Vault AD secrets engine dynamic?

Does the AD secrets engine dynamically create and remove/delete accounts? From what I have been able to read online, it sounds as though it will create accounts but will subsequently rotate the password as the means of revoking access once any leases have expired.
It sounds from reading the available info on the AWS secrets engine that credentials are dynamically created and destroyed. Is the behaviour different with the AD secrets engine?


It presently doesn’t create accounts. That’s why each AD role needs to be mapped to a pre-existing service account in AD. It’s a feature we’d like to do in the (hopefully near) future, but it doesn’t do that today.
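
The role-to-account mapping described in the answer above, as an added example that is not part of the original thread. The role name, account name and TTL are placeholders, and the sketch assumes the AD secrets engine is already enabled at `ad/` and configured.

```shell
# Added example: role name, account name and TTL below are placeholders.
# Assumes the AD secrets engine is mounted at ad/ and ad/config is set.

# Map a Vault role to a service account that ALREADY exists in AD.
# Vault does not create or delete the account; it only manages the
# account's password, rotating it once the TTL has passed.
ad_map_role() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: ad_map_role ROLE EXISTING_ACCOUNT [TTL]" >&2
        return 2
    fi
    vault write "ad/roles/$1" service_account_name="$2" ttl="${3:-1h}"
}

# Read the current password for the mapped account. The account itself
# persists in AD between reads; only the password changes.
ad_read_creds() {
    if [ -z "$1" ]; then
        echo "usage: ad_read_creds ROLE" >&2
        return 2
    fi
    vault read "ad/creds/$1"
}

# Typical use against a live Vault server:
#   ad_map_role my-application my-application@example.com 1h
#   ad_read_creds my-application
```

Because the account outlives every lease, its group memberships and permissions in AD stay in place; removing access means rotating the password or disabling the account in AD.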