# Managed Microsoft AD User

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F37orTjzRRK23pCO2bVcX%2FDirectory%20User.jpg?alt=media&#x26;token=d24de70d-6d13-48ce-af78-36ea0e66b873" alt=""><figcaption></figcaption></figure>

## Overview

In this guide, you will learn how to rotate Admin and User Accounts of an AWS Managed Microsoft AD service using Keeper Rotation. The Active Directory Service is an AWS managed resource where the Directory Service admin credentials are linked to the **PAM Directory** record type and the configurations of the AD Users are defined in the **PAM User** record type.

For Amazon Managed Active Directory Services, the AWS SDK will be used to rotate the password of Directory Admins. User Account passwords will be rotated using LDAP and, in order to successfully rotate, server-side LDAPS must be configured and the Directory Admin, defined in the **PAM Directory** record type, must be using a SSL Connection.

## Prerequisites

This guide assumes the following tasks have already taken place:

* Keeper Secrets Manager is enabled for your [role](/keeperpam/privileged-access-manager/getting-started/enforcement-policies.md#secrets-manager)
* Keeper Rotation is enabled for your [role](/keeperpam/privileged-access-manager/getting-started/enforcement-policies.md#keeper-rotation)
* A Keeper Secrets Manager [application](/keeperpam/privileged-access-manager/getting-started/applications.md) has been created
* A Keeper Rotation [gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md) is already installed, running, and is able to communicate with your AWS Directory Services
* Your AWS environment is [configured](/keeperpam/privileged-access-manager/getting-started/pam-configuration/aws-environment-setup.md) per our documentation

## 1. Set up a PAM Directory Record

Keeper Rotation will use the linked admin credentials of your AWS Managed Directory Service to rotate passwords of Domain Service's directory accounts. These admin credentials can also be used to rotate the passwords of the Directory admin.

The following table lists all the **required** fields on the **PAM Directory** Record:

<table><thead><tr><th width="233">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Name of the Record i.e. <code>AD Domain Service</code></td></tr><tr><td><strong>Hostname or IP Address</strong></td><td>The Directory DNS Name i.e. <code>ad.pam.test</code></td></tr><tr><td><strong>Port</strong></td><td><code>636</code> for LDAPS</td></tr><tr><td><strong>Use SSL (checkbox)</strong></td><td>Must be checked</td></tr><tr><td><strong>Administrative Credentials</strong></td><td>PAM User providing the directory service admin account and password i.e. <code>Admin</code><br><br><strong>Note</strong>: Either Login and Domain Name <strong>or</strong> Distinguished Name is required. Distinguished Name is preferred.</td></tr><tr><td><strong>Distinguished Name</strong></td><td>Directory Service Admin Account's Distinguished Name (DN).<br><br><strong>Note:</strong> If DN is not provided, the following format will be used:<br>Given domain name is <code>example.com</code>:<br><code>CN=&#x3C;user>,CN=Users,DC=example,DC=com</code></td></tr><tr><td><strong>Domain Name</strong></td><td>The Directory DNS Name<br><br>Note: This is required if using Login instead of Distinguished Name</td></tr><tr><td><strong>Directory ID</strong></td><td>Directory Service's Identifier i.e <code>d-##########</code></td></tr><tr><td><strong>Directory Type</strong></td><td>Directory Service Directory type, defaults to <code>Active Directory</code> if left blank.</td></tr><tr><td><strong>Provider Region</strong></td><td>AWS region name i.e. <code>us-east-1</code></td></tr></tbody></table>

Note: Adding Provider Region and Directory ID will enable managing the **PAM Directory** Record through the AWS SDK, which is preferred.

This PAM Directory Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.

## 2. Set up PAM Configuration <a href="#managed-directory-services" id="managed-directory-services"></a>

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new **PAM Configuration**, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".\
\
The following table lists all the required fields on the **PAM Configuration** Record:

<table><thead><tr><th width="197">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, example: <code>AWS AD Configuration</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>AWS</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the pre-requisites</td><td></td></tr><tr><td><strong>Application Folder</strong></td><td>Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the admin accounts, not the machines.</td><td></td></tr><tr><td><strong>AWS ID</strong></td><td>A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short<br>Ex: <code>AWS-1</code></td><td></td></tr><tr><td><strong>Access Key ID</strong></td><td>Set this field to <code>USE_INSTANCE_ROLE</code> if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.</td><td></td></tr><tr><td><strong>Access Secret Key</strong></td><td>Set this field to <code>USE_INSTANCE_ROLE</code> if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.</td><td></td></tr><tr><td><strong>Region Names</strong></td><td>List of AWS region names, one per line<br>Example:<br><code>us-east-1</code><br><code>us-east-2</code></td><td></td></tr></tbody></table>

For more details on all the configurable fields in the PAM Configuration record, visit this [page](/keeperpam/privileged-access-manager/getting-started/pam-configuration.md).

## 3. Set up one or more PAM User Records

Keeper Rotation will use the credentials in the **PAM Directory** record to rotate the **PAM User** records on your AWS environment. The **PAM User** credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the **PAM User** record:

<table><thead><tr><th width="206.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Keeper record title i.e. <code>AWS Directory User1</code></td></tr><tr><td><strong>Login</strong></td><td>Username of the Directory Service's user account</td></tr><tr><td><strong>Password</strong></td><td>Account password is optional, rotation will set one if blank</td></tr><tr><td><strong>Distinguished</strong> <strong>Name</strong></td><td>Directory Service User Account's Distinguished Name (DN)</td></tr></tbody></table>

## 4. Configure Rotation on the PAM User records

Select the **PAM User** record(s) from Step 3, edit the record and open the "Password Rotation Settings".

* Select the desired schedule and password complexity.
* The "Rotation Settings" should use the **PAM Configuration** setup previously.
* The "Resource Credential" field should select the **PAM Directory** credential setup from Step 1.
* Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with `edit` rights to a **PAM User** record has the ability to setup rotation for that record.

## Troubleshooting

#### Getting the Distinguished Names of AWS Managed Directory Service Users

The following windows command can be used to get the distinguished name of the Directory user:

```powershell
Get-ADUser -Identity "username" | Select-Object -ExpandProperty DistinguishedName
```

If the command does not exist, you need to import the appropriate module with:

```powershell
Import-Module ActiveDirectory
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/aws/directory-user.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.