HELP FILE

Configuring the Active Directory Connector

You can configure the following options:

Connection

  • Configure the connection between LastPass and your Active Directory by entering the following information:
    1. In Connection configuration, specify the domain to connect to (for example, lpadsync), or a specific domain controller to connect to instead of a domain (for example, lp-adsync-dc01.lpadsync.local).
    2. In Credentials, choose one of the following:
      • Login as current user, to log in with current user credentials.
      • Specify credentials:, to add a username and password for a specific user.
    3. In Base DN, choose one of the following:
      • Automatically discover from my Base DN, to automatically discover a Base DN. This is the root node under which all of your relevant user and group objects are located.
      • Specify Base DN, to specify a Base DN.

      Note: For optimal performance, it is recommended that all relevant users and their embedded groups be located under the specified Base DN.

    4. When finished, click Update settings.

Actions

  • Configure your Actions settings to specify what actions should be performed when specific events happen to users in your Active Directory. It is recommended to use the "disable" account option instead of "delete" to prevent unwanted actions against user accounts (that is, full Vault data loss for a deleted user).
    1. In When a user in Active Directory is detected:, choose from the following options:

      Add the user in the Enterprise Console, but require approval
      Sync users between your Active Directory and LastPass, and place them in a "pending" status (and require manual approval for each) instead of immediately creating an account for each user.
      Automatically create user in LastPass
      Automatically create accounts for every new user, and send them an automated Welcome email containing a temporary password and instructions to create their individual Master Password.

      Warning: This option must be selected if you are provisioning federated users using the LastPass Enterprise or Identity integration with Active Directory Federation Services (AD FS).

      Do nothing
      No action will be taken.

    2. In When a user in Active Directory is deleted:, free up the user license to be distributed to another user with one of the following options:

      Administratively disable the LastPass account
      The user account will continue to exist within your LastPass Enterprise or Identity account, and the user will be unable to log in and use LastPass unless they are re-enabled.
      Remove from Enterprise account, but do not delete user
      Removes the user from your LastPass Enterprise or Identity account; however, the account is converted into a LastPass free user account, and all Vault data within it remains accessible to the user.
      Automatically delete their LastPass account
      Completely delete the LastPass account and all of the data within the user's Vault.

    3. In When a user in Active Directory is disabled:, free up the user license to be distributed to another user with one of the following options:

      Administratively disable the LastPass account
      The user account will continue to exist within your LastPass Enterprise or Identity account, and the user will be unable to log in and use LastPass unless they are re-enabled.
      Automatically delete their LastPass account
      Completely delete the LastPass account and all of the data within the user's Vault.
      Remove from Enterprise account, but do not delete user
      Removes the user from your LastPass Enterprise or Identity account; however, the account is converted into a LastPass free user account, and all Vault data within it remains accessible to the user.

    4. In When a user in Active Directory is removed from group in filter:, free up the user license to be distributed to another user with one of the following options:

      Administratively disable the LastPass account
      The user account will continue to exist within your LastPass Enterprise or Identity account, and the user will be unable to log in and use LastPass unless they are re-enabled.
      Automatically delete their LastPass account
      Completely delete the LastPass account and all of the data within the user's Vault.
      Remove from Enterprise account, but do not delete user
      Removes the user from your LastPass Enterprise or Identity account; however, the account is converted into a LastPass free user account, and all Vault data within it remains accessible to the user.
      Do nothing
      No action will be taken.

    5. When finished, click Update settings.

Sync

  • Configure your Sync settings to specify which fields, groups, and users you would like to sync between LastPass and your Active Directory. Users must have an email address listed in Active Directory in order to be synced with LastPass.
    1. In Sync configuration:, choose from the following options:

      Sync user's full name from AD
      When enabled, syncs each user's full name so that it appears in LastPass. By default, LastPass lists users only by their username (that is, their email address).
      Create groups in LastPass
      If a group exists in Active Directory but not in LastPass, enabling this option will create these groups in LastPass. If you are creating groups in LastPass based on your Active Directory, any existing groups in LastPass will be removed and replaced with the specified Active Directory Groups.
      Sync search interval
      Sets how often the AD Connector checks for and applies changes; each cycle runs at the designated time interval (between 5 and 3600 seconds).

    2. In Filter users based on group membership:, set the following:

      • You must specify at least one group within this section in order to proceed with the setup process, even if you do not plan on using groups within LastPass. If a group is not specified, you will encounter a "Login failed" error message.
      • Click on Browse and Search to easily navigate within your connected Active Directory groups, and select only the groups that you would like to sync. If you have added user group(s) that you decided you do not want to sync, click to select the group, then click Remove selected groups.
      • Limit which users are added to your business account by specifying a sync filter within the AD Connector. This field should be populated with the DN string of the group you would like to filter on. The ADSI Edit tool is a reliable way to obtain an accurate DN string. When adding multiple groups to the sync filter, use the full DN strings separated by a pipe (|), in the following format:

        CN=LastPass,OU=Groups,OU=USA,DC=yourdomain,DC=com|CN=LastPass2,OU=Groups,OU=USA,DC=yourdomain,DC=com

    3. User memberships:

      Sync all group memberships
      Sync all user groups within your Active Directory with your LastPass Enterprise account.
      Use allowlist to filter groups
      Use Browse or Search to locate and select an umbrella group that directly contains the groups to be synced; the selected umbrella group itself is not allowlisted.
      Include nested groups
      Check the box if you want all sub-groups within a group to be included while syncing (for example, if Group A includes Group B and Group B includes Group C, then Groups A, B, and C will be included). This allows you to consolidate user accounts, remove duplicate access, and automatically give site or shared folder access to nested groups.
      Sync only the groups specified in the Filter users section
      Use this setting with extreme caution. This option syncs only users within the groups specified in Filter users based on group membership. If a user in your Active Directory loses membership in all of the specified groups, the disable/delete action you specified in your Actions settings is triggered, which could result in disabling or deleting users outside of your selected groups. For this reason, it is highly recommended that you select a group set that includes all users who should be synced, to avoid unwanted actions when enabling this setting.
      Note: Ensure that all relevant users, groups, and sub-groups are located under the Base DN you selected in your Connection settings.
      Do not sync group memberships
      This option will not sync any user groups within your Active Directory with your LastPass Enterprise account.

    4. Excluded Groups:

      Use regular expressions to skip subgroups
      If you have enabled Sync all group memberships, you can create a denylist to ensure that specified group(s) will not be synced by entering a regular expression (that is, a pattern matching a specific group name in your Active Directory). If a group name matches the given regular expression, that group (and its sub-groups, if the "Include nested groups" option is enabled) will not be synced with your LastPass Enterprise account.

    5. Additional attributes to sync:

      Comma separated list:
      Specify the Active Directory user attribute names (for example, sAMAccountName), separated by commas, that you would like to sync with your LastPass Enterprise account.

    6. When finished, click Update settings.
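To make the group-filter rules in the Sync settings concrete, the following is an added Python dry-run, written for this article and not part of the LastPass AD Connector, that applies the pipe-separated DN filter format, the Include nested groups option, the Excluded Groups regular expression, and the "email address required" rule to a constructed sample directory, and then reports which users would lose membership in every filter group (the event that triggers the "removed from group in filter" action). The DNs, users, and group nesting are invented for the example, and matching the exclusion regex against a group's CN is an assumption, since the article does not state what the pattern is tested against.

```python
import re

# Constructed sample directory (not a real domain): group DN -> direct member DNs.
LP1 = "CN=LastPass,OU=Groups,OU=USA,DC=yourdomain,DC=com"
LP2 = "CN=LastPass2,OU=Groups,OU=USA,DC=yourdomain,DC=com"
ENG = "CN=Engineering,OU=Groups,OU=USA,DC=yourdomain,DC=com"
CON = "CN=Contractors,OU=Groups,OU=USA,DC=yourdomain,DC=com"
SAMPLE_GROUPS = {
    LP1: ["CN=Alice,OU=Users,DC=yourdomain,DC=com", ENG,
          "CN=Erin,OU=Users,DC=yourdomain,DC=com"],
    LP2: ["CN=Bob,OU=Users,DC=yourdomain,DC=com"],
    ENG: ["CN=Carol,OU=Users,DC=yourdomain,DC=com", CON],
    CON: ["CN=Dave,OU=Users,DC=yourdomain,DC=com"],
}
# Constructed sample users: user DN -> mail attribute (None = no email address in AD).
SAMPLE_USERS = {
    "CN=Alice,OU=Users,DC=yourdomain,DC=com": "alice@yourdomain.com",
    "CN=Bob,OU=Users,DC=yourdomain,DC=com": "bob@yourdomain.com",
    "CN=Carol,OU=Users,DC=yourdomain,DC=com": "carol@yourdomain.com",
    "CN=Dave,OU=Users,DC=yourdomain,DC=com": "dave@yourdomain.com",
    "CN=Erin,OU=Users,DC=yourdomain,DC=com": None,
}
# Filter string in the article's format: full group DNs separated by "|".
SAMPLE_FILTER = LP1 + "|" + LP2


def parse_group_filter(filter_string):
    """Split the pipe-separated filter into DNs and check each looks like a full group DN."""
    dns = [part.strip() for part in filter_string.split("|") if part.strip()]
    if not dns:
        # The article notes the connector reports "Login failed" when no group is set.
        raise ValueError("at least one group DN is required in the sync filter")
    for dn in dns:
        upper = dn.upper()
        if not upper.startswith("CN=") or ",DC=" not in upper:
            raise ValueError(f"not a full DN (expected CN=...,DC=...): {dn!r}")
    return dns


def group_cn(dn):
    """Return the value of the leading CN RDN, e.g. 'LastPass' for 'CN=LastPass,OU=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expand_group(group_dn, groups, include_nested=True, exclude_re=None):
    """Collect user DNs reachable from group_dn.

    Nested groups are followed only when include_nested is True, and a nested group
    whose CN matches exclude_re is skipped along with everything beneath it
    (assumption: the Excluded Groups regex is tested against the group's CN).
    """
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:          # guards against circular nesting
            continue
        seen.add(dn)
        for member in groups.get(dn, []):
            if member in groups:    # the member is itself a group
                excluded = exclude_re is not None and exclude_re.search(group_cn(member))
                if include_nested and not excluded:
                    stack.append(member)
            else:
                users.add(member)
    return users


def users_in_filter(filter_string, groups, users, include_nested=True, exclude_pattern=None):
    """Dry-run of 'Filter users based on group membership': user DNs the connector would sync."""
    exclude_re = re.compile(exclude_pattern) if exclude_pattern else None
    matched = set()
    for dn in parse_group_filter(filter_string):
        matched |= expand_group(dn, groups, include_nested, exclude_re)
    # Users without an email address in AD are never synced.
    return {u for u in matched if users.get(u)}


def dropped_from_filter(before, after):
    """Users present before but absent after: these trigger the 'removed from group in filter' action."""
    return before - after


if __name__ == "__main__":
    before = users_in_filter(SAMPLE_FILTER, SAMPLE_GROUPS, SAMPLE_USERS)
    print("synced now:", sorted(group_cn(u) for u in before))
    # Simulate Bob being removed from LastPass2 before the next sync cycle.
    changed = dict(SAMPLE_GROUPS)
    changed[LP2] = []
    after = users_in_filter(SAMPLE_FILTER, changed, SAMPLE_USERS)
    print("would trigger the removal action:", sorted(group_cn(u) for u in dropped_from_filter(before, after)))
```

Running the dry-run with and without Include nested groups, or with a candidate Excluded Groups pattern, shows exactly which accounts the filter covers before you enable "Sync only the groups specified in the Filter users section", so that the disable/delete action configured under Actions is not triggered for users you did not expect.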

Debug

  • Configure your Debug settings for troubleshooting AD Connector syncing issues.
    1. In Logging options, choose from the following options:

      Logging level:
      Use the drop-down menu to select one of the following log types:
      • Error
      • Warning
      • Info (default)
      • Debug
      • Trace
      Maximum number of 100MB log files (5-90)
      Select how many 100MB log files to keep; this caps the disk space occupied by the log files.

    2. Clear local cache:
      • Click Clear local cache to manually clear the group and user data that is stored locally by default (use this if you need to restore your Active Directory from a backup).
      • Click Open log folder to open Windows Explorer at C:\ProgramData\LastPass, where you can select your ADConnector.log file. For additional help, contact LastPass Customer Care by selecting Contact Support at the bottom of this article. Once LastPass Customer Care has responded, attach the log file to your ticket for further investigation.

What to do next:

When finished, click Finish, then go to Home and check the box for Enable sync to begin syncing.

Migration

If you have set up Active Directory Federation Services (AD FS) in your LastPass Enterprise account, the Migration option in the LastPass AD Connector can be used to convert non-federated users to federated user accounts. For detailed instructions, see How do I convert an existing LastPass user to a federated (AD FS) user?

Migration tab of LastPass AD Connector