Introduction
Just-in-time (JIT) accounts are a feature that temporarily enables a privileged account. When a JIT account expires, it is automatically disabled, removed from the privileged security group, and its password is rotated, making these accounts highly secure.
Each JIT account is created for an individual, so the resulting audit log can be easily traced to that person. This also helps ensure compliance by avoiding shared credentials and maintaining the principle of no standing privileges.
CyberQP lets you create and manage your JIT accounts directly from the dashboard. As of the latest update to this KB article, the dashboard supports JIT account creation for Active Directory, local machine, and Entra ID. Please see the bottom of this KB to find links on how to implement these features.
In this article, we'll walk you through the steps of setting up and using Active Directory sourced JIT accounts.
NOTE: Due to limitations of the .NET framework and the password rotation requirements for these accounts, Server 2008 R2 is not supported. Just-in-Time (JIT) AD accounts are not compatible with Server 2008 R2 Domain Controllers.
Prerequisite
- Machines must have the latest CyberQP agent installed
- The Just-in-time feature has been enabled in tenant settings, as described in "Enabling Just-in-time privileged accounts feature for QGuard"
- Active QGuard Pro subscription
- Signed in with a Primary or Super role technician user, or a technician user that is part of a CyberQP Technician Group granted access to a JIT Policy
Creating an AD JIT account from the Dashboard
- Navigate to a customer
- Click Just-in-time Accounts in the sidebar
- Click Activate JIT Account
- Click Active Directory
- Adjust the Username if needed (NOTE: Username edit is only available during initial creation)
- Set the Duration for which the account should be enabled
- Provide a Reason for the creation of the JIT account (NOTE: Currently, entering a URL in the Reason field is not supported)
- Select the desired JIT Policy to use
- Click Activate
Re-enable a Previously Created AD JIT Account from the Dashboard
- Open a Customer
- Click Just-in-time Accounts in the sidebar
- Locate the JIT account that you wish to re-enable
- Click the three-dot menu > Enable Account
- Provide a Reason and set the Duration
- NOTE: If a different JIT Policy is desired, click the Pencil Icon inside the Select JIT Policy box and select the desired JIT Policy
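To confirm the expiry behaviour described in the introduction (account disabled, removed from the privileged security group, password rotated), a check like the following can be run against the domain after a JIT window closes. It is an added example, not CyberQP code; the account name, the list of privileged groups, the expiry time and the five-minute tolerance are assumptions to replace with your own values.

```powershell
# Added example: post-expiry check for one AD-sourced JIT account.
# Assumptions (not from the KB): account name, privileged group names,
# expiry time (copy it from the dashboard entry) and the tolerance window.
Import-Module ActiveDirectory

function Test-JitAccountExpired {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [datetime] $ExpiredAt,
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int] $ToleranceMinutes = 5
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet

    # Group memberships that are still in the privileged list.
    # Nested membership is not expanded here.
    $hits = @(
        Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $PrivilegedGroups -contains $_.Name } |
            Select-Object -ExpandProperty Name
    )

    # Rotation counts only if the password was set at or after expiry
    # (minus the tolerance). A null PasswordLastSet is treated as not rotated.
    $rotated = ($null -ne $user.PasswordLastSet) -and
               ($user.PasswordLastSet -ge $ExpiredAt.AddMinutes(-$ToleranceMinutes))

    [pscustomobject]@{
        Account          = $user.SamAccountName
        StillEnabled     = [bool]$user.Enabled
        PrivilegedGroups = $hits
        PasswordLastSet  = $user.PasswordLastSet
        PasswordRotated  = [bool]$rotated
        Compliant        = (-not $user.Enabled) -and ($hits.Count -eq 0) -and $rotated
    }
}

# Constructed sample values; replace with the real account and expiry time.
Test-JitAccountExpired -SamAccountName 'jit.example' -ExpiredAt '2025-01-01 12:00'
```

A result with Compliant set to False shows which of the three expiry actions did not take effect for that account.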