Import from Active Directory

In the Tools menu, choose Active Directory Import to start the import wizard. The Active Directory import is required if you would like your users to log in on the Enterprise Server through Single Sign-On (SSO), i.e. with their Windows domain credentials: only users and groups that have been imported from Active Directory can authenticate this way.

NOTE: The WinNT provider has been replaced by the LDAP provider, which works with LDAP paths and supports the connection options described below (Global Catalog, SSL). In addition, the Active Directory import wizard has gained further options (explorer and search mode, recursive scan, detection of deleted objects).

Password Depot also supports nested AD security groups.

WARNING: If group A is a member of group B and group A is imported via the built-in AD import wizard, group B and its users are imported as well unless you uncheck them manually. Review the selection list before clicking Import so that nested groups do not pull in more accounts than intended.
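To see in advance what a nested group brings with it, the following added example (not part of the Password Depot documentation or product) resolves nested membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule: it lists the groups a given group is nested in and the users reachable through it. The search base and group DN are placeholders for your own domain; run it on a domain-joined machine with an account that can read the directory.

```powershell
# Added example: enumerate nested group membership before running the AD import.
# Assumptions: domain-joined machine, read access to the directory; $SearchBase and
# $GroupDn are placeholders. A DN containing ( ) * or \ must be escaped in the filter.
$SearchBase = "LDAP://DC=mydomain,DC=com"
$GroupDn    = "CN=GroupA,OU=Groups,DC=mydomain,DC=com"

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) lets the domain controller
# walk the member / memberOf chain itself, so one query returns the whole nesting.
$InChain = "1.2.840.113556.1.4.1941"

function Search-Ad {
    param([string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000        # paged results; an unpaged search stops at 1000 entries
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindAll()
}

# Groups that contain $GroupDn directly or through further nesting ("group B" in the warning).
$parents = Search-Ad "(&(objectCategory=group)(member:${InChain}:=$GroupDn))" @("distinguishedName")
"Groups that $GroupDn is nested in:"
$parents | ForEach-Object { "  " + $_.Properties["distinguishedname"][0] }

# Users whose memberOf chain leads to $GroupDn, i.e. everyone the group effectively contains.
$members = Search-Ad "(&(objectCategory=person)(objectClass=user)(memberOf:${InChain}:=$GroupDn))" @("sAMAccountName")
"Users reached through $GroupDn (directly or via nested groups):"
$members | ForEach-Object { "  " + $_.Properties["samaccountname"][0] }
```

The first query answers "which parent groups will appear alongside group A", the second "which user accounts end up on the Enterprise Server if the whole chain is imported". Compare both lists against the wizard's selection before clicking Import.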

When you launch the wizard you will first have to provide information about the domain you would like to use for importing users/groups to Password Depot Enterprise Server:

LDAP Path

Enter the LDAP path, domain name or IPv4 address of the AD server from which users are to be synchronized.

  • Protocol dropdown: Select the desired protocol from the dropdown list to the left of the input field. The available options are LDAP:// (default; TCP port 389, or 636 with SSL) and GC:// (Global Catalog; TCP port 3268, or 3269 with SSL). The Global Catalog lets you search across all domains of a forest, but it only holds the subset of attributes that is replicated to it.
  • Connection field: Enter the path in the input field, e.g. DC=mydomain,DC=com. The field stores up to 10 previously used entries and automatically suggests the default naming context of your domain.

Sign In

  • Sign in as current user: Select this option if you would like to sign in with the current Windows user to perform the Active Directory import. The current user is the one you also used for the Windows login.
  • Use this account: Select this option to specify a different user for the AD import. Two additional fields are enabled:
    • User name: Enter the user name of an account that has read access to the Active Directory. A domain administrator account works, but the import only needs read access to users and groups, which a dedicated low-privilege account normally has as well; prefer such an account over a domain administrator.
    • Password: Enter the corresponding password.

    NOTE: By default, the Password Depot Enterprise Server runs under the SYSTEM account of the computer on which it is installed; on a domain-joined computer this account accesses the directory as the computer account. Therefore, please make sure that any account used for the Active Directory import (especially if it is not the current user account) has full read access to the Active Directory of your domain. Otherwise the import cannot be carried out properly.

Additional Options

  • Explorer mode: Using this mode you can browse the existing folders in the Active Directory. A new dialog window will open and your Active Directory tree will be displayed, allowing you to select the users/groups you would like to import.
  • Search mode: Use this mode if you would like to search for specific users and groups in the Active Directory by name and description. The search results are displayed in a list with checkboxes.
  • Recursively scan all containers: Select this option if the wizard should scan the entire Active Directory. In large directories this can take a long time, so use it mainly the first time after migrating from an older version to the current one, since it reliably replaces all WinNT paths with LDAP paths. If this option is not checked, the wizard behaves like a standard Active Directory explorer: it only opens the specified object and scans a container when you expand it.
  • Check deleted objects: If you activate this option, any objects (e.g. users or groups) that have been deleted in the Active Directory are detected and compared against the entries in Password Depot Enterprise Server. If deleted objects are found, an additional step is displayed after the selection (see below).
  • Use SSL: Check this option to connect over LDAPS (LDAP over SSL/TLS). Enable it whenever your domain controllers offer it. The computer running the import must trust the certificate presented by the domain controller, otherwise the connection fails.

Click Login once all settings are configured.
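The three settings above (LDAP path and protocol, sign-in account, SSL) can be checked outside the wizard, which makes a failed Login easier to diagnose. The following added example (not part of the Password Depot documentation or product) reads the default naming context from RootDSE with the same server, port and protocol the wizard will use, binds to it with the import account and confirms that the account can read user and group objects. The server name and account are placeholders; run it on the computer that hosts the Enterprise Server so the same network path and certificate store are exercised.

```powershell
# Added example: pre-flight check for the AD import wizard's connection settings.
# Assumptions: $Server is a placeholder for your domain controller; the credential
# prompt receives the account you intend to enter under "Use this account".
Add-Type -AssemblyName System.DirectoryServices

$Server = "dc01.mydomain.com"      # host name or IPv4 address, as in the wizard
$UseSsl = $true                    # mirrors the wizard's "Use SSL" checkbox
$UseGc  = $false                   # $true mirrors choosing GC:// instead of LDAP://
$Cred   = Get-Credential -Message "Account used for the AD import (DOMAIN\user)"

$prefix = if ($UseGc) { "GC://" } else { "LDAP://" }
# AD listens on 389/636 for LDAP and 3268/3269 for the Global Catalog. Naming the port
# explicitly keeps the SSL flag and the port from disagreeing.
$port = if ($UseGc) { if ($UseSsl) { 3269 } else { 3268 } } else { if ($UseSsl) { 636 } else { 389 } }

# Secure = Negotiate (Kerberos/NTLM) bind; SecureSocketsLayer adds TLS on the transport.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($UseSsl) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }

$user = $Cred.UserName
$pass = $Cred.GetNetworkCredential().Password

# 1. RootDSE reports the default naming context, the value the wizard pre-fills
#    in its connection field (e.g. DC=mydomain,DC=com).
$rootDse   = New-Object System.DirectoryServices.DirectoryEntry("${prefix}${Server}:${port}/RootDSE", $user, $pass, $auth)
$defaultNc = $rootDse.Properties["defaultNamingContext"].Value
"Default naming context: $defaultNc"

# 2. Bind to that naming context as the import account. Touching NativeObject forces
#    the bind, so a wrong password, an untrusted LDAPS certificate or a blocked port fails here.
$domain = New-Object System.DirectoryServices.DirectoryEntry("${prefix}${Server}:${port}/${defaultNc}", $user, $pass, $auth)
try {
    [void]$domain.NativeObject
    "Bind as $user succeeded over ${prefix}${Server}:${port}"
} catch {
    throw "Bind failed: $($_.Exception.Message)"
}

# 3. The import only needs to read users and groups; fetch a small sample to prove it can.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter    = "(|(objectCategory=person)(objectCategory=group))"
$searcher.SizeLimit = 5
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
$sample = $searcher.FindAll()
if ($sample.Count -eq 0) { throw "Account bound but cannot read any users or groups; check its read permissions." }
"Read check OK, sample objects:"
$sample | ForEach-Object { "  " + $_.Properties["distinguishedname"][0] }
```

If step 2 fails only when $UseSsl is $true, the domain controller's certificate is the usual cause; if step 3 returns nothing although the bind succeeded, the account lacks read permission on the containers holding your users, which is the situation the NOTE under Sign In warns about.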

Selecting Users and Groups

If the login was successful, the corresponding window is displayed depending on the selected mode:

  • Explorer mode: The Active Directory tree is displayed with checkboxes. The columns Name, Type, Department, and Description show details for each object. If there are many entries, you can narrow the view using the Filter field at the bottom left. You can also use the Invert selection function to toggle all checkboxes.
  • Search mode: Enter a search term in the Name and/or Description field to find the desired users and groups. The results are displayed in a list where you can check the desired entries.

HINT: If the filter does not find any users or groups, go back, enable the option Recursively scan all containers and try again.

Select the desired users and/or groups by checking the corresponding checkboxes. Then click Import.

Handling Deleted Objects

If the Check deleted objects option was enabled and objects were found that have been deleted in the Active Directory but still exist in the Enterprise Server, an additional window is displayed. For each affected object, you can choose one of the following actions:

  • Ignore: The object remains unchanged in the Enterprise Server.
  • Disable: The object is disabled in the Enterprise Server but not deleted.
  • Delete: The object is permanently removed from the Enterprise Server.

Select one or more entries and click the desired action button. Then click Import to proceed.
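Delete is irreversible on the Enterprise Server side, so it is worth confirming independently that an object is really gone from Active Directory and was not merely moved or renamed. The following added example (not part of the Password Depot documentation or product) looks objects up by objectGUID, which survives renames and moves, and asks the domain for tombstones as well, so it distinguishes "live", "deleted" and "not found at all". It assumes the RSAT ActiveDirectory PowerShell module; the two GUIDs are constructed placeholders, to be replaced by the identifiers of the objects the wizard reports.

```powershell
# Added example: classify objects reported by "Check deleted objects" as live, deleted or unknown.
# Assumptions: RSAT ActiveDirectory module installed; the GUIDs below are made-up placeholders.
Import-Module ActiveDirectory

$CandidateGuids = @(
    "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
)

function Get-AdObjectState {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # objectGUID never changes, so a renamed or moved account is still found as "Live".
    # -IncludeDeletedObjects also returns tombstones (and recycled objects if the
    # AD Recycle Bin is enabled), which carry isDeleted=TRUE.
    $obj = Get-ADObject -Filter "objectGUID -eq '$ObjectGuid'" `
                        -IncludeDeletedObjects `
                        -Properties isDeleted, whenChanged, lastKnownParent |
           Select-Object -First 1
    if ($null -eq $obj) {
        # Neither live nor tombstoned: deleted longer ago than the tombstone lifetime,
        # or the GUID belongs to another domain or forest.
        return [pscustomobject]@{ ObjectGuid = $ObjectGuid; State = "NotFound"; Name = $null; Detail = $null }
    }
    if ($obj.isDeleted) {
        return [pscustomobject]@{
            ObjectGuid = $ObjectGuid; State = "Deleted"; Name = $obj.Name
            Detail     = "was in $($obj.lastKnownParent); last change $($obj.whenChanged)"
        }
    }
    [pscustomobject]@{ ObjectGuid = $ObjectGuid; State = "Live"; Name = $obj.Name; Detail = $obj.DistinguishedName }
}

$CandidateGuids | ForEach-Object { Get-AdObjectState -ObjectGuid $_ } | Format-Table -AutoSize
```

Objects reported as Deleted are safe candidates for Disable or Delete in the wizard; a Live result means the object was moved or renamed rather than removed, and NotFound deserves a closer look (wrong domain, or deletion older than the tombstone lifetime) before anything is removed from the server.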

Import Results

After the import is complete, the results are displayed in a summary view. For each imported or updated user or group, the status is shown (e.g. "Added successfully" or "Updated successfully"). Click Close to exit the wizard.

NOTE: In general, Password Depot Enterprise Server cannot work with OUs (Organizational Units). Although those are displayed in the import wizard for convenience, only Active Directory objects such as Users or Groups can be used for server synchronization.

HINT: You can now synchronize users and groups individually with Active Directory. To do so, select the corresponding user or group and click Synchronize in the Server Manager on the right.

NOTE: For the settings required in both the Server Manager and the client to log on to the Enterprise Server with Integrated Windows Authentication (SSO), please read the following support portal article: Single sign-on (SSO) for Enterprise Server login. Note also that the computer used for Single Sign-On has to be a member of the Active Directory domain, because Integrated Windows Authentication can only be carried out from a domain member; otherwise the login fails. When Active Directory users are synchronized with the Enterprise Server, Password Depot does not "know" the users' passwords and does not store them on the server. During a login, the password entered by the user is passed to Active Directory for validation and Password Depot only receives the response whether it is valid or invalid. This is why the computer attempting to log in must also be a domain member.
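The two conditions described in this note can be checked on a client with the following added example (not part of the Password Depot documentation or product): it reads the computer's domain membership from WMI and then validates a password against the domain the same way a server can without ever storing it, through Windows' own authentication, which hands back nothing but true or false. The account entered at the prompt is a placeholder for any domain user; run it on the client machine that has trouble logging in.

```powershell
# Added example: verify the prerequisites for AD-backed login on a client.
# Assumptions: run on the client in question; the credential prompt receives a domain
# account (sAMAccountName or UPN) whose password you want to validate.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# 1. Integrated Windows Authentication requires a domain-joined computer.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not a domain member; Integrated Windows Authentication cannot work from here."
}
"Computer $($cs.Name) is a member of domain $($cs.Domain)"

# 2. Validate a password against the domain. The domain controller answers the
#    Negotiate (Kerberos/NTLM) exchange; this process only sees a boolean and keeps
#    no copy of the password, which is the behaviour described for the Enterprise Server.
function Test-DomainPassword {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        return $ctx.ValidateCredentials($Credential.UserName, $Credential.GetNetworkCredential().Password)
    } finally {
        $ctx.Dispose()
    }
}

$cred = Get-Credential -Message "Domain account to validate against $($cs.Domain)"
$ok = Test-DomainPassword -Domain $cs.Domain -Credential $cred
"Password valid: $ok"
```

If the first check throws, join the computer to the domain before looking at client or server settings; if the second returns False for a password that works at the Windows logon screen, the account is usually locked, expired or entered with the wrong name form (try the UPN), which is worth ruling out before suspecting the SSO configuration.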