Active Directory Synchronization

In the Tools menu, choose Active Directory Synchronization to start the wizard of the same name. Active Directory synchronization is required if you want your users to log in to the Enterprise Server through Single sign-on (SSO); in that case users log in to the server with their Windows domain credentials, which only works once the corresponding Active Directory users and groups have been synchronized.

NOTE: In version 14 the WinNT provider was replaced by a more powerful LDAP provider. In addition to that, the functionality of the Active Directory synchronization was improved and more features have been added to the synchronization wizard.

Password Depot also supports nested AD security groups.

WARNING: If group A is a member of group B and group A is imported via the built-in AD synchronization wizard, group B and its users will also be imported (unless you uncheck them manually). If you deselect individual users, Password Depot does not import the corresponding group but only the selected users.
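To see in advance what selecting a nested group pulls in, the following PowerShell function lists the group's parent groups, the users who are members through any depth of nesting, and the direct users of those parent groups. It is an added example and not Password Depot code; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the group name used in the usage line is a placeholder. The LDAP matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is what makes Active Directory follow group nesting for you.

```powershell
# Added example, not part of Password Depot: preview the effect of importing a nested group.
# Assumes the RSAT ActiveDirectory module; the group name passed in is a placeholder.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4515 escaping, backslash first, so a DN containing ( ) * or \ cannot break or widen the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupImportPreview {
    param([Parameter(Mandatory)] [string] $GroupName)

    $group = Get-ADGroup -Identity $GroupName
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName
    $chain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: resolve nesting to any depth

    # Groups that contain this group, directly or through further nesting ("group B" in the warning above)
    $parents = @(Get-ADGroup -LDAPFilter "(member:${chain}:=${dn})")

    # Every user who is effectively a member, including via groups nested below this one
    $users = @(Get-ADUser -LDAPFilter "(memberOf:${chain}:=${dn})")

    # Direct users of each parent group, since the wizard imports those as well
    $parentUsers = foreach ($p in $parents) {
        $pdn = ConvertTo-LdapFilterValue $p.DistinguishedName
        Get-ADUser -LDAPFilter "(memberOf=${pdn})"
    }

    [pscustomobject]@{
        Group            = $group.Name
        ParentGroups     = @($parents | Select-Object -ExpandProperty Name)
        Users            = @($users | Select-Object -ExpandProperty SamAccountName)
        ParentGroupUsers = @($parentUsers | Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique)
    }
}

# Usage (placeholder group name): compare this output with the wizard's selection before you click Synchronize
Get-GroupImportPreview -GroupName 'PasswordDepot-Users' | Format-List
```

Users listed under ParentGroupUsers are the ones the warning refers to: they arrive through the parent group, not through the group you selected, so check them deliberately rather than assuming the import is limited to what you ticked.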

When you launch the wizard you will first have to provide information about the domain you would like to use for importing users/groups to Password Depot Enterprise Server:


Enter the LDAP path, domain name or IPv4 address of your AD server to synchronize AD users.

Sign In

  • Sign in as current user: Select this option if you would like to start the Active Directory synchronization with the current user. The current user is the account you used to log in to Windows.
  • Use this account: Enter the user name and password of another account that can read the Active Directory of the selected domain. This is often a domain administrator, but synchronization only needs read access; a dedicated account that can read the relevant users and groups, and nothing more, is the safer choice. Please note that by default the Password Depot server runs under the SYSTEM account of the machine on which the Enterprise Server is installed. Therefore, make sure that any account used for Active Directory synchronization (especially if it is not the current user account) has full read access to the Active Directory of your domain. Otherwise the synchronization cannot be carried out properly.

Additional Options

  • Explorer mode: Using this mode you can browse the existing folders in the Active Directory. A new dialog window opens and the Active Directory tree is displayed. Select the users/groups you would like to import into Password Depot Enterprise Server.
  • Search mode: Use this mode if you would like to search for specific users and groups in the Active Directory.
  • Recursively scan all containers: Use this option if you would like the synchronization wizard to scan the entire Active Directory. Please note that this may take some time in large directories. You should therefore only use this option the very first time after migrating from an older version to the current one, since it reliably replaces all WinNT paths with LDAP paths. If this option is not checked, the wizard works like a standard Active Directory explorer: it only opens the specified object and scans a container when you expand it.
  • Check deleted objects: If you activate this option, deleted objects (for example deleted users or groups) are scanned in both the Active Directory and Password Depot Enterprise Server and merged afterwards.
  • Use SSL: Check this option if your Active Directory requires LDAP over SSL (LDAPS, TCP port 636 instead of 389). It is advisable even when the directory does not enforce it, because it protects the synchronization account's credentials and the directory data while they travel between the Enterprise Server and the domain controller.

Click Sign In once all settings are done. If the login was carried out correctly a new dialog window opens displaying the Active Directory tree. Please select all users and/or groups you would like to import to or update in Password Depot Enterprise Server. If there are a lot of objects you can filter the view using the corresponding box at the bottom on the left.

HINT: If the filter does not find any users or groups, go back, enable the option Recursively scan all containers and try again.

Next, check the desired users and/or groups and finally, click Synchronize. A new dialog window will open subsequently displaying the synchronization results. 

NOTE: In general, Password Depot server cannot work with organizational units (OUs). Although OUs are displayed in the synchronization wizard, only Active Directory objects such as "Users" or "Groups" can be used for server synchronization. 
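The wizard reports a failed sign-in only as a whole, so it helps to test the same settings outside it first: the server address, the account chosen under Sign In, and the Use SSL option. The function below, an added example that is not part of Password Depot, binds to the domain controller with exactly those inputs using the .NET System.DirectoryServices.Protocols classes, reads the domain's naming context and lists the top-level objects with their object class, which makes the OU distinction from the note above visible. The server name and account in the usage line are placeholders.

```powershell
# Added example, not part of Password Depot: dry-run the wizard's sign-in settings before starting it.
# Assumes a reachable domain controller; server name and credentials are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdSyncSignIn {
    param(
        [Parameter(Mandatory)] [string] $Server,   # host name or IPv4 address of a domain controller
        [pscredential] $Credential,                 # omit to bind as the current Windows user
        [switch] $UseSsl                            # LDAPS on TCP 636 instead of plain LDAP on TCP 389
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $port
    $conn = if ($Credential) {
        New-Object "$ns.LdapConnection" -ArgumentList $id, $Credential.GetNetworkCredential()
    } else {
        New-Object "$ns.LdapConnection" -ArgumentList $id
    }
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    try {
        # Throws LdapException on wrong credentials, an unreachable DC or a failed TLS handshake
        $conn.Bind()

        # The root DSE tells us the domain's naming context, so nothing has to be hard-coded
        $base    = [System.DirectoryServices.Protocols.SearchScope]::Base
        $rootReq = New-Object "$ns.SearchRequest" -ArgumentList '', '(objectClass=*)', $base, 'defaultNamingContext'
        $baseDn  = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]

        # One level below the domain root: OUs (organizationalUnit) are shown by the wizard but cannot be
        # synchronized, while containers such as CN=Users hold the users and groups that can be
        $oneLevel = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
        $listReq  = New-Object "$ns.SearchRequest" -ArgumentList $baseDn, '(objectClass=*)', $oneLevel, 'objectClass'
        $topLevel = foreach ($entry in $conn.SendRequest($listReq).Entries) {
            $classes = $entry.Attributes['objectClass'].GetValues([string])   # most specific class comes last
            [pscustomobject]@{ DistinguishedName = $entry.DistinguishedName; ObjectClass = $classes[-1] }
        }

        [pscustomobject]@{
            Server   = "${Server}:${port}"
            Ssl      = [bool]$UseSsl
            BaseDn   = $baseDn
            TopLevel = $topLevel
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): same inputs as the wizard's "Use this account" plus "Use SSL"
Test-AdSyncSignIn -Server 'dc01.corp.example' -UseSsl -Credential (Get-Credential 'CORP\svc-pwdepot-sync')
```

If the bind fails only with -UseSsl, the domain controller most likely does not present a certificate that the Enterprise Server machine trusts; fix the trust chain rather than disabling SSL, since the same trust problem will affect the wizard. Running the check with the synchronization account rather than your own also confirms that this account, and not just yours, can read the users and groups you intend to import.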

HINT: You can now synchronize users and groups individually with Active Directory. To do so, select the corresponding user or group and click Synchronize in the Server Manager on the right afterwards.

NOTE: If you would like to know which settings are required for both the Server Manager and the client in order to log in to the Enterprise Server with Integrated Windows Authentication (SSO), please read the following knowledge base article carefully: Single sign-on (SSO) for Enterprise Server login. Please also note that the computer used for Single sign-on has to be an Active Directory member; otherwise the login will fail, because Integrated Windows Authentication is only possible on a domain member. When synchronizing Active Directory users with the Enterprise Server, Password Depot does not learn or store the users' passwords. Instead, during authentication the password entered by a user is passed to the Active Directory, and Password Depot is only told whether it was accepted or rejected. This is why the computer used for login must in any case be a domain member.