HELP FILE

Set Up the LastPass Active Directory Connector

The LastPass Active Directory Connector (AD Connector) sync client is a Windows service that is run locally and can be downloaded from the Admin Console within your LastPass Enterprise account. It connects to your Active Directory environment to support a variety of provisioning and management processes in LastPass Enterprise.

Note: Please do not install the Active Directory Connector on your domain controller.

If desired, you can set up Active Directory Federation Services (AD FS) in your LastPass Enterprise account to allow your users to utilize their Active Directory credentials when logging in to LastPass.

Topics in this article:

  • System requirements
  • Install the Active Directory Connector
  • Configure the Connection settings
  • Configure the Actions settings
  • Configure the Sync settings
  • Configure proxy settings
  • Debug

System requirements

To install the Active Directory Connector, your local environment must meet the minimum requirements below.

Note: System requirements may vary depending on your Active Directory environment.

Processor – Intel Core Duo
Operating System* –
  • Windows 8.1 (x64) or later
  • Server 2012 R2 (x64) or later
Memory – 8 GB of RAM
Disk Space – 500 MB or more
Bandwidth – Consumes 200 Mbps or more per day
Software – LastPass Active Directory Connector desktop app

*Operating system must have .NET Framework 4.5.2 or later installed

Install the Active Directory Connector

Note: Please do not install the Active Directory Connector on your domain controller.

First, you will need to install the AD Connector, as follows:

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to Settings > Directory integrations > Download AD Connector.
  3. When prompted, click Save, then Run the LastPassADConnector.msi file. If prompted by User Account Control, click Yes to allow.
  4. On the LastPass AD Connector Setup Wizard, click Next.
  5. Check the box to enable the "I accept the terms in the License Agreement" option, then click Next.
  6. Confirm your desired installation path, then click Next.
  7. Click Install. If prompted by User Account Control, click Yes to allow.
  8. When the installation is complete, click Finish. If prompted by User Account Control, click Yes to allow.
  9. Once installed, a login prompt will appear. Log in with your LastPass Enterprise admin email address and Master Password, then click Login.

Configure the Connection settings

Next, you must configure the connection between LastPass and your Active Directory by entering the following information:

  • Connection configuration – The domain to connect to (e.g., lpadsync), or a specific domain controller to connect to instead of the domain (e.g., lp-adsync-dc01.lpadsync.local)
  • Credentials – Current user login credentials or a specific set of user credentials
  • Base DN – Automatically discover or specify a BaseDN. This is the root node under which all of your relevant user and group objects are located. For optimal performance, it is recommended that all relevant users and their embedded groups be located under the specified BaseDN.

When finished, click Next to configure the Actions settings.

Configure the Actions settings

Once your Connection settings are configured, you will then configure your Actions settings to specify what actions should be performed when specific events happen to users in your Active Directory.

Note: It is recommended to use the "disable" account option instead of "delete" to prevent unwanted actions against user accounts (i.e., full Vault data loss for a deleted user).

Choose from the following options:

When a user in Active Directory is detected:

  • Add the user in the Enterprise Console, but require approval – This will sync users between your Active Directory and LastPass, but will place them in a "pending" status (and require manual approval for each) instead of immediately creating an account for each user.
  • Automatically create user in LastPass – This will automatically create accounts for every new user, and send them an automated Welcome email containing a temporary password, and instructions to create their individual Master Password. WARNING! This option must be selected if you are provisioning federated users via the LastPass Enterprise integration with Active Directory Federation Services (AD FS).
  • Do nothing – No action will be taken.

When a user in Active Directory is deleted:

  • Administratively disable the LastPass account – This will free up the user seat to be distributed to another user, however, the user account will continue to exist within your LastPass Enterprise account, and the user will be unable to log in and use LastPass unless they are re-enabled.
  • Remove from Enterprise account, but do not delete user – This will free up the user seat to be distributed to another user and remove them from your LastPass Enterprise account, however, it will convert the account into a LastPass free user, and all Vault data within the account will remain accessible to the user.
  • Automatically delete their LastPass account – This will free up the user seat to be distributed to another user, however, it will also completely delete the LastPass account and all of the data within the user's Vault.

When a user in Active Directory is disabled:

  • Administratively disable the LastPass account – This will free up the user seat to be distributed to another user, however, the user account will continue to exist within your LastPass Enterprise account, and the user will be unable to log in and use LastPass unless they are re-enabled.
  • Automatically delete their LastPass account – This will free up the user seat to be distributed to another user, however, it will also completely delete the LastPass account and all of the data within the user's Vault.
  • Remove from Enterprise account, but do not delete user – This will free up the user seat to be distributed to another user and remove them from your LastPass Enterprise account, however, it will convert the account into a LastPass free user, and all Vault data within the account will remain accessible to the user.

When a user in Active Directory is removed from group in filter:

  • Administratively disable the LastPass account – This will free up the user seat to be distributed to another user, however, the user account will continue to exist within your LastPass Enterprise account, and the user will be unable to log in and use LastPass unless they are re-enabled.
  • Automatically delete their LastPass account – This will free up the user seat to be distributed to another user, however, it will also completely delete the LastPass account and all of the data within the user's Vault.
  • Remove from Enterprise account, but do not delete user – This will free up the user seat to be distributed to another user and remove them from your LastPass Enterprise account, however, it will convert the account into a LastPass free user, and all Vault data within the account will remain accessible to the user.
  • Do nothing – No action will be taken.

When you have selected all of your Action settings, click Next to configure the Sync settings.

Configure the Sync settings

Once you have configured your Actions settings, you will then configure your Sync settings to specify your fields, groups, and users that you would like to sync between LastPass and your Active Directory.

Note: Users must have an email address listed in Active Directory in order to be synced with LastPass.

Sync configuration:

  • Sync user's full name from AD – This option will sync the full name of each user to appear in LastPass when enabled. By default, LastPass only lists users by their username (i.e., email address).
  • Create groups in LastPass – If a group exists in Active Directory but not in LastPass, enabling this option will create these groups in LastPass. If you are creating groups in LastPass based on your Active Directory, any existing groups in LastPass will be removed and replaced with the specified Active Directory Groups.
  • Sync search interval – This will force the AD Connector to check for and make changes in a cycle according to the designated time interval (between 5 and 3600 seconds).

Filter users based on group membership:

  • You can click on Browse and Search to easily navigate within your connected Active Directory groups, and select only the groups that you'd like to sync. If you have added user group(s) that you decided you don't want to sync, click to select the group, then click Remove selected groups.
  • You can also limit which users are added to your Enterprise by specifying a sync filter within the AD Connector. This field should be populated with the DN string of the group you’d like to filter. A good source for an accurate DN string is through the use of the ADSI Edit tool. When adding multiple groups to sync filters, use the full DN strings in the following format:

CN=LastPass,OU=Groups,OU=USA,DC=yourdomain,DC=com|CN=LastPass2,OU=Groups,OU=USA,DC=yourdomain,DC=com

User memberships:

  • Sync all group memberships – This will sync all user groups within your Active Directory with your LastPass Enterprise account.
  • Use whitelist to filter groups – Use Browse or Search to locate and select an umbrella group which directly contains the groups to be synced; the selected umbrella group itself will not be whitelisted.
  • Include nested groups – Check the box to enable this option if you want all sub-groups within a group to be included while syncing (e.g., if Group A includes Group B and Group B includes Group C, then Groups A, B, and C will be included). This allows you to consolidate user accounts, remove duplicate access, and automatically give site or shared folder access to nested groups.
  • Sync only the groups specified in the Filter users section – Please use this setting with extreme caution. This option will only sync users within the groups specified in the Filter users based on group membership list you specified. If a user in your Active Directory loses membership in all specified groups, the disable/delete action you specified in your Actions settings is triggered, and could result in disabling or deleting users outside of your selected groups. For this reason, it is highly recommended that you select a group set that includes all users that should be synced to avoid unwanted actions when enabling this setting. Note: Ensure that all relevant users, groups, and sub-groups are all located under the selected BaseDN you specified in your Connection settings.
  • Do not sync group memberships – This option will not sync any user groups within your Active Directory with your LastPass Enterprise account.
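The following is an added example, not part of this help article or of the AD Connector itself. It models, over a small constructed directory, how the pipe-separated DN filter shown above is parsed, how "Include nested groups" changes which users fall inside the filter, and which users would be left without group membership (and so receive the disable/delete action) if "Sync only the groups specified in the Filter users section" were enabled; users with no email address are skipped as the note above states. The group and user DNs, the `plan` function and the action names are constructed for illustration.

```python
import re

# Constructed sample directory (not real data). Group DN -> direct member DNs;
# user DN -> mail attribute (None: no email in AD, so the user can never sync).
BASE = "OU=USA,DC=yourdomain,DC=com"
GROUPS = {
    f"CN=LastPass,OU=Groups,{BASE}": {f"CN=Engineering,OU=Groups,{BASE}",  # nested group
                                      f"CN=alice,OU=Users,{BASE}"},
    f"CN=Engineering,OU=Groups,{BASE}": {f"CN=bob,OU=Users,{BASE}"},
    f"CN=Contractors,OU=Groups,{BASE}": {f"CN=carol,OU=Users,{BASE}"},
}
USERS = {
    f"CN=alice,OU=Users,{BASE}": "alice@yourdomain.com",
    f"CN=bob,OU=Users,{BASE}": "bob@yourdomain.com",
    f"CN=carol,OU=Users,{BASE}": "carol@yourdomain.com",
    f"CN=dave,OU=Users,{BASE}": None,
}
DN_RE = re.compile(r"^CN=[^,]+(,(OU|DC)=[^,]+)+$")  # full DN, not a bare group name

def parse_filter(filter_string):
    """Split the pipe-separated filter into DNs; reject anything that is not a full DN."""
    dns = [p.strip() for p in filter_string.split("|") if p.strip()]
    if bad := [dn for dn in dns if not DN_RE.match(dn)]:
        raise ValueError("not a full DN: " + ", ".join(bad))
    return dns

def members(group_dn, nested, seen=None):
    """User DNs reachable from a group; sub-groups are followed only when nested is True."""
    seen = {group_dn} if seen is None else seen  # guards against group cycles
    found = set()
    for m in GROUPS.get(group_dn, ()):
        if m not in GROUPS:
            found.add(m)
        elif nested and m not in seen:
            seen.add(m)
            found |= members(m, nested, seen)
    return found

def plan(filter_string, nested, leave_action):
    """Dry run: each user is 'synced', 'skipped' (no email), or gets leave_action
    ('disable'/'delete'), i.e. what 'Sync only the groups specified' would do."""
    in_scope = set()
    for dn in parse_filter(filter_string):
        in_scope |= members(dn, nested)
    result = {}
    for user, mail in USERS.items():
        result[user] = ("skipped" if mail is None else
                        "synced" if user in in_scope else leave_action)
    return result
```

Run `plan(...)` with your intended filter before enabling the setting; any user listed with the leave action is outside the selected groups and would be disabled or deleted.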

Excluded Groups:

  • Use regular expressions to skip subgroups – If you have enabled the Sync all group memberships option, you can create a blacklist to ensure specified group(s) won't be synced by entering the regular expression (i.e., specific group name in your Active Directory). If there is a match for the given regular expression, then that group (and sub-groups if the "Include nested groups" option is enabled) won’t be synced with your LastPass Enterprise account.

Additional attributes to sync:

  • Comma separated list – Here you can specify an Active Directory user attribute name (e.g., sAMAccountName) that you'd like to sync with your LastPass Enterprise account.

When you have selected all of your Sync settings, click Next to configure the Debug settings.

Configure proxy settings

Proxy settings can be configured per executable, for all .NET apps, or per user by using IE settings. The UI can authenticate to the proxy with Kerberos using the credentials of the currently logged-in user (who must be a domain user); the service authenticates with the credentials of the machine (which must be joined to the domain). Changing the proxy settings for only the currently logged-in user is not enough, because only the AD Connector UI runs as that user, while the sync service runs as NT AUTHORITY\SYSTEM.

For detailed instructions, you can validate your proxy settings.

Debug

You can configure your Debug settings for troubleshooting AD Connector syncing issues.

Logging options:

  • Logging level – Use the drop-down menu to select 1 of the following log types:
    • Error
    • Warning
    • Info (default)
    • Debug
    • Trace
  • Maximum number of 100MB log files (5-90) – Select the desired amount of space you'd like to be occupied by the log files.

Clear local cache:

  • Click Clear local cache to manually clear the group and user data that is stored locally by default (this should be used if you need to restore your Active Directory from a backup).
  • Click Open log folder to open Windows Explorer and navigate to C:\ProgramData\LastPass to select your ADConnector.log file and send it to support@lastpass.com if you need support or encounter issues using the LastPass AD Connector.

When finished, click Finish, then go to Home and check the "Enable" box to begin syncing.