Set Up and Use Windows Login Integration
LastPass can invisibly integrate with the standard Windows Login process to automatically create new users and sign existing users in. To do this, we install a DLL that hooks the Windows login flow using sanctioned/standard Windows protocols. When we receive the password, we hash it and then use the hash to create the user’s LastPass credentials. We never store anything on disk and are careful to not leave anything in memory.
With Windows Login Integration, users within the LastPass Enterprise system are provisioned using their Windows username followed by the @companydomain.com address that your Enterprise uses. Users who are new to LastPass are created the first time they log in to their Windows domain after the integration setup is complete. From that point on, users log in to the Windows domain as they normally would and are automatically logged in to LastPass as well.
Admins can download their preferred installer and set up the Windows Login Integration as follows:
- Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
- Go to Settings > Install Software.
- Use the drop-down menu to select Microsoft Windows (Vista or greater) as the platform.
- Select either 64bit or 32bit as the architecture.
- Select either Automated silent install or MSI file as the installation type.
- Select Yes for the Windows Login Integration option.
- Select either Yes or No for requiring the filling of fields in Windows Applications.
Note: If you select No, the LastPass for Applications software will still be installed, but the ability to use Form Fills will not be included.
- Click the hyperlink for the Windows LastPass Installer download file that corresponds to the selections you've made.
- Follow the remaining instructions on the Install Software page of the Admin Console, as the steps will vary depending on the selections you've made.
After the Windows Login Integration setup is complete, users can link their Windows account with LastPass when they log in for the first time.
- Log in to your Windows account.
- Once logged in, the LastPass for Applications window appears with your pre-populated username (company email address). If the username is incorrect, change it in the Work Email field.
- Check the box to agree to the Terms of Service and Privacy Statement, then choose 1 of the following options:
  - Activate My LastPass Account – If you do not have a LastPass account, select this option to create your new account with the provided company username.
  - I Already Have a LastPass Account – Select this option to map your existing LastPass account to your Windows user name. When prompted, fill in your Windows Username, LastPass Email, and LastPass Master Password, then click OK.
- That's it! Your account is now active, and the LastPass icon in the system tray will turn red indicating you are now logged in to LastPass.
If LastPass detects a mismatch between your Active Directory password and your LastPass Master Password, an error message is displayed indicating the mismatch. To resolve this issue, you will need to either change your LastPass Master Password or Active Directory password.
What happens if a user’s Windows username and company domain address, which is used to log in outside of the work environment, does not match an existing e-mail address?
- If the Windows "email@example.com" address does not match an existing email address, the user is prompted on first login to set a security email address. This address is used for all communications regarding LastPass and can be changed at any time.
How do I make sure my LastPass Master Password changes when my Active Directory/Windows password changes?
- If you change your Windows password on the computer where the Windows Login Integration has already been set up, the change is captured and the Master Password is also updated. To ensure the change is captured, you will need to be in an active LastPass session and change the Windows password on the local machine that has Windows Login Integration enabled. If the Windows password change takes place on another machine (i.e., the admin changes the password for the user), the Master Password and Windows password will be out of sync. In this case, the user will need to manually change their Master Password to match their Windows password.
What happens if the user already has a LastPass Account under their company e-mail address?
- If the username and password for the LastPass account are the same as the Windows login and password, LastPass will attempt to log in using these credentials.
What happens if the user's Windows password is not the same as the password for the pre-existing LastPass account?
- The user will see a pop-up from the LastPass icon in the system tray with the message, “Login failed, does your Windows password match your LastPass password?”
What should the user do if their existing password does not match the Windows password?
- The user will need to log in to LastPass using their existing Master Password, then manually change their Master Password to match their Windows password.
Could a user continue to use two different passwords for Windows login and LastPass login?
- Yes, a user could continue using two different passwords, one to log in to Windows, and another to log in to LastPass. The AutoLogin to LastPass when logging into Windows would continually fail, though, and this would largely defeat the purpose of Windows Login Integration.
If you delete your Windows domain login, can you manually log in to your LastPass account?
- Yes, you can also manually log in to your LastPass account using your LastPass username and Master Password.
Can you log in anywhere using your LastPass credentials?
- Yes, you can always use your LastPass credentials to log in to your account and gain access to your data.