Configuring AD Sync in a Workgroup Environment (Unsupported)
As of Agent v4.2, AD Sync in a Workgroup Environment (which was always unsupported) is no longer possible. The instructions below are for earlier agents and may or may not work depending on your environment.
Configuring AD Sync in a Workgroup Environment is a non-standard setup and is unsupported. The information below is provided on an as-is basis to assist with setting up a configuration that should allow the sync to work, but there is no guarantee that it will.
In order for the agent to work, the system requires:
- 64-bit OS
- Windows 10 or Windows Server 2008R2 or newer
- TLS 1.2. For details of which versions of Windows Server support which TLS protocols, see the Microsoft article: Support for SSL/TLS protocols on Windows.
- C++ 2015 Redistributable (64-bit version) and .NET 4.5 installed on the target device.
The Administrator account must be uniquely named on each computer in the Workgroup (in order to prevent duplication/reset issues between them). We recommend appending the computer name to each. Example: Admin_PC001
User accounts cannot be used on more than one computer in the workgroup (to prevent mismatches/duplication/reset issues).
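The following PowerShell script is an added example (not part of the original article or the Passportal product) that checks the prerequisites listed above on a workgroup machine before the agent is installed. It reads standard Microsoft registry locations; the .NET release number 378389 is the documented minimum for .NET 4.5, and the built-in Administrator account is identified by its well-known RID 500.

```powershell
# Added example: prerequisite check for the AD Sync agent on a workgroup machine.
# Assumes Windows PowerShell 3.0 or newer and local administrator rights to read HKLM.
$results = [ordered]@{}

# 64-bit OS
$results['64-bit OS'] = [Environment]::Is64BitOperatingSystem

# Windows 10 (10.0) or Windows Server 2008 R2 (6.1) or newer
$os = [Environment]::OSVersion.Version
$results['Windows 6.1 or newer'] = ($os -ge [Version]'6.1')

# TLS 1.2 client support. From Windows 8.1 / Server 2012 R2 (6.3) it is on unless
# explicitly disabled; on Server 2008 R2 it must be enabled explicitly in SCHANNEL.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if ($os -ge [Version]'6.3') {
    $tlsOk = -not ($null -ne $tls -and $tls.Enabled -eq 0)
} else {
    $tlsOk = ($null -ne $tls -and $tls.Enabled -eq 1)
}
$results['TLS 1.2 client enabled'] = $tlsOk

# .NET Framework 4.5 or newer (Release value 378389 = 4.5)
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET 4.5 or newer'] = ($null -ne $ndp -and $ndp.Release -ge 378389)

# Visual C++ 2015 redistributable, x64 (the 14.0 runtime key)
$vc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
$results['VC++ 2015 x64 redistributable'] = ($null -ne $vc -and $vc.Installed -eq 1)

# Built-in Administrator (RID 500) should be renamed uniquely, e.g. Admin_<computer name>
$admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
    Where-Object { $_.SID -like '*-500' }
$results['Built-in Administrator renamed'] = ($null -ne $admin -and $admin.Name -ne 'Administrator')

# Report one line per check and return a non-zero exit code if anything failed
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
if (@($results.Values) -contains $false) { exit 1 }
```

Run it on each workgroup computer; a FAIL on the Administrator line means the account is still named "Administrator" and would collide with the other machines syncing to the same client.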
Non-Domain System Setup Instructions
The Active Directory sync is a tool that allows you to monitor or administer passwords on an Active Directory server. The tool runs as a service on the server and periodically syncs with Passportal. The sync operates as a one-client-to-one-server relationship.
In a Workgroup environment, this process becomes a bit more manual and time-consuming but is generally possible if the below conditions are met:
- Ensure the Client exists in Passportal, and has Windows Sync enabled.
- When importing or manually adding the account credentials in Passportal:
  - Ensure the username is entered as
  - For shared accounts across multiple Windows machines, omit the machine name in the password username entry.
- Once the credentials are present in Passportal, you will need to enable Windows Sync for each one individually within the client:
  - Click Edit Password in the Actions column of the Credentials List.
  - Select Enabled in the Windows Sync drop-down menu (this option is only present when the client has Windows Sync enabled).
  - Click Save.
You may encounter unexpected behavior with multiple agents pointing to one client folder. This can be problematic if identical user names exist on two (or more) computers with agents running on them, pointing to the same client in Passportal.
AD Setup Step-by-Step Guide
AD sync is set by default to update the password on the system with the agent installed if it is changed in Passportal. However, this can be changed at the password level (individual passwords may have their own settings).
The two modes are:
- Report Mismatches: This mode is a passive monitoring mode. It will attempt to match username/password pairs in Passportal with their equivalent usernames and passwords on the server. If there are any discrepancies (such as the password being changed server-side) then the tool will flag that password entry. The flag will appear on the password, the client and on the dashboard, prompting Passportal users to change the password.
- Change Password: This mode directly changes passwords on the server. When a password mismatch is detected it will change the Active Directory password to match the password in Passportal. This allows Passportal users to push password changes to the server and directly manage the passwords on that server.
- Create or edit a client, and enable Windows Sync. The following options are available:
  - Two-Way Sync: This will allow password changes on the local workstation to be propagated up to Passportal.
  - Auto Create Users as Passwords: When selected, any users created or edited on the local machine that are not already in Passportal will be automatically created when a Create or Edit of the user occurs.
Once you've installed the agent, the system will require a reboot in order for the Two-way sync to function. This does not need to be done immediately following the install - the reboot should take place at a time suitable for the client.
The account used for authentication needs to have the Setup AD Sync permission in order to authenticate.
The Domain field may auto-populate with either the workgroup name or the local hostname; amend this if required.