Service Account Setup — Active Directory
Section: Security | Article 20
Audience: Active Directory Administrators
Last Updated: 2026-04-06
Why Three Service Accounts?
RP-PAM uses a strict three-account model to limit the damage if any single account is compromised. No single service account has access to all functions.
| Account | Purpose | Risk if Compromised |
|---|---|---|
| DRA (Directory Reader Account) | Read-only queries | Attacker can see users and groups, but cannot change anything |
| PA (Provisioning Account) | Write operations (add/remove group members) | Attacker can modify group memberships in targeted OUs only |
| ARA (Audit & Reporting Account) | Read audit logs, write to audit database | Attacker can see audit data but cannot access credentials |
Key security principle: Even if ALL THREE accounts are compromised simultaneously, the attacker cannot read credentials from the vault. Vault credentials are encrypted with separate keys that are not accessible to any service account.
Step-by-Step: Create the Service Accounts
Prerequisites
- Domain Admin or equivalent access to Active Directory
- Access to Active Directory Users and Computers (ADUC) or PowerShell
- The OU structure where you want to place RP-PAM service accounts
Step 1: Create an OU for RP-PAM Service Accounts
Create a dedicated Organisational Unit to contain all RP-PAM service accounts. This makes it easy to apply restrictive policies.
Using ADUC (GUI):
1. Open Active Directory Users and Computers
2. Right-click your domain → New → Organisational Unit
3. Name: RP-PAM Service Accounts
4. Click OK
Using PowerShell:
```powershell
New-ADOrganizationalUnit -Name "RP-PAM Service Accounts" `
    -Path "DC=corp,DC=local" `
    -ProtectedFromAccidentalDeletion $true
```
Step 2: Create the Directory Reader Account (DRA)
The DRA is a read-only account. It can query users, groups, and OUs but cannot make any changes.
Using PowerShell:
```powershell
# Generate a strong random password (64 characters) from a cryptographic RNG.
# Get-Random is not a CSPRNG, and Get-Random -Count 64 would draw each character at most once.
$pool  = [char[]]((48..57) + (65..90) + (97..122) + (33,35,36,37,38,42))   # 68 characters
$bytes = [byte[]]::new(256)                                                 # oversample; ~20% is discarded below
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
# Keep only bytes below 204 (= 3 * 68) so that the modulo step introduces no bias
$draPassword = -join ($bytes | Where-Object { $_ -lt 204 } | Select-Object -First 64 |
    ForEach-Object { $pool[$_ % $pool.Count] })

# Create the account
New-ADUser -Name "svc-rppam-dra" `
    -SamAccountName "svc-rppam-dra" `
    -UserPrincipalName "svc-rppam-dra@corp.local" `
    -Path "OU=RP-PAM Service Accounts,DC=corp,DC=local" `
    -AccountPassword (ConvertTo-SecureString $draPassword -AsPlainText -Force) `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -Description "RP-PAM Directory Reader Account - READ ONLY"

# Mark as sensitive (cannot be delegated)
Set-ADUser "svc-rppam-dra" -AccountNotDelegated $true

# Display the password (save this — you'll enter it in RP-PAM)
Write-Host "DRA Password: $draPassword"
Write-Host "SAVE THIS PASSWORD SECURELY. You will need it during RP-PAM setup."
```
Permissions for the DRA:
- Member of Domain Users only (no additional groups)
- Read access to all OUs containing users that RP-PAM will manage
- No write access anywhere
The DRA's default permissions as a Domain User are sufficient for read operations. No additional delegation is needed.
Step 3: Create the Provisioning Account (PA)
The PA is the write account. It can add and remove users from groups, but only in the OUs you specifically delegate.
Using PowerShell:
```powershell
# Generate a strong random password (64 characters) from a cryptographic RNG, as in Step 2
$pool  = [char[]]((48..57) + (65..90) + (97..122) + (33,35,36,37,38,42))   # 68 characters
$bytes = [byte[]]::new(256)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
# Keep only bytes below 204 (= 3 * 68) so that the modulo step introduces no bias
$paPassword = -join ($bytes | Where-Object { $_ -lt 204 } | Select-Object -First 64 |
    ForEach-Object { $pool[$_ % $pool.Count] })

# Create the account
New-ADUser -Name "svc-rppam-pa" `
    -SamAccountName "svc-rppam-pa" `
    -UserPrincipalName "svc-rppam-pa@corp.local" `
    -Path "OU=RP-PAM Service Accounts,DC=corp,DC=local" `
    -AccountPassword (ConvertTo-SecureString $paPassword -AsPlainText -Force) `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -Description "RP-PAM Provisioning Account - SCOPED WRITE"

# Mark as sensitive (cannot be delegated)
Set-ADUser "svc-rppam-pa" -AccountNotDelegated $true

Write-Host "PA Password: $paPassword"
Write-Host "SAVE THIS PASSWORD SECURELY."
```
Delegate Write Permissions to the PA:
The PA needs write access ONLY to the specific OUs where RP-PAM will manage group memberships. Do NOT give it domain-wide write access.
Using ADUC (GUI):
1. Right-click the target OU (e.g., OU=Privileged Groups,DC=corp,DC=local)
2. Properties → Security → Advanced → Add
3. Principal: svc-rppam-pa
4. Type: Allow
5. Applies to: Descendant Group Objects
6. Permissions: check Write members
7. Click OK → Apply
Using PowerShell:
```powershell
# Grant "Write members" on the target OU for group objects
Import-Module ActiveDirectory      # provides the AD: drive used by Get-Acl / Set-Acl
$ou  = "OU=Privileged Groups,DC=corp,DC=local"
$pa  = Get-ADUser "svc-rppam-pa"
$acl = Get-Acl "AD:\$ou"
$guid_member = [GUID]"bf9679c0-0de6-11d0-a285-00aa003049e2" # schemaIDGUID of the member attribute
$guid_group  = [GUID]"bf967a9c-0de6-11d0-a285-00aa003049e2" # schemaIDGUID of the group object class
# Allow WriteProperty on "member", inherited only by group objects below the OU.
# The inheritance value is spelled "Descendents" in .NET; "Descendant" is rejected.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $pa.SID,
    "WriteProperty",
    "Allow",
    $guid_member,
    "Descendents",
    $guid_group
)
$acl.AddAccessRule($ace)
Set-Acl "AD:\$ou" $acl
```
What the PA MUST NOT have access to:
- Domain Admins group
- Schema Admins group
- Enterprise Admins group
- Any RP-PAM service account
- Any OU outside the delegated scope
Step 4: Create the Audit & Reporting Account (ARA)
The ARA reads audit sources and writes the audit log. It can read event logs and write to the RP-PAM audit database, but cannot read vault credentials.
Using PowerShell:
```powershell
# Generate a strong random password (64 characters) from a cryptographic RNG, as in Step 2
$pool  = [char[]]((48..57) + (65..90) + (97..122) + (33,35,36,37,38,42))   # 68 characters
$bytes = [byte[]]::new(256)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
# Keep only bytes below 204 (= 3 * 68) so that the modulo step introduces no bias
$araPassword = -join ($bytes | Where-Object { $_ -lt 204 } | Select-Object -First 64 |
    ForEach-Object { $pool[$_ % $pool.Count] })

# Create the account
New-ADUser -Name "svc-rppam-ara" `
    -SamAccountName "svc-rppam-ara" `
    -UserPrincipalName "svc-rppam-ara@corp.local" `
    -Path "OU=RP-PAM Service Accounts,DC=corp,DC=local" `
    -AccountPassword (ConvertTo-SecureString $araPassword -AsPlainText -Force) `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -Description "RP-PAM Audit & Reporting Account - AUDIT READ/WRITE ONLY"

# Mark as sensitive (cannot be delegated)
Set-ADUser "svc-rppam-ara" -AccountNotDelegated $true

Write-Host "ARA Password: $araPassword"
Write-Host "SAVE THIS PASSWORD SECURELY."
```
Permissions for the ARA:
- Member of Event Log Readers group (to read Windows event logs)
- Read-only access to AD (same as DRA — default Domain Users permissions)
- No write access to AD whatsoever
Step 5: Apply Group Policy Restrictions
Apply these restrictions to the RP-PAM Service Accounts OU to prevent interactive login:
Block Interactive Login
- Open Group Policy Management
- Create a new GPO: RP-PAM Service Account Restrictions
- Link it to the RP-PAM Service Accounts OU
- Edit the GPO:
  - Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
  - Deny log on locally: Add svc-rppam-dra, svc-rppam-pa, svc-rppam-ara
  - Deny log on through Remote Desktop Services: Add all three accounts
  - Deny access to this computer from the network: Do NOT add — RP-PAM needs network access
User Rights Assignment settings live under Computer Configuration and are enforced by the computers in the OUs the GPO is linked to, not by the user objects; a link on the service accounts OU alone reaches no computers, so also link the GPO to the domain or to the OUs holding the domain controllers, servers and workstations on which these logons must be denied.
Using PowerShell (on a domain controller):
```powershell
# This is typically done via GPO, but for reference:
# These accounts should NEVER be used for interactive login
# The GPO enforces this at the OS level
```
Verify Restrictions
Test that the service accounts cannot log in interactively:
```powershell
# Try to start a process as the DRA — this should fail
# Use the DRA password from Step 2; "<dra-password>" is a placeholder, not a real value
$cred = New-Object System.Management.Automation.PSCredential(
    "corp\svc-rppam-dra",
    (ConvertTo-SecureString "<dra-password>" -AsPlainText -Force)
)
Start-Process cmd.exe -Credential $cred
# Expected (once the GPO applies to this computer): the process does not start and PowerShell
# reports "Logon failure: the user has not been granted the requested logon type at this computer."
# Run this on a machine in the GPO's scope; Start-Process -Credential performs an interactive
# logon, which is exactly what "Deny log on locally" blocks.
```
Step 6: Store Credentials in RP-PAM
After creating the accounts, store their credentials in RP-PAM's vault:
During first-run setup: The Setup Wizard (see First-Run Setup Wizard) prompts you for all three service account credentials.
After initial setup: Use the RP-PAM CLI to store or rotate service account credentials:
Windows PowerShell:
```powershell
& "C:\Program Files\Ravenphyre\RP-PAM\tools\rppam-migrate.exe" setup-accounts `
    --dra-dn "CN=svc-rppam-dra,OU=RP-PAM Service Accounts,DC=corp,DC=local" `
    --dra-password "<dra-password>" `
    --pa-dn "CN=svc-rppam-pa,OU=RP-PAM Service Accounts,DC=corp,DC=local" `
    --pa-password "<pa-password>" `
    --ara-dn "CN=svc-rppam-ara,OU=RP-PAM Service Accounts,DC=corp,DC=local" `
    --ara-password "<ara-password>"
```
Linux:
```bash
sudo /opt/rppam/tools/rppam-migrate setup-accounts \
    --dra-dn "CN=svc-rppam-dra,OU=RP-PAM Service Accounts,DC=corp,DC=local" \
    --dra-password "<dra-password>" \
    --pa-dn "CN=svc-rppam-pa,OU=RP-PAM Service Accounts,DC=corp,DC=local" \
    --pa-password "<pa-password>" \
    --ara-dn "CN=svc-rppam-ara,OU=RP-PAM Service Accounts,DC=corp,DC=local" \
    --ara-password "<ara-password>"
```
Security note: Once stored in the vault, the passwords are encrypted with AES-256-GCM. You do not need to record them anywhere else. RP-PAM will automatically rotate them on the schedule you configure.
Step 7: Configure Automatic Password Rotation
By default, RP-PAM rotates service account passwords every 30 days. You can change this in the module configuration.
When a password is rotated:
1. RP-PAM generates a new random 64-character password
2. Changes the password in Active Directory
3. Updates the encrypted credential in the vault
4. Logs the rotation in the audit trail
Security Checklist
Before going live, verify all of the following:
- [ ] All three service accounts created in the RP-PAM Service Accounts OU
- [ ] DRA has read-only access only (no group memberships beyond Domain Users)
- [ ] PA has write access only to the specific OUs you intend to manage
- [ ] PA does NOT have access to Domain Admins, Schema Admins, or Enterprise Admins
- [ ] ARA is a member of Event Log Readers
- [ ] All three accounts have "Account is sensitive and cannot be delegated" set
- [ ] GPO blocks interactive login (local and RDP) for all three accounts
- [ ] All three passwords stored in RP-PAM vault
- [ ] Password rotation schedule configured
- [ ] Test: DRA can query users and groups
- [ ] Test: PA can add/remove a user from a test group in the delegated OU
- [ ] Test: PA CANNOT modify Domain Admins membership
- [ ] Test: None of the three accounts can log in via RDP or console
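The PA items in this checklist (scoped write access, nothing on the protected groups, no extra group memberships) can be verified from PowerShell instead of clicking through ADUC. The script below is an added example, not part of RP-PAM; it assumes the names used in Step 3 (svc-rppam-pa and the delegated OU=Privileged Groups) and reads each object's ACL through the ActiveDirectory module's AD: drive.

```powershell
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$pa         = Get-ADUser 'svc-rppam-pa'
$paAccount  = '{0}\{1}' -f $domain.NetBIOSName, $pa.SamAccountName   # e.g. CORP\svc-rppam-pa
$targetOu   = "OU=Privileged Groups,$($domain.DistinguishedName)"    # assumed: the OU delegated in Step 3
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'           # schemaIDGUID of the member attribute
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-AcesFor([string]$Dn, [string]$Account) {
    # Every ACE on the object (explicit or inherited) whose trustee is $Account
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object { $_.IdentityReference.Value -eq $Account }
}

# 1. The delegated OU must carry an Allow / WriteProperty(member) ACE for the PA
$ok = Get-AcesFor $targetOu $paAccount | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $writeProp) -ne 0 -and
    $_.ObjectType -eq $memberGuid
}
if ($ok) { "OK   : PA has 'Write members' on $targetOu" }
else     { Write-Warning "FAIL : PA has no 'Write members' ACE on $targetOu (re-run the Step 3 delegation)" }

# 2. No ACE at the domain root may name the PA (the over-delegation case in Troubleshooting)
$rootAces = Get-AcesFor $domain.DistinguishedName $paAccount
if ($rootAces) { Write-Warning "FAIL : PA has ACEs at the domain root: $($rootAces.ActiveDirectoryRights -join ', ')" }
else           { "OK   : PA has no ACEs at the domain root" }

# 3. The protected groups must not grant the PA any right at all
foreach ($name in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $grp = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $grp) { "SKIP : $name is not in this domain (forest-root group)"; continue }
    $hits = Get-AcesFor $grp.DistinguishedName $paAccount
    if ($hits) { Write-Warning "FAIL : $name grants the PA: $($hits.ActiveDirectoryRights -join ', ')" }
    else       { "OK   : no ACE for the PA on $name" }
}

# 4. Group membership, direct and nested (LDAP_MATCHING_RULE_IN_CHAIN). Beyond its primary
#    group (Domain Users, which is not stored in "member"), the PA should be in no group.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($pa.DistinguishedName))" |
    Select-Object -ExpandProperty Name
"INFO : PA group memberships: $(if ($groups) { $groups -join ', ' } else { 'none (primary group only)' })"
```

Run it as an account that can read the relevant ACLs; any FAIL line maps directly to a checklist item above.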
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| DRA cannot query users | Insufficient default permissions | Ensure DRA is a Domain User; check if any deny ACE blocks reads |
| PA cannot add group members | Delegation not set on the correct OU | Re-run delegation wizard on the OU containing target groups |
| PA can modify Domain Admins | Over-permissioned; delegation is too broad | Remove PA's write access from the domain root; delegate only to specific OUs |
| "Account is disabled" error | Account locked or disabled | Re-enable in ADUC; check lockout policy |
| Password rotation fails | PA doesn't have "Reset password" on its own OU | Grant PA "Reset password" on the service accounts OU |
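The last row names the fix without showing it. As an added example (not RP-PAM's own tooling), the following grants the PA the Reset Password extended right on user objects beneath the service accounts OU from Step 1 and nothing else; the GUIDs are the well-known rightsGuid of Reset Password and the schemaIDGUID of the user class.

```powershell
Import-Module ActiveDirectory

$svcOu     = "OU=RP-PAM Service Accounts,DC=corp,DC=local"    # the OU created in Step 1
$pa        = Get-ADUser 'svc-rppam-pa'
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'     # "Reset Password" extended right (User-Force-Change-Password)
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'     # schemaIDGUID of the user object class

$acl = Get-Acl -Path "AD:\$svcOu"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $pa.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass        # scope: user objects under this OU only, not the OU itself or other classes
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$svcOu" -AclObject $acl

# Confirm the ACE landed and that it is the only right the PA holds on this OU
(Get-Acl -Path "AD:\$svcOu").Access |
    Where-Object { $_.IdentityReference.Value -like '*\svc-rppam-pa' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the DRA and ARA live in the same OU, this right also lets the PA reset their passwords; weigh that against the "Risk if Compromised" table before applying it.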
Next Steps
- Service Account Setup — Entra ID — If you also use Azure AD
- Break-Glass Emergency Access — Configure emergency access procedures
- First-Run Setup Wizard — Enter your service account credentials
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.