Passportal Help

Configuring AD Sync in a Workgroup Environment (Unsupported)

Prerequisites

In order for the agent to work, the system requires:

  • A 64-bit operating system
  • Windows 10 or Windows Server 2008 R2 or newer
  • Support for TLS 1.2. More information on which versions of Windows Server support which TLS protocols can be found in this article.
  • If they are not already installed or current, the agent installer will also deploy C++ and .NET 4.5 or newer during the install.

Non-Domain System Setup Instructions

The Active Directory sync is a tool that allows you to monitor or administer passwords on an Active Directory server. The tool runs as a service on the server and periodically syncs with Passportal. Each sync is a one-client-to-one-server relationship.

In a Workgroup environment, this process becomes a bit more manual and time-consuming but is still possible.

  1. Deploy the agent on each workgroup machine.
  2. Create the accounts.
  3. When importing or manually adding the account credential in Passportal:

    1. Ensure the username is machine\username.
    2. For shared accounts across multiple Windows machines, omit the machine name in the password username.
    3. Once the credentials have been created in Passportal, you will need to enable the AD sync per password within the Edit Password slider:
      1. Select Edit Password.
      2. Under Windows sync, select "Enabled".

    If you use the "Auto-Create Users as Passwords" feature instead, the machine name is added automatically when required.

You may encounter a problem when multiple agents point to one client. This occurs if identical user names exist on two computers that both have agents pointing to the same client in Passportal.

AD Setup Step-by-Step Guide

AD sync is set by default to update the password on the system where the agent is installed whenever that password is changed in Passportal. However, this can be changed at the password level (individual passwords may have their own settings).

The two modes are:

  • Report Mismatches. This mode is a passive monitoring mode. It will attempt to match username/password pairs in Passportal with their equivalent usernames and passwords on the server. If there are any discrepancies (such as the password being changed server-side), the tool will flag that password entry. The flag will appear on the password, on the client and on the dashboard, prompting Passportal users to change the password.
  • Change Password. This mode directly changes passwords on the server. When a password mismatch is detected, it will change the Active Directory password to match the password in Passportal. This allows Passportal users to push password changes to the server and directly manage the passwords on that server.

  1. Create or edit a client, and enable "AD SYNC".
  2. Options:

    • Two-Way Sync - This will allow password changes on the local workstation to be propagated up to Passportal. Once you've installed the agent, the system will require a reboot in order for the two-way sync to work.

    • Auto Create Users as Passwords - When selected, any users created or edited on the local machine that are not already in Passportal will be automatically created. This will not automatically populate all existing users; a Create or Edit of the user is required to trigger it.

  3. Install the AD Agent (Remote Monitor Tool) on the local computer. This can be found under the downloads section on the sidebar or when you're editing a client.
  4. Input information into the AD Agent (Remote Monitor Tool).
  5. Enter credentials and the Organization Key from any user listed as an Organization Administrator or with the "Setup AD Sync" permission level associated with them.
  6. Click Refresh and choose the appropriate client from the dropdown, then click Continue.
  7. Next, choose a local user name and password for the local machine (you can use an existing one or create a new one). This user will be responsible for running the service locally on the system and will require local administrative rights. In Domain, enter the local hostname of the workgroup computer you are on.
  8. If you type in a domain admin account that does not exist, the tool will offer to create that account automatically as a user with domain admin rights.
  9. When finished, click Save and Start Agent.
  10. Once the service account has been created, you can verify that the Passportal agent is working by going to Services and ensuring the Passportal service is running.
  11. You can start adding credentials into Passportal manually or by selecting the "Auto-Create Users as Passwords" option (creates a credential in Passportal following a change or creation event).
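The following PowerShell check is an added example, not Passportal's own tooling. It verifies the prerequisites listed at the top of this page (64-bit, OS version, TLS 1.2, .NET 4.5+), that the service account chosen in step 7 is a local administrator, and that the agent service from step 10 is running. The service display-name pattern "Passportal*" and the default account name "svc_passportal" are assumptions; adjust them to your install.

```powershell
# Added example (not Passportal's own code). Verifies the agent prerequisites and the
# post-install state described on this page. ASSUMPTION: the agent's service display name
# starts with "Passportal"; adjust -ServicePattern if your install differs.
function Test-PassportalAgentHost {
    param(
        [string]$ServiceAccount = 'svc_passportal',   # assumed name of the local account chosen in step 7
        [string]$ServicePattern = 'Passportal*'        # assumed display-name pattern for the agent service
    )
    $r = [ordered]@{}

    # Prerequisite: 64-bit OS
    $r['64-bit OS'] = [Environment]::Is64BitOperatingSystem

    # Prerequisite: Windows 10 (10.0) for workstations, Server 2008 R2 (6.1) or newer for servers
    # (Win32_OperatingSystem.ProductType 1 = workstation, 2 = domain controller, 3 = server)
    $os = Get-CimInstance Win32_OperatingSystem
    $minVersion = if ($os.ProductType -eq 1) { [version]'10.0' } else { [version]'6.1' }
    $r['OS version ok'] = [version]$os.Version -ge $minVersion

    # Prerequisite: TLS 1.2 is known to the .NET stack on this host
    # (SCHANNEL registry policy can still disable it; this only confirms the runtime supports it)
    $r['TLS 1.2 available'] = [enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'

    # Prerequisite: .NET Framework 4.5 or newer (Release 378389 is 4.5 in Microsoft's version table)
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $r['.NET 4.5+'] = ($null -ne $ndp) -and ($ndp.Release -ge 378389)

    # Step 7: the account that runs the service must hold local administrative rights
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $r['Service account is local admin'] = [bool]($admins | Where-Object { $_.Name -like "*\$ServiceAccount" })

    # Step 10: the agent service exists and is running
    $svc = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern } | Select-Object -First 1
    $r['Agent service running'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]$r
}

# Run from an elevated PowerShell session on the workgroup machine; every field should read True.
Test-PassportalAgentHost | Format-List
```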