Feature Request

Feature request forum for Devolutions PAM


vostok

Can't use PAM account as credential in Active Directory dashboard entry

Can't use privileged account as a credential in an Active Directory dashboard entry.

I checked the official Devolutions video and was convinced that this option should be available (4:06). However, when I tried to configure it in my vault, I could not find this option for an Active Directory dashboard entry, neither in RDM nor in DVLS. For comparison, an RDP entry contains the required option, and it works fine there. The only available option is "My privileged account", but this is not what is required. [image]

I also tried using the "Inherited" option and set a Privileged Account on the root folder, but this resulted in the following error: "The data source does not support the use of privileged accounts for this entry type." [image]

RDM version: 2025.3.16.0
DVLS version: 2025.3.12.0

1

87

4

Michael Beaudin

freddy1

Default PAM JIT group assignment

We use JIT (Just-In-Time) access for temporary Domain Admin, Schema Admin, and Enterprise Admin rights. This works well, as these elevated rights are only needed occasionally. It's not an issue for users to manually check the checkbox when these rights are required. In the future, we plan to add our ServerOperators group to JIT as well, since this group is necessary for the daily work of our system administrators.

Question: Is it possible to automatically assign a group (right) when a user checks out an account via PAM?

Use case: User-X does not have any special group memberships by default, only Domain Users. User-X checks out an account via PAM. JIT automatically assigns a group (e.g., ServerOperators) without requiring the user to manually select it during checkout—ideally, the group is pre-selected by default.

Rationale: The idea is that the account should function as a normal user by default. For example, the user works only 2 days and needs elevated permissions (e.g., ServerOperators) two days per week. During the remaining days, if the account were to be compromised, it would only have standard user rights (Domain Users), thus reducing the attack surface. [image]

4

327

8

Luc Fauvel

kseay1

Linked account for Propagation properties - PAM Service account password rotation

In the PAM Windows Service Account properties, there is a field for EndpointUserName and EndpointPassword. These are static fields. We would like to have the option to use a linked account to a PAM user similar to what is done for PAM Providers.

1

292

5

Luc Fauvel

julestechconsulting

Privileged accounts credential mode – Add feature to more entry type like SQL Server, SFTP and AD Dashboard

Hello,

This feature request is linked to the integration of Devolutions RDM Windows and Devolutions PAM. In the current RDM version 2025.3.22.0, the ability to use a privileged account stored in a PAM vault is limited to RDP and SSH connections, but other entry types which could benefit from PAM do not support it. So can you please add the ability to select privileged account credentials for SQL Server, SFTP, Active Directory, Active Directory Dashboard and any other entry types which support a type of account that can be stored in a PAM vault.

Thank you.

1

89

3

Luc Fauvel

Christian Egli

Pre-selected AD group for JIT elevation based on custom value

Hello,

We are currently in the pilot integration phase of RDM with our customers. The feedback so far has been very positive. The only drawback is that selecting the JiT group is quite complicated. At the moment, it is necessary to check which role the server or session belongs to and then manually search for the corresponding group in the JiT selection window. This process is time-consuming and inconvenient.

A potential improvement could be the use of a custom attribute: the AD group to which the server belongs could be stored in a custom field. When opening a session, the user would automatically be assigned to the stored AD group in the background. [image]

Could you please let us know if such a feature is planned or already under development?

Kind regards,
Christian

1

104

6

Christian Egli

Erdinger

Support for LDAP/SSSD-based SSH Authentication in the PAM SSH Keys

Context: Currently, the Devolutions Server PAM SSH Keys module expects to interact with local accounts on servers in order to insert or rotate SSH keys by updating the local authorized_keys file. In our environment, SSH authentication is managed through LDAP/SSSD, where public SSH keys are dynamically provided from an LDAP attribute. This means that no local authorized_keys file exists on the servers, as SSH keys are fetched directly from the LDAP directory during the login process.

Issue: The PAM SSH Keys module cannot inject or rotate SSH keys because it relies on the presence of local accounts and local key files. Additionally, the Scan Configuration function does not detect any accounts, since the module looks only for local accounts to manage.

Feature Request / Proposal: We would like the PAM SSH Keys module to support environments using LDAP/SSSD for SSH authentication by enabling it to: detect and recognize systems using LDAP/SSSD for SSH key management; interact directly with the LDAP directory to manage SSH public keys stored in LDAP attributes; allow rotation, addition, and removal of SSH keys in such centralized setups. This enhancement would extend the PAM SSH Keys module's capabilities to cover modern enterprise environments where SSH key management is centralized via LDAP.

Thank you for considering this request.

3

201

6

Luc Fauvel

Marc-Antoine Dubois

Backlog

Adding the possibility to unlock AD accounts during password reset

Hello,

I'm opening this on behalf of user bdemsky in an attempt to reduce back and forth. If a PAM Account is locked on an AD DC due to too many failed logon attempts, it would be nice if "Unlock Account" was flagged when a check-in or password rotation occurs in the PAM module. It would also be nice to improve the log in DVLS regarding this event so it's clear that this is what occurred, as currently the log is generic.

I've attached screenshots of the current behaviour when an account is locked. [image] [image]

Error in text: 1004 InitializeSecurityContext failed (The logon attempt failed, Win32ErrorCode -2146893044 - 0x8009030C)

bdemsky, I invite you to continue this discussion if required.

Best regards,
Marc-Antoine Dubois

2

552

15

William Alphonso

Mateusz Tyborski

Password heartbeat via sudo

Hi,

Currently the heartbeat of passwords is done using the credentials from the PAM Account, but the change is done using the credential linked with the provider. In cases where the account is disabled for networked login (e.g. the root account on Linux when SSHD has PermitRootLogin set to no), this is not possible. There could be a checkbox at the account entry level and/or provider level that switches to "sudo mode". In such a mode the heartbeat would be processed in two phases: first log in to the system with the provider account, and then check the password from the PAM Account.

Regards
Mateusz

2

132

4

Luc Fauvel

csudderth

Support for AD-based local account discovery for Linux machines

Currently with Linux servers, it appears you have to specify them individually for local account discovery. We domain-join all of our Linux servers and I would love to be able to do local account discovery for domain-joined Linux servers based on OU, like you can for domain-joined Windows devices today. I would also like for this to include both local account credential discovery/rotation as well as managing SSH keys for that local account. I would also like to be able to specify the name of that local account. The credentials being used for discovery could be the same ones specified for the Active Directory provider.

1

142

5

csudderth

jm2

PAM OTP for Hub Datasource

Hello,

With DVLS it is possible to add OTP to a PAM entry, but that option isn't shown when using Hub. Could this capability be added please? As far as I can tell, OTPs can only be added in the regular vaults, thus requiring 2 separate entries in 2 different vaults for the same identity.

Thanks
Joe

1

153

2

Luc Fauvel

hjbos

Resolved

Separate option for JIT Checkout Reason

At the moment there is only one option to set whether a checkout reason is mandatory or optional. Because we use our privileged account the whole day, setting this reason to mandatory has no use, but when asking for extra privileges with JIT we want to set a reason. Is it possible to add an additional option to make the checkout reason mandatory when doing a checkout with JIT rights, so there are 4 options to set?

0

283

4

David Savard

vincentcure

Implemented

Ticket# in PAM Activity Report

Hello,

We would like to have the possibility for the report "Privileged access - Recent activities" to display, in the generated CSV file, the ticket number linked to the PAM request. We can already see it via "Administration => Privileged access => Checkouts", but it's not in the report that is sent weekly. We store the file for auditing.

Thanks for your answer :) Have a good day

1

312

3

Marc-Andre Bouchard

Christian Egli

Setting "Replication latency" with a message when clicking on a session

Hello,

We want to see a message when the user clicks on the session. For example: "Please wait until the JiT permissions are set." At the moment, the user clicks several times in the same session because nothing happens for about 10 seconds. [image]

Best regards,
Christian

5

146

3

Christian Egli

kylieolson

PAM - Approval process only when using JiT Elevation, or choose between PAM accounts on RDP Connections.

Requesting/Sharing my idea for Check out policies to include check out options for accounts with JiT elevation. Instead of having a PAM account notify approvers for both a standard account, and the JiT, have the option to auto-approve if standard, or notify approvers if JiT is selected for the account. Another idea is to allow choosing between different PAM accounts for connecting to RDP connections within RDM, instead of just one PAM account. Thank you!

4

482

11

Maurice Côté

freddy1

Report filter on JIT and add this to scheduled report in separate column.

In the web interface I can see the PAM logs (Reports > Privileged access - Logs). The problem is that there are a couple of columns to filter on, for example Name, PAM Vaults, Users and Actions. When I want to see JIT actions the only way is to open an entry. Then I see a message and the reason. In the message there is an "Elevated as:" entry.

Message: Check out requested by user:xxx@yy.com. Duration: 8h00. Reason: test logging. Elevated as: Domain Admins. Reason: test logging

Is it possible to: add a filter on "Elevated as"? That way it's easy to analyse the JIT elevation. Add "Elevated as" in a separate column in the scheduled report "Privileged access - Recent activities" so I can easily analyse the information in Excel.

1

340

4

François Dubois

john.kenny

[FEATURE REQUEST] PAM infrastructure deployment PS1 scripts for users

I've had PAM running a few months back and started making use of it, till one day everything ground to a halt. After going through the documentation (which is always being updated, although sometimes it lags behind the software, I've found) as well as using the forums for help, I still don't have a working PAM... So now I've planned to take a fresh-start approach to PAM and its setup: the AnyIdentity Provider for EntraID, the EntraID Applications, the App credentials for DPH bus and then the PAM Service module on Windows. It made me think, boy, this would be so much simpler if there were a PS1 that would be able to assist in the infra setup. It could prompt for variables where needed, then it would set up the EntraID provider file, the EntraID app registrations and permissions etc., create the DPH app creds (again prompting for scenario path choices), then save the app creds ready to use with the PAM service module that the user can install. I realise this takes work from the Devo teams who are probably already working flat out on other tasks, but they have done this sort of thing in the past, so for any seasoned PowerShell gurus with knowledge of Devolutions apps it shouldn't take too long, right?? So yeah, that would be my wish: a PS1 that is able to help us set up the ever-growing-in-complexity PAM app using prompts for different scenario path choices...

1

201

4

Maurice Côté

hjbos

JIT Domain admin rights and login to Active Directory Controller

We have implemented JIT to grant domain admin rights to a select group of our administrators for their privileged account. This right is needed to make an RDP session to a domain controller. At the moment you complete the JIT process to get domain admin rights, the privileged account in Devolutions doesn't have the group claim and you need to restart RDM to get this claim. In my opinion this is not how this should work.

0

762

23

François Dubois

gabe

Customize PAM Notifications for exemptions

Hi guys,

I would like to make the recommendation to the development team for users to be able to toggle PAM notifications by Vault as a subcategory, like in other Custom alerts modules. The heartbeat should be able to be set per vault, or to set an exclusion for the Infrastructure Vault. For example, leave it on for PAM items in a user-created vault, but toggle it OFF for the Infrastructure Vault. If you want PAM alerts but do not want to utilize the Infrastructure Vault's capability to cycle the SQL Login account, you will receive an email every hour for the heartbeat failure. For now, we will entirely disable alerting on the PAM module as it cannot be used as needed, with many false positives.

Thank you!

3

198

2

Hubert Mireault

hjbos

Implemented

E-mail threshold on failed password rotation with PAM

When PAM is unable to rotate a password it retries every minute after the failed attempt. Because of this we get a lot of alerts (tonight I got 180 emails about this on one account). I don't think this is how it should work. Is it possible to extend the retry interval or configure a threshold for the amount of mail Devolutions should send?

0

339

11

François Dubois

kseay1

Limited PAM Administrator

We would like to give a group enough access to PAM to allow them to create Providers, Scan Configurations, Propagations, and allow them to add users to specific vaults, but not allow them full PAM admin rights.

Use case: We have a network team that we want to have manage PAM for their devices, appliances, and tools. The server team (which also manages DVLS and PAM) does not have access to network team resources and does not want to give the network team access to server PAM resources. The network team should be able to manage all their own PAM needs. Otherwise, it seems we need to stand up an entirely new DVLS instance just for them.

2

244

2

Maurice Côté

freddy1

Manage Local Accounts for non-domain-joined servers

We have Windows DMZ servers which are not domain joined. With the PAM module you can manage local accounts with WinRM, but it is currently not possible to do this with SSL. When SSL is supported it is difficult to manage. Our previous PAM solution used an agent on the DMZ server. The PAM solution communicated in a secure (SSL) way with the DMZ server to rotate passwords for local accounts and change group membership on the DMZ server. This was a very lightweight solution and very stable. Is this a possible idea to manage local accounts on DMZ servers instead of WinRM?

1

380

2

Luc Fauvel

sylv___

Backup password to 1Password

Hello,

In order to improve the security of our break glass accounts, I would like a way to activate a rotation on some accounts and back up the password to 1Password. This would be very interesting in case of any failure of Devolutions PAM. Would it be possible? Or is there a way to do this already?

Thank you!

1

278

3

sylv___

jitsersevenant

VMware vCenter USER & Groups

Hi,

We would like to use the local user vault within VMware vCenter. At the moment there is no PAM template to use VMware vCenter as an identity provider. Would it be possible to help us create such a template?

1

437

3

sylv___

john.kenny

[Feature request] Propagation script for Bitwarden entries?

I don't have the knowledge to code this myself, but I was thinking I could make use of a propagation script that updates entries in Bitwarden. I currently only have Bitwarden set up in RDM under My Account Settings, which I have used to link credentials into RDM using DPH Bus vaults, so I'm assuming this would also need setting up somewhere in DPH too. I would like to have a propagation script for DPH bus PAM Vault entries from the EntraID provider that, after password rotation, would propagate the new password to a matching entry in Bitwarden too. (Apologies, I do have the Devolutions browser extension running, but I still end up falling back to Bitwarden in many cases because of its Android features, such as its accessibility functionality for on-page or in-app filling.)

1

230

3

john.kenny

kseay1

PAM and Yubikey OTP

Is it possible to have RDM write a password checked out in PAM to a Yubikey slot? This would be useful for technicians who need to use their administrator account to install or uninstall software that requires Windows UAC credentials, but our org has UAC set up in a secure environment so we cannot paste a password. If the password was stored on the Yubikey, it can be touched to fill in the password. Currently, we are manually copying the password to the Yubikey slot, but if this can be automated during checkout it would be more efficient.

**EDIT** I said OTP; I meant the Static Password option in Yubikey. My apologies.

0

392

2


Luc Fauvel
