password of the Directory admin itself.
The following table lists all the required fields on the PAM Directory Record:
Title: Name of the record, e.g. AD Domain Service
Hostname or IP Address: The directory DNS name, e.g. ad.pam.test
Port: 636 for LDAPS
Use SSL (checkbox): Must be checked
Administrative Credentials: PAM User providing the directory service admin account and password, e.g. Admin
Note: Either Login and Domain Name or Distinguished Name is required. Distinguished Name is preferred.
Distinguished Name: The directory service admin account's Distinguished Name (DN). Example: CN=jsmith,OU=Cloud,DC=example,DC=com
Note: If no DN is provided, the following format is used (for the domain name example.com): CN=<user>,CN=Users,DC=example,DC=com
Domain Name: The directory DNS name. Note: required if using Login instead of Distinguished Name.
Directory ID: The Directory Service's identifier, e.g. d-##########
Directory Type: The Directory Service directory type; defaults to Active Directory if left blank.
Provider Region: Google Cloud region name, e.g. us-east1
This PAM Directory Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
2. Set up PAM Configuration
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title: Configuration name, e.g. GCP Workspace Configuration
Environment: Select Google Cloud
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID: A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it is recommended to keep it short, e.g. GCP-DepartmentName
Service Account Key: Copy the JSON text of the Gateway's service account key
For more details on all the configurable fields in the PAM Configuration record, visit this page.
3. Set up one or more PAM User Records
Keeper Rotation will use the credentials in the PAM Directory record to rotate the PAM User records on your GCP environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title: Keeper record title, e.g. AWS Directory User1
Login: Username of the Directory Service's user account
Password: Optional; rotation will set one if left blank
Distinguished Name: The Directory Service user account's Distinguished Name (DN)
4. Configure Rotation on the PAM User records
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Directory credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.
Troubleshooting
Getting the Distinguished Names of GCP Managed Directory Service Users
The following Windows PowerShell command can be used to get the distinguished name of the Directory user:
Get-ADUser -Identity "username" | Select-Object -ExpandProperty DistinguishedName
If the command does not exist, you need to import the appropriate module with:
Import-Module ActiveDirectory
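The same lookup can be done over LDAPS from a host without the ActiveDirectory module, which also tells you whether a user sits outside CN=Users and therefore needs the Distinguished Name field filled in rather than the default format from Step 1. This is an added example, not Keeper's code; it assumes the ldap3 library and uses constructed placeholder values for the host, admin DN and password.

```python
import ssl
from typing import Optional


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain name into its DC= components, e.g. example.com -> DC=example,DC=com."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def default_dn(user: str, domain: str) -> str:
    """The DN used when the Distinguished Name field is left blank: CN=<user>,CN=Users,DC=..."""
    return f"CN={user},CN=Users,{domain_to_base_dn(domain)}"


def dn_needs_override(actual_dn: str, user: str, domain: str) -> bool:
    """True when the account lives outside CN=Users, so the DN field must be set explicitly."""
    return actual_dn.lower() != default_dn(user, domain).lower()


def ldaps_connect(host: str, admin_dn: str, admin_password: str, ca_file: Optional[str] = None):
    """Bind over LDAPS on port 636 with certificate validation, matching the Use SSL requirement."""
    from ldap3 import Connection, Server, Tls  # lazy import: the helpers above need no ldap3
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    return Connection(server, user=admin_dn, password=admin_password, auto_bind=True)


def lookup_dn(conn, domain: str, sam_account: str) -> Optional[str]:
    """Find a user's real DN by sAMAccountName (same answer as Get-ADUser ... DistinguishedName)."""
    from ldap3 import SUBTREE
    from ldap3.utils.conv import escape_filter_chars  # never splice raw input into an LDAP filter
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_chars(sam_account)}))"
    conn.search(domain_to_base_dn(domain), flt, SUBTREE, attributes=["distinguishedName"])
    return conn.entries[0].entry_dn if conn.entries else None


def set_password(conn, user_dn: str, new_password: str) -> bool:
    """Reset unicodePwd; AD refuses this write on an unencrypted session, hence LDAPS is mandatory."""
    return conn.extend.microsoft.modify_password(user_dn, new_password)


if __name__ == "__main__":
    # Constructed placeholders: replace with your directory host, admin DN and a PAM User login.
    conn = ldaps_connect("ad.pam.test", "CN=Admin,CN=Users,DC=pam,DC=test", "ADMIN-PASSWORD-PLACEHOLDER")
    real_dn = lookup_dn(conn, "pam.test", "jsmith")
    print(real_dn, "needs explicit DN:", bool(real_dn) and dn_needs_override(real_dn, "jsmith", "pam.test"))
```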