Active Directory Integration
AD Sync schedule
The Active Directory sync with Passportal takes place every 45 seconds once enabled.
AD Sync Overview
The Windows Agent allows you to sync and manage your Active Directory credentials within Passportal. This allows you to enable automatic Password Rotation as well as other options. The Windows Agent is also used to set up Blink users within Passportal.
The Windows Agent can be downloaded from two locations:
- From within the Edit Client menu, next to the Windows Sync toggle.
- From Settings > Downloads > Download - Passportal Agent.
The following gives a brief description of each of the toggles within the Windows Agent Settings.
- Rotation Policy: If you enable rotation policy, you can determine how frequently passwords are rotated. If the password is synced with Active Directory and rotation is enabled, a new password is randomly generated, applied to the credential, and then synced down to Active Directory.
- Windows Sync: When you enable Windows Sync, you can select this client when configuring the Windows Agent.
- Agent Key: The Agent Key is required to install the AD Sync Agent. It is only accessible if the user has the Setup AD Sync permission.
- Unlock Windows Accounts on resets: When an Active Directory account is locked, and the end user performs a Blink User Reset, their account will become unlocked.
- Auto Restart Updates Services: When an Active Directory account password is changed, any Services running under that credential are restarted automatically.
- Auto Create Missing Windows Users: When you create a password within Passportal and the account does not exist in Active Directory, a Domain User is created with the username and password assigned in Passportal.
- Auto Create Users as Passwords: When you create or change a password within Active Directory, it is automatically created as a Credential within Passportal.
- Update Service Credentials on Network: When a password is changed, if a Service on a system on the network is running under that credential, the Service is updated to use the new password.
- Mute Agent: Enabling the Mute Agent toggle disables communication between Active Directory and Passportal. When the Mute Agent toggle is disabled again, the Passportal and PassportalUpdater services must be restarted for communication to resume.
- Two-way Sync: When the Two-way Sync toggle is enabled, changes in both Active Directory and Passportal are replicated between one another: if you change a password in Passportal, it syncs to Active Directory, and if you change a password within Active Directory, it syncs to Passportal. When this toggle is disabled, sync is one-way, from Passportal down to Active Directory.
- Agent Settings Override Blink Options: When this toggle is enabled, the settings specified in the end user's Blink App will not take effect if they differ from the other Blink toggles mentioned below.
- Require password change on Blink resets: When this toggle is enabled, if a Blink User performs a password reset, they will be prompted to change their password at next login.
- Password reset length for blink users: Some companies have strict password limitations. This option allows you to set the default password length generated when performing Blink User Resets.
- Folder Path: Configure to automatically store any new synchronized passwords in the selected folder rather than in the root of the client. This ensures that any sensitive passwords appear in this folder first before being moved elsewhere. For additional security and to restrict access, apply multiple security groups to the selected folder. Use in conjunction with the Org Units Filter to select which Organization Units synchronize to the folder.
- Org Units Filter: Choose the Active Directory Organization Units to synchronize with Passportal. After selection, Passportal only synchronizes with those units included in the filter.
Notes
- Rotation Policy: If you enable rotation on an end user's password, they will not be notified of the newly generated password.
- Auto Create Missing Windows Users: With this toggle enabled, should you delete a user account in AD, Passportal will recreate it with the last active password within about 45 seconds. It is recommended to disable the credential in Passportal before deleting it from AD, or to just disable it in AD.
- Auto Create Users as Passwords: You will need to edit the auto-created password after creation and set Windows Sync to Enabled. Only enable this toggle if you want to record all Active Directory User Credentials within the system. It will not create User accounts in Passportal, Site or Blink.
- Org Units Filter: Org Units Filtering does not apply to default Organizational Unit structures, which always synchronize.
- Both the Folder Path and Org Units Filter require Agent v4.1.0 or later installed on the Active Directory server and synchronized with Passportal to populate and use the Organization Units list.
- The Folder Path and Org Units Filter functions are not compatible with Azure AD due to the one-way sync nature of that integration.
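Because Auto Create Missing Windows Users recreates a deleted AD account within roughly one 45-second sync cycle, a deletion that is immediately followed by a creation of the same account is worth surfacing in monitoring. The following is an added example, not Passportal's or N-able's own code: it assumes Security log events are available as (timestamp, event ID, sAMAccountName) tuples, uses the standard Windows Security event IDs 4726 (user account deleted) and 4720 (user account created), and treats a window of twice the sync interval as an assumed tolerance for timestamp skew.

```python
"""Flag AD accounts that were deleted and then re-created within the
Passportal sync window (added example, not Passportal's own code).
Assumes events are (ISO timestamp, event ID, sAMAccountName) tuples;
4726 = user account deleted, 4720 = user account created."""
from datetime import datetime, timedelta

# Constructed sample events, in chronological order.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", 4726, "svc-backup"),
    ("2024-03-01T09:00:41", 4720, "svc-backup"),  # re-created after 41 s
    ("2024-03-01T09:05:00", 4726, "jdoe"),
    ("2024-03-01T11:30:00", 4720, "jdoe"),        # re-created hours later
    ("2024-03-01T12:00:00", 4726, "old-temp"),    # never re-created
]

SYNC_INTERVAL = timedelta(seconds=45)  # AD sync cadence stated on this page


def find_recreated_accounts(events, window=SYNC_INTERVAL * 2):
    """Return (account, seconds) for each 4726 -> 4720 pair on the same
    sAMAccountName that falls within `window`. The default window is twice
    the 45-second sync interval (an assumed tolerance for log timestamp skew)."""
    pending = {}  # account -> time of its most recent deletion
    hits = []
    for ts, event_id, account in events:
        t = datetime.fromisoformat(ts)
        if event_id == 4726:
            pending[account] = t
        elif event_id == 4720 and account in pending:
            delta = t - pending.pop(account)
            if delta <= window:
                hits.append((account, int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for account, secs in find_recreated_accounts(SAMPLE_EVENTS):
        print(f"{account}: deleted and re-created after {secs}s; "
              "check whether Auto Create Missing Windows Users is enabled "
              "and whether the credential was disabled in Passportal first")
```

A hit does not by itself mean something is wrong; it tells you the credential was still active in Passportal when the AD object was deleted, which is exactly the case the note above recommends avoiding.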