UseCase2_ADIntegration - sandersdHES/PAMEmergingTech GitHub Wiki

6.2 Importing Active Directory to PAM360

How Does PAM Integrate with Active Directory (AD)?

Active Directory (AD) is a centralised directory service that manages user identities and their access rights to network resources. However, it does not natively provide advanced management of privileged accounts—such as admin accounts, critical service accounts, or root accounts on Linux servers.

This is where Privileged Access Management (PAM) comes in. PAM adds layers of control, monitoring, and protection specifically for privileged accounts on top of AD.

  • PAM secures privileged accounts by replacing standing, static passwords with vaulted credentials that are checked out for a limited time and rotated afterwards.
  • It separates everyday user accounts from administrative accounts, keeping the administrative credentials in a secure vault.
  • It enables Just-in-Time (JIT) access, granting privileges for a specific task only for as long as the task needs them.
  • It logs and records all administrative activity for full auditing and accountability.

Why Use PAM with Active Directory?

Active Directory is a prime target for attackers, as it controls access across the entire organisation. If a privileged AD account is compromised, an attacker could gain full control over your network.

Threats Mitigated by PAM:

  • Pass-the-Hash Attacks: reusing stolen NTLM password hashes to authenticate as a user without knowing the plaintext password.
  • Golden Ticket Attacks: forging Kerberos Ticket Granting Tickets (TGTs) with the compromised KRBTGT account key in order to impersonate any user.
  • Credential Dumping: extracting passwords and hashes from memory, for example from the LSASS process via Mimikatz.
  • Shadow Admins: accounts that hold admin-equivalent rights through delegated permissions (ACLs) rather than membership in the well-known admin groups, so they are easy to overlook.

PAM reduces these risks by eliminating standing privileged access, rotating credentials so that a stolen hash or password stops working quickly, and recording what privileged sessions do. It complements, rather than replaces, domain hardening such as tiered administration and regular rotation of the KRBTGT key, which is what actually invalidates forged tickets.

Objective

This use case demonstrates how to integrate Active Directory (AD) with PAM360 in order to centralize the management of domain users, groups, and organizational units (OUs). This enables secure onboarding of AD accounts into PAM360 for privileged access control, session recording, and password governance.

Context

While AD manages user authentication and access across an enterprise, it lacks granular privilege management and auditing capabilities. Integrating it with PAM360 allows organizations to:

  • Import AD users and assign PAM roles

  • Monitor and control access to AD-linked resources

  • Apply Just-In-Time (JIT) access and credential rotation

  • Protect against credential theft and lateral movement

In this proof of concept (PoC), we built a local AD environment (domain: pampoc.ch), added test users, and connected a Windows 10 VM to the domain to simulate real enterprise conditions.

Prerequisites

  • A Windows Server VM

  • A Windows 10 client VM joined to the domain

  • PAM360 installed and accessible via web interface

Step 1: Create the Active Directory

On the Windows Server VM, install the Active Directory Domain Services (AD DS) role and then promote the server to a domain controller. You can follow the official Microsoft documentation for this.

Official documentation

When the promotion wizard asks for the deployment operation, choose to add a new forest. You can name the root domain as you want, but for the sake of this PoC we will use pampoc.ch.

Promoting the server is the step that actually creates the domain and the forest. By default the wizard also installs the DNS Server role on the domain controller; the Windows 10 client will need to use that DNS server in Step 3.

Step 2: Create Users in Active Directory

You can create users in Active Directory using the GUI or PowerShell. For this PoC, we will use PowerShell to create a few test users.

# Import the Active Directory module
Import-Module ActiveDirectory

# Target path in AD (Users is a container, hence "CN=" and not "OU=")
$ou = "CN=Users,DC=pampoc,DC=ch"

# List of users to create. The shared password is a throwaway value for this
# PoC only; -ChangePasswordAtLogon forces each user to replace it at first sign-in.
$users = @(
    @{FirstName="Alice"; LastName="Durand";  SamAccountName="adurand";  Password="P@ssw0rd123!"},
    @{FirstName="Bob";   LastName="Martin";  SamAccountName="bmartin";  Password="P@ssw0rd123!"},
    @{FirstName="Clara"; LastName="Lopez";   SamAccountName="clopez";   Password="P@ssw0rd123!"},
    @{FirstName="David"; LastName="Nguyen";  SamAccountName="dnguyen";  Password="P@ssw0rd123!"},
    @{FirstName="Emma";  LastName="Schmidt"; SamAccountName="eschmidt"; Password="P@ssw0rd123!"}
)

# Create the accounts
foreach ($user in $users) {
    $fullName   = "$($user.FirstName) $($user.LastName)"
    $securePass = ConvertTo-SecureString $user.Password -AsPlainText -Force

    # Create the user
    New-ADUser `
        -Name $fullName `
        -GivenName $user.FirstName `
        -Surname $user.LastName `
        -SamAccountName $user.SamAccountName `
        -UserPrincipalName "$($user.SamAccountName)@pampoc.ch" `
        -AccountPassword $securePass `
        -Path $ou `
        -Enabled $true `
        -ChangePasswordAtLogon $true

    # No explicit Add-ADGroupMember to "Domain Users" is needed: every new domain
    # user gets "Domain Users" as its primary group automatically, and adding the
    # primary group again with Add-ADGroupMember fails with "already a member".
    Write-Host "✅ User created in '$ou' (member of 'Domain Users' via primary group): $fullName"
}

Step 3: Link the Windows 10 VM to the Domain

Before joining, the Windows 10 VM must be able to locate the domain controller. Change the DNS settings of the Windows 10 VM to point to the IP address of the Active Directory server (ADPAM) rather than relying on the hosts file: the domain join finds a domain controller through DNS SRV records (for example _ldap._tcp.dc._msdcs.pampoc.ch), which a hosts file cannot answer. If you also want a hosts entry for convenience, it must map the domain controller's IP address, not 127.0.0.1 (which is the client itself):

<ip-address-of-ADPAM> ADPAM.pampoc.ch ADPAM

Then join the VM to the domain you just created:

  • Right-click on This PC and select Properties.
  • Click on Change settings under Computer name, domain, and workgroup settings.
  • Click on Change and select Domain.
  • Enter the domain name (e.g., pampoc.ch) and click OK.
  • Enter the credentials of a domain account allowed to join computers to the domain when prompted (this PoC used a domain admin account, which is more than the join requires).
  • Restart the VM to apply the changes.
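The same join, done from an elevated PowerShell on the Windows 10 client with the DNS prerequisite applied and checked first. This is an added example, not part of the original wiki; the domain controller address (192.168.56.10), the choice of network adapter and the account prompted for are placeholders for your own lab.

```powershell
# Added example (not from the original wiki): join the Windows 10 client to the
# PoC domain, fixing DNS first and proving the DC is locatable before the join.
$Domain = "pampoc.ch"
$DcHost = "ADPAM"
$DcIp   = "192.168.56.10"   # placeholder: IP address of the ADPAM domain controller

# 1. Point the client's DNS at the domain controller. A hosts entry is not a
#    substitute: the join locates a DC through SRV records, which only DNS serves.
$adapter = Get-NetAdapter -Physical | Where-Object Status -eq "Up" | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $DcIp
Clear-DnsClientCache

# 2. Check that the DC locator record resolves and points at our DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction Stop
$dcRecord = $srv | Where-Object { $_.Type -eq "SRV" -and $_.NameTarget -like "$DcHost.*" }
if (-not $dcRecord) {
    throw "No SRV record pointing at $DcHost found for $Domain; fix DNS on the DC first."
}
Write-Host "DC locator OK: $($dcRecord.NameTarget) port $($dcRecord.Port)"

# 3. Join. The account only needs the right to create the computer object in the
#    domain; the PoC used a domain admin, which is more than required.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Force -Restart

# 4. After the reboot, confirm the machine account trust and which DC answers:
#    Test-ComputerSecureChannel -Verbose
#    nltest /dsgetdc:pampoc.ch
```

If step 2 throws, the client cannot reach the DC's DNS service at all (firewall, wrong IP, or the DNS Server role missing on the DC); fix that before retrying the join, since the GUI wizard in the steps above fails for the same reason.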

Step 4: Import Active Directory into PAM360

  1. Go to Admin => Active Directory => Active Directory Configuration

  2. Click on Import from Active Directory and fill in the required fields:

    • Create a new Domain and call it PAMPOC
    • Primary Domain Controller: ADPAM
    • Enter the credentials of the account PAM360 will use to read the directory. This PoC used a domain admin account; in a production deployment, prefer a dedicated service account delegated only the rights PAM360 needs (reading users and groups, and resetting the passwords of the accounts it will manage).
    • Domain Name: pampoc.ch
    • Click on Fetch Groups & OUs to import the groups and OUs from the Active Directory.


  3. Select the groups and OUs you want to import into PAM360. You can also select the users you want to import.


You will see that all the users from the AD have been imported into Users in PAM360.


  4. Repeat the process in Resources => Discover Accounts.

After this you will be able to connect to your Windows 10 VM using the credentials of the users you just created in the Active Directory.

Go to Connections and select the Windows 10 VM. You will see local and domain accounts.

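Step 4 hands PAM360 a domain admin account for the import and for discovery. The following is an added example, not part of the original wiki or of ManageEngine's documentation, of what a least-privilege alternative looks like: a dedicated service account that is not a member of any admin group and is delegated, on the container holding the PoC users, only the ability to reset passwords and write pwdLastSet (the same rights the AD delegation wizard grants for "Reset user passwords and force password change at next logon"). The account name svc_pam360 and the target container are assumptions; the exact rights your PAM360 version needs for discovery and rotation should be checked against ManageEngine's documentation before narrowing production permissions.

```powershell
# Added example (not from the original wiki): run on the domain controller to create
# a dedicated PAM360 service account and delegate it only password-reset rights on
# the container where the PoC users live. Names are placeholders for your lab.
Import-Module ActiveDirectory

$svcName = "svc_pam360"                   # assumed service account name
$target  = "CN=Users,DC=pampoc,DC=ch"     # container holding the PoC users

# 1. Create the service account with a random initial password. It is deliberately
#    NOT added to Domain Admins; PasswordNeverExpires is set because PAM360 itself
#    should vault and rotate this credential once the integration is configured.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes) + "!Aa1"   # suffix guarantees complexity
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@pampoc.ch" -AccountPassword $secure `
    -Enabled $true -PasswordNeverExpires $true -Path $target `
    -Description "PAM360 AD integration service account"

# 2. Resolve the GUIDs needed for the ACEs from the schema and configuration
#    partitions instead of hardcoding them.
$rootDse        = Get-ADRootDSE
$userClassGuid  = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=pwdLastSet)" -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid   = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

# 3. Build the ACEs, scoped to descendant user objects only:
#    - the "Reset Password" extended right
#    - read/write on pwdLastSet (needed to force a change at next logon)
#    Reading user and group objects is already allowed to Authenticated Users by
#    default, so no extra read ACE is required for the import step.
$sid     = (Get-ADUser -Identity $svcName).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rwProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwdGuid, $inherit, $userClassGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rwProp, $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$target"
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$target" -AclObject $acl

# 4. Verify what was granted, and show the initial password once so it can be
#    entered into PAM360 (which should then rotate it).
(Get-Acl -Path "AD:\$target").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
Write-Host "Initial password for $svcName (enter into PAM360, then let it rotate): $plain"
```

Use PAMPOC\svc_pam360 in the "Import from Active Directory" and "Discover Accounts" dialogs in place of the domain admin account. If PAM360 reports access errors during discovery or rotation, extend the delegation to the specific right it asks for rather than falling back to Domain Admins.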

Conclusion

Integrating Active Directory (AD) with PAM360 brings centralized identity management and privileged access security into a single cohesive platform. Through this integration, you gain complete visibility and control over privileged AD accounts, while leveraging existing domain structures.

By importing users, groups, and OUs from AD, PAM360 enables:

  • Seamless onboarding of existing domain users into PAM workflows

  • Enforced access control for critical domain resources

  • Secure remote access to Windows endpoints via domain credentials

  • Support for password rotation, JIT access, and full audit logging

This integration not only enhances security posture but also simplifies identity governance—bridging the gap between traditional directory services and modern privilege management requirements.
