Configuring AD Sync in a Workgroup Environment (Unsupported)

As of Agent v4.2, the unsupported AD Sync in a Workgroup Environment is no longer possible - the below instructions for earlier agents may or may not work depending on your environment.

Configuring the AD Sync in a Workgroup Environment is a non-standard setup and is unsupported. The below information is provided on an as-is basis to assist with setting up the configuration which should allow the sync to work, but there is no guarantee it will.


In order for the agent to work, the system requires:

  • 64-bit OS
  • Windows 10 or Windows Server 2008R2 or newer
  • TLS 1.2. More information on which versions of windows server support which TLS protocols can be found in this Microsoft article: Support for SLL/TLS protocols on Windows.
  • C++ 2015 Redistributable (64-bit version)and .NET 4.5 installed on target device.
  • The Administrator account must be uniquely named on each computer in the Workgroup (in order to prevent duplication/reset issues between them). We recommend apending each with the computer name. Example: Admin_PC001

    User accounts cannot be used on more than one computer in the workgroup (to prevent mismatches/duplication/reset issues).

Non-Domain System Setup Instructions

The Active Directory sync is a tool that allows you to monitor or administrate passwords on an active directory server. The tool will run as a service on the server and periodically sync with Passportal. The sync runs on one client to one server relationship.

In a Workgroup environment, this process becomes a bit more manual and time-consuming but is generally possible if the below conditions are met:

  1. Ensure the Client exists in Passportal, and has Windows Sync enabled.
  2. When importing or manually adding the account credentials in Passportal
    • Ensure the username is entered as machine\username
    • For shared accounts across multiple windows machines, omit the machine name in the password username entry
    • Once the credentials are present in Passportal, you will need to enable Windows Sync for each one individually within the client:
      1. Click Edit Password in the Actions column of the Credentials List.
      2. Select Enabled in the Windows Sync drop-down menu (This option is only present when the client has Windows Sync enabled).
      3. Click Save.

You may encounter unexpected behavior with multiple agents pointing to one client folder. This can be a problematic if identical user names exist on two (or more) computers with agents running on them, pointing to the same client in Passportal.

AD Setup Step-by-Step Guide

AD sync is set by default to update the password on the system with the agent installed if it is changed in Passportal. However, this can be changed at the password level (individual passwords may have their own settings).

The two modes are:

  • Report Mismatches: This mode is a passive monitoring mode. It will attempt to match username/password pairs in Passportal with their equivalent usernames and passwords on the server. If there are any discrepancies (such as the password being changed serverside) then the tool will flag that password entry. The flag will appear on the password, the client and on the dashboard prompting Passportal users to change the password.
  • Change Password: This mode directly changes passwords on the server. When a password mismatch is detected it will change the active directory password to match the password in Passportal. This allows Passportal users to push password changes to the server and directly manage the passwords on that server.


  1. Create or edit a client, and enable Windows Sync.
  2. Notable Options:

    • Two-Way Sync: This will allow password changes on the local workstation to be propagated up to Passportal.
    • Once you've installed the agent, the system will require a reboot in order for the Two-way sync to function. This does not need to be done immediately following the install - the reboot should take place at a time suitable for the client.

    • Auto Create Users as Passwords: When selected, any users created or edited on the local machine that are not already in Passportal will be automatically created when a Create or Edit of the user occurs.

  3. Edit the client to enable Windows Sync, and download the Windows Agent.
  4. Once the Windows Agent has been downloaded, transfer the installer to the local computer(s) and launch the installer using Setup.exe.
  5. Click Next.
  6. Read the License Agreement, click the I Agree radio button, and then click Next.
  7. Accept the default target Install Folder or enter a preferred location. Leave the Everyone radio button selected. Click Next.
  8. Select the Windows Agent radio button and then click Next.
  9. Enter the Loop Back IP Address ( as the Primary Domain Controller IP address (and the Listener Port number if not using the default port 7771), and then click Next. Each computer is considered it's own DC in this kind of setup.
  10. Confirm the Install by clicking Next.
  11. The Windows Agent will now install. Once completed, you will be prompted to reboot to enable 2-Way Password Sync. This does not need to be done immediately, and clicking OK will not cause a reboot to happen. Please ensure the computer is rebooted at a suitable time. Click Close in the main dialog, to close the installer.
  12. The Windows Agent application will launch, to continue with its configuration. Authenticate with your Passportal login details. Once you have entered your details, you will see a message advising you have Successfully Authenticated. Click Refresh next client to populate the dropdown menu with the clients in Passportal and then select the appropriate client. Click Continue.
  13. The account used for authentication needs to have the Permission Setup AD Sync in order to authenticate.

  14. You are now prompted to create the Local Windows Service Account which is used to run the Passportal and PassportalUpdater services. Enter an appropriate name for the service, such as PassportalSync. Also enter a password for the account or click Random to generate a random password. Enter the local hostname in the Domain field. Click Save and Start Agent. You can use an already existing local account, but it must have local administrative rights.
  15. The Domain detail may auto-populate with either the workgroup name, or the local hostname, amend this if required.

  16. If the Windows Service Account does not exist on the computer, you will be prompted to create it. Click Yes to do so.
  17. When the account has been created you will receive message advising Passportal Windows Services were restarted successfully. You may close this window. Click Close to complete the setup on the Domain Controller.
  18. Once the Windows Agent has been installed, we recommend to confirm the newly created Windows Service account has been populated into Passportal.
  19. Once the service account has been created you can verify that the Passportal agent is working by going to services and ensuring the Passportal services are running.
  20. You can start adding credentials into Passportal manually or by selecting the Auto-Create Users as Passwords option (which creates a credential in Passportal following a change or creation event).
  21. Repeat on each computer in the workgroup.