Password Management for AD/Entra Domains
This guide describes setting up PrivX to automatically rotate domain-user-account passwords. This setup also provides password-free access to domain-user accounts via PrivX.
High-level steps for setup require you to:
- Create password policies, which determine how domain-user passwords are automatically rotated.
- Deploy the target domain to PrivX.
- Enable PrivX password management for domain-user accounts by switching them to the Managed state.
After the previous steps, you may also enable the following features:
- Configuring Managed accounts as connection targets.
- If users must be able to copy/paste their passwords, also enable password checkout.
Prerequisites for setup include:
- PrivX must be configured with at least one password policy, which determines how domain-user passwords are automatically rotated. You can create password policies under Administration→Deployment→Deploy Password Rotation.
- Ensure the following regarding the domain where the domain-user accounts are located:
  - You will need credentials to at least one AD or Entra endpoint in the domain, so that PrivX can read and write domain information.
  - For AD endpoints, you will need bind information for an account with read/write permissions. Also obtain the LDAP User Filter that matches the AD subtree of the domain's target users. For Entra endpoints, obtain the Tenant ID, Application ID, and Authentication Key.
  - AD accounts used for logging in to PrivX should be excluded from the target domain/subtree. This ensures that PrivX users' passwords aren't accidentally rotated, which would lock them out of PrivX. We recommend separating PrivX users' AD accounts into a different domain or subtree.
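The Base DN and LDAP User Filter are where a mis-scoped setup would put PrivX's own login accounts into rotation. The following is an added example, not PrivX code and not part of this guide: a small evaluator for a subset of LDAP filter syntax (and, or, not, equality and presence) plus a base-DN subtree check, run over constructed directory entries to show which accounts a given Base DN and filter would bring into scope, and whether any of the accounts PrivX users log in with are among them. All DNs, OU names and account names are constructed; AD-specific matching rules such as bitwise userAccountControl tests are outside what this evaluator supports.

```python
"""Added example (not PrivX code): check which directory accounts a Base DN and
LDAP User Filter bring into password-rotation scope, and whether any account
that PrivX users log in with is among them. Entries and names are constructed."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

Entry = Dict[str, str]
Pred = Callable[[Entry], bool]


def _attr(entry: Entry, name: str):
    # LDAP attribute names are case-insensitive.
    for key, value in entry.items():
        if key.lower() == name:
            return value
    return None


def _parse(s: str) -> Tuple[Pred, str]:
    """Parse one parenthesised filter; return (predicate, remaining input).
    Supports &, |, ! and simple (attr=value) / (attr=*) assertions only."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    body = s[1:]
    if body[:1] in ("&", "|"):
        combine = all if body[0] == "&" else any
        body = body[1:]
        children: List[Pred] = []
        while body.startswith("("):
            child, body = _parse(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("unterminated compound filter")
        return (lambda e: combine(c(e) for c in children)), body[1:]
    if body[:1] == "!":
        child, body = _parse(body[1:])
        if not body.startswith(")"):
            raise ValueError("unterminated negation")
        return (lambda e: not child(e)), body[1:]
    m = re.match(r"([A-Za-z][\w.\-]*)=([^()]*)\)", body)
    if not m:
        raise ValueError(f"unsupported or malformed filter at {body!r}")
    attr, value = m.group(1).lower(), m.group(2)
    if value == "*":
        return (lambda e: _attr(e, attr) is not None), body[m.end():]
    return (lambda e: (_attr(e, attr) or "").lower() == value.lower()), body[m.end():]


def evaluate(user_filter: str, entry: Entry) -> bool:
    pred, rest = _parse(user_filter.strip())
    if rest:
        raise ValueError(f"trailing input after filter: {rest!r}")
    return pred(entry)


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies anywhere beneath it."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


def rotation_scope(entries: Iterable[Entry], base_dn: str, user_filter: str) -> List[str]:
    """Account names that the given Base DN + filter would hand to PrivX for rotation."""
    return sorted(e["sAMAccountName"] for e in entries
                  if in_subtree(e["distinguishedName"], base_dn) and evaluate(user_filter, e))


def privx_accounts_in_scope(entries, base_dn, user_filter, privx_login_accounts) -> List[str]:
    """PrivX login accounts that this scope would rotate (and so lock out of PrivX)."""
    wanted = {a.lower() for a in privx_login_accounts}
    return sorted(n for n in rotation_scope(entries, base_dn, user_filter) if n.lower() in wanted)


# Constructed sample directory (not from a real domain).
ENTRIES: List[Entry] = [
    {"distinguishedName": "CN=alice,OU=Server-Admins,DC=corp,DC=example",
     "sAMAccountName": "alice", "objectClass": "user", "objectCategory": "person"},
    {"distinguishedName": "CN=bob,OU=Server-Admins,DC=corp,DC=example",
     "sAMAccountName": "bob", "objectClass": "user", "objectCategory": "person"},
    {"distinguishedName": "CN=FILESRV01,OU=Server-Admins,DC=corp,DC=example",
     "sAMAccountName": "FILESRV01$", "objectClass": "user", "objectCategory": "computer"},
    {"distinguishedName": "CN=carol,OU=PrivX-Users,DC=corp,DC=example",
     "sAMAccountName": "carol", "objectClass": "user", "objectCategory": "person"},
    {"distinguishedName": "CN=svc-privx-bind,OU=PrivX-Users,DC=corp,DC=example",
     "sAMAccountName": "svc-privx-bind", "objectClass": "user", "objectCategory": "person"},
]
# Accounts that PrivX users and PrivX itself authenticate with (constructed).
PRIVX_LOGIN_ACCOUNTS = ["carol", "svc-privx-bind"]

# Whole domain with a catch-all filter versus the intended subtree and person objects only.
BROAD = ("DC=corp,DC=example", "(objectClass=user)")
SCOPED = ("OU=Server-Admins,DC=corp,DC=example", "(&(objectCategory=person)(objectClass=user))")

if __name__ == "__main__":
    for label, (base, flt) in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, rotation_scope(ENTRIES, base, flt),
              "PrivX accounts at risk:", privx_accounts_in_scope(ENTRIES, base, flt, PRIVX_LOGIN_ACCOUNTS))
```

Run it before deploying the domain: a non-empty "PrivX accounts at risk" list with your real Base DN and filter means the scope must be narrowed, or those accounts moved to another subtree, as the prerequisite above recommends.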
Password Policies for Domain-User Password Management
To create a password policy for domain-user password management:
- Go to Administration→Deployment→Deploy Password Rotation, then click Add Password Rotation Policy.
- Define quality constraints for automatically generated passwords. Also define how many users may check out the password at once, and for how long.
You may also consider enabling the following:
- Rotate on Release: This causes users' passwords to be automatically regenerated whenever all checkouts of their password are released.
- Verify After Rotation: PrivX will verify users' passwords after rotation and raise errors or warnings if the new password doesn't work.
- Save your password policy. You may verify it back on the Administration→Deployment→Deploy Password Rotation page. The password policy will be required later for configuring managed accounts.
Deploying Domain to PrivX
Deploy your AD/Entra domain to PrivX, so that PrivX can detect domain users:
- On Administration→Deployment→Target Domains, click Add Target Domain.
- Provide the basic information.
- Under Target Domain Endpoints, configure at least one AD or Entra endpoint from which target-domain information can be scanned.
- (Optional) For high availability, you may set up additional Target Domain Endpoints. In such cases, also note the Scan Priority and Rotation Priority of your endpoints:
  - PrivX scans domain data in order of Scan Priority. When scanning from one endpoint succeeds, PrivX does not try subsequent endpoints. Scan Priority must be unique among endpoints.
  - Rotation Priority can be set to Primary, Secondary, or Disabled. Primary endpoints are preferred for password rotation. You must have at least one Primary endpoint.
  - Some domain-user attributes may change when using both AD and Entra endpoints at the same time, because AD and Entra store different values for the same field. For this reason we recommend defining only AD endpoints, or only Entra endpoints, for the domain.
- Click Save to apply your changes. You may verify the target-domain deployment back on the Administration→Deployment→Target Domains page. The Scan Status should be Completed to indicate that the domain was deployed successfully to PrivX.
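As an added example (not PrivX code), the endpoint rules above as a small model: a configuration check that rejects duplicate Scan Priorities and an endpoint set with no Primary, a scan that walks endpoints in Scan Priority order and stops at the first success, and the order in which endpoints would be considered for rotation. Endpoint names and the failing-endpoint behaviour are constructed; ordering Primary endpoints among themselves by Scan Priority is an assumption, since the guide only states that Primary is preferred over Secondary.

```python
"""Added example (not PrivX code): a model of the Scan Priority and Rotation
Priority rules for Target Domain Endpoints. Endpoint names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ROTATION_LEVELS = ("Primary", "Secondary", "Disabled")


@dataclass(frozen=True)
class Endpoint:
    name: str
    scan_priority: int
    rotation_priority: str  # one of ROTATION_LEVELS


def validate(endpoints: List[Endpoint]) -> List[str]:
    """Return the configuration problems the guide's rules forbid (empty list = OK)."""
    problems: List[str] = []
    if not endpoints:
        problems.append("at least one endpoint is required")
    seen: Dict[int, str] = {}
    for ep in endpoints:
        if ep.rotation_priority not in ROTATION_LEVELS:
            problems.append(f"{ep.name}: unknown Rotation Priority {ep.rotation_priority!r}")
        if ep.scan_priority in seen:  # Scan Priority must be unique
            problems.append(f"{ep.name}: Scan Priority {ep.scan_priority} already used by {seen[ep.scan_priority]}")
        seen.setdefault(ep.scan_priority, ep.name)
    if endpoints and not any(ep.rotation_priority == "Primary" for ep in endpoints):
        problems.append("at least one endpoint must have Rotation Priority Primary")
    return problems


def scan(endpoints: List[Endpoint], try_scan: Callable[[Endpoint], bool]) -> Optional[str]:
    """Try endpoints in ascending Scan Priority; stop at the first one that succeeds."""
    for ep in sorted(endpoints, key=lambda e: e.scan_priority):
        if try_scan(ep):
            return ep.name
    return None  # every endpoint failed: scan status would not be Completed


def rotation_order(endpoints: List[Endpoint]) -> List[str]:
    """Primary endpoints before Secondary; Disabled endpoints never rotate passwords.
    Tie-break by Scan Priority is an assumption of this model, not a documented rule."""
    rank = {"Primary": 0, "Secondary": 1}
    usable = [ep for ep in endpoints if ep.rotation_priority in rank]
    return [ep.name for ep in sorted(usable, key=lambda e: (rank[e.rotation_priority], e.scan_priority))]


# Constructed endpoint set: one Primary, one Secondary, one read-only replica.
ENDPOINTS = [
    Endpoint("dc1", 1, "Primary"),
    Endpoint("dc2", 2, "Secondary"),
    Endpoint("dc3", 3, "Disabled"),
]

if __name__ == "__main__":
    print("problems:", validate(ENDPOINTS))
    # Simulate dc1 being unreachable: the scan must fail over to dc2.
    print("scanned from:", scan(ENDPOINTS, lambda ep: ep.name != "dc1"))
    print("rotation order:", rotation_order(ENDPOINTS))
```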
Managing Domain-User Passwords
A domain-user account must be set to the Managed state before its password can be managed by PrivX. To do this:
- Find the domain user in PrivX. To do this, go to Administration→Deployment→Target Domains, click ☰ next to the domain, then select List Accounts. This lists the accounts belonging to the domain.
- In the Accounts list, click ☰ next to the target user and select Create Managed Account.
- To immediately enable automatic password rotation, enable Rotation Enabled and Trigger Initial Rotation. Also select the Password Policy that will be used for rotating the account password in the future.
For accounts that are already Managed, you can immediately change their password as follows:
- Find the Managed account in PrivX. To do this, go to Administration→Deployment→Target Domains, click ☰ next to the domain, then select List Managed Accounts. This lists the Managed accounts belonging to the domain.
- In the Accounts list, click ☰ next to the target account, then select Rotate Password. This creates a new password according to the account's password policy.
Domain-User Access Setup
To allow PrivX users to connect to domain accounts without a password:
- Similarly to setting up regular accounts as connection targets, go to Administration→Hosts, Edit the target host, and Add Account.
- Provide the following information for the account:
  - Account Type: Use Explicit to provide access to one of the domain users. Also provide the target account's Username and Target Domain. You can verify the Username from Administration→Target Domains with the List Managed Accounts action. Use Directory to provide access to all managed accounts by mapping a PrivX user to one managed account.
  - Specify the Roles that may access the target.
Permitted PrivX users may now connect to the target host/account via Connections→Hosts.
Checkout Rotated Passwords
If users need to copy/paste their domain-user-account passwords, you can allow this as follows:
- Find the Managed account in PrivX. To do this, go to Administration→Deployment→Target Domains, click ☰ next to the domain, then select List Managed Accounts. This lists the Managed accounts belonging to the domain.
- Edit the target account. Enable Explicit Checkout for the account, then Save your changes.
PrivX users with access to this managed account can now copy the password from the Secrets tab of the connection view, by clicking Checkout Secret. Alternatively, they may copy it from Secrets→Host Account Secrets.
Domain-user passwords cannot be checked out when Max Concurrent Checkouts is reached. Max Concurrent Checkouts is defined in the user's password-rotation policy.
When all checkouts of a password are released (either manually or via timeout), PrivX automatically rotates the account password.
On checkout, users get access to all stored versions of the password. In highly concurrent scenarios a user may need to use an older version of the password. The number of stored password versions is determined by the Max Versions setting in the account's password policy.
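To make the interplay of Max Concurrent Checkouts, Rotate on Release and Max Versions traceable, here is an added example that models the rules described in this section. It is not PrivX code: the account name and policy values are constructed, and the password generator is a stand-in for PrivX's policy-driven generation.

```python
"""Added example (not PrivX code): a model of the checkout rules described above.
Account name and policy values are constructed; password generation is a stand-in."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALPHABET = string.ascii_letters + string.digits


@dataclass
class Policy:
    max_concurrent_checkouts: int
    max_versions: int          # assumed >= 1
    rotate_on_release: bool = True


@dataclass
class ManagedAccount:
    name: str
    policy: Policy
    versions: List[str] = field(default_factory=list)  # stored passwords, newest last
    holders: Set[str] = field(default_factory=set)     # users with an open checkout
    rotations: int = 0

    def rotate(self, length: int = 24) -> str:
        """Generate a new password and drop versions beyond Max Versions."""
        self.versions.append("".join(secrets.choice(ALPHABET) for _ in range(length)))
        del self.versions[:-self.policy.max_versions]
        self.rotations += 1
        return self.versions[-1]

    def checkout(self, user: str) -> List[str]:
        """Return every stored version, newest first; refuse once the limit is reached."""
        if user not in self.holders:
            if len(self.holders) >= self.policy.max_concurrent_checkouts:
                raise PermissionError(f"{self.name}: Max Concurrent Checkouts reached")
            self.holders.add(user)
        return list(reversed(self.versions))

    def release(self, user: str) -> None:
        """Release one checkout (manual or timeout); the last release triggers rotation."""
        self.holders.discard(user)
        if not self.holders and self.policy.rotate_on_release:
            self.rotate()


def scenario() -> Dict[str, object]:
    """Two users check out, a third is refused, the last release rotates the password,
    and repeated rotations keep the history capped at Max Versions."""
    acct = ManagedAccount("svc-backup", Policy(max_concurrent_checkouts=2, max_versions=3))
    acct.rotate()                       # Trigger Initial Rotation
    acct.checkout("alice")
    acct.checkout("bob")
    try:
        acct.checkout("carol")
        third_blocked = False
    except PermissionError:
        third_blocked = True
    acct.release("alice")
    rotations_mid = acct.rotations      # bob still holds the password: no rotation yet
    acct.release("bob")                 # last release -> Rotate on Release
    rotations_after = acct.rotations
    for _ in range(5):                  # further rotations: history stays capped
        acct.rotate()
    visible = acct.checkout("dave")
    return {
        "third_checkout_blocked": third_blocked,
        "rotations_before_last_release": rotations_mid,
        "rotations_after_last_release": rotations_after,
        "stored_versions": len(acct.versions),
        "newest_first": visible[0] == acct.versions[-1],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the model makes visible: a release only rotates the password once no one else holds it, so a user who checked out earlier keeps a working credential until the last holder releases, and after that only the most recent Max Versions passwords remain retrievable.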
Fixing Desynchronized Passwords Between Domain and PrivX
In situations where a domain user's password becomes desynchronized between PrivX and the AD/Entra domain, for example due to a domain-side password reset, you may manually provide the new password to PrivX:
- If the user's password is not known, request your domain administrator to provide a new password on the domain side.
- Provide the account's password in PrivX. To do this, go to Administration→Deployment→Target Domains, click ☰ next to the domain, then select List Managed Accounts.
- Find the right account, click ☰ next to the account, and select Provide Password. Provide the same password from the previous step.
- Click Save to save your changes. This should synchronize the password between PrivX and the target domain.