You can configure Dashlane to automatically sync Active Directory (AD) users and groups for automated provisioning and deprovisioning of Dashlane accounts.
If you would like your users to use SSO to sign in, we recommend configuring that first. Get started here.
Video walkthrough
This video provides a detailed walkthrough of configuring Dashlane to automatically sync Active Directory (AD) users and groups for automated provisioning and deprovisioning of Dashlane accounts.
Create an AD group and service account
- Log in to a Windows Server with the Active Directory Users and Computers module.
- Create or identify a group whose members you would like to invite to your business plan. If no group exists, we recommend creating an "AllDashlaneUsers" group.
- Add at least one AD user with an email address to the group.
- Create an Active Directory user that you will use to run the sync script, commonly referred to as a service account. In the example video, we create the "SA_DashlaneSync" service account.
- Add the service account to the local administrators group so it can log in to the machine and run PowerShell scripts.
- Log in as the newly created service account.
Configure the Admin Console
To configure your account for AD synchronization:
- Log in to the Admin Console.
- Select Settings and then Active Directory.
- Turn on Automatic user provisioning and group syncing.
- Once you have verified the sync and that all current Dashlane users are in the scope of the sync, consider turning on Automatic user deprovisioning.
- Click Copy to copy the Dashlane AD script displayed in the gray window to your clipboard.
Configure Active Directory and the sync script
- Log in to a Windows Server or workstation with Windows PowerShell 3.0 or later with the service account we created earlier.
- If you have not done so already, create or identify an Active Directory Security Group that you would like to sync to Dashlane.
- We recommend creating a new group called AllDashlaneUsers to start.
- Add users to the group you would like to have Dashlane accounts.
- Open PowerShell ISE and click File and then New.
- Paste the script saved on your clipboard from Step 4 in Configuring the Admin Console.
- Edit line 21 of the script and enter the group names you want to sync to Dashlane.
- Save the PowerShell Script to the local machine.
- Run the Script by clicking the green arrow in PowerShell ISE.
- Ensure the script returns the following: "code":200,"message":"OK"
- Copy the text string between the dashes to your clipboard.
- Navigate back to the Admin Console and Refresh the page.
- In the Verify security key pop-up, click Continue.
- Enter the text string from your clipboard you copied from step 10 into the text field, and click Verify now.
Verify the sync
- In the Admin Console, view the Users tab and validate that any new users have an Invite pending status.
- On the Groups tab, view the groups that have synced.
- To view your AD sync status in the Admin Console, select Settings and then Active Directory.
- After confirming that all synced users are included in the Active Directory sync groups, we recommend turning on Automatic user deprovisioning.
Schedule a regular sync with Task Scheduler
With the script saved to your domain, you can schedule it to run automatically at an interval you define.
Note that the user account set to run this task must be able to read Organizational Units (OUs) and user accounts in your Active Directory environment.
- Ensure you are logged in under the same service account you used to run the initial sync.
- Scheduling this to run with a different account will not work because the sync key generated is derived from the machine and user used for the sync and needs to remain the same.
- On the Windows Server that will run the script, open Task Scheduler.
- Select Task Scheduler Library.
- Click the Action tab in the top left menu.
- Click Create Task.
- Click the General tab.
- In the Name text box, type Dashlane AD Sync.
- Select Security Options.
- Within Security Options, check the boxes for Run whether user is logged in or not and Run with highest privileges.
Please set a schedule for the script to run by creating a new trigger. In the following example, it will run daily at 1:00 a.m.
- Click the Actions tab.
- Click New Action.
- Under Program/script, type the following: powershell
- Under Add arguments (optional), paste the following:
-file C:\FilePathtoPowershellScript\dashlane-ad-sync.ps1
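The same task can be registered from PowerShell instead of the Task Scheduler GUI. The script below is an added example, not Dashlane's own code: it creates the "Dashlane AD Sync" task with a daily 1:00 a.m. trigger, stores the service account credential so the task runs whether the user is logged on or not, and sets "Run with highest privileges". The script path and the account name `CONTOSO\SA_DashlaneSync` are placeholders; run it as the service account that performed the initial sync.

```powershell
# Added example: registers the "Dashlane AD Sync" scheduled task from PowerShell.
# Run this as the service account that ran the initial sync (see the note above).
$ScriptPath  = 'C:\FilePathtoPowershellScript\dashlane-ad-sync.ps1'   # placeholder path
$ServiceUser = 'CONTOSO\SA_DashlaneSync'                                # placeholder account

if (-not (Test-Path -Path $ScriptPath)) {
    throw "Sync script not found at $ScriptPath"
}

# Equivalent of Program/script = powershell and Add arguments = -file <path>.
# -NonInteractive keeps an unattended run from hanging on a prompt.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NonInteractive -File `"$ScriptPath`""

# Daily at 1:00 a.m., the same trigger used in the example above.
$Trigger = New-ScheduledTaskTrigger -Daily -At 1:00AM

# Stop a hung sync after an hour and run a missed occurrence when the server is back up.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -StartWhenAvailable

# Prompt for the service account password. Supplying -User/-Password stores the
# credential with the task, which is what "Run whether user is logged on or not" does.
$Cred = Get-Credential -UserName $ServiceUser -Message 'Service account used for the initial sync'

Register-ScheduledTask -TaskName 'Dashlane AD Sync' `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password `
    -RunLevel Highest `
    -Description 'Dashlane Active Directory user and group sync' -Force | Out-Null

# Confirm the registration. After the first scheduled run, LastTaskResult should be 0.
Get-ScheduledTask -TaskName 'Dashlane AD Sync' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Because the task stores the service account's password, keep that account limited to what the sync needs (read access to the OUs and users in scope, plus local logon on the sync machine), and check `LastTaskResult` after the first scheduled run rather than assuming the sync succeeded.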
Some considerations
- Once you've configured sync, we recommend managing your Dashlane groups and users exclusively via your Active Directory.
- All users considered by the script must have a specified email address in Active Directory.
- Admins cannot deprovision all admin users because every business plan must have at least one active admin.
- Admins cannot deprovision all billing admins because every business plan must have at least one active billing admin.
- The number of users in the synced groups must not be higher than the available seats in your account.
Users-only sync
To sync only the AD group members and not create a Dashlane sharing group, edit lines 124 and 125 of the AD sync script.
Example:
Before the change to line 124 and 125:
$DataStr += $GroupInfo.ObjectGUID
$DataStr += $GroupInfo.Name
After the change to line 124 and 125:
$DataStr += $GroupInfo.Sync_Users_Only
$DataStr += $GroupInfo.Sync_Users_Only
Error messages
Error Message 400
Dashlane sync responded with the following: {"code":400,"message":"Bad Request"}
To resolve the error:
- Ensure you are not attempting to sync more users than you have purchased seats.
- Ensure the Active Directory Module for Windows PowerShell is installed.
- Ensure you have configured HTTPS security settings or have opened Internet Explorer and gone through the first-run configuration wizard.
- Ensure at least one user with an email address is in the Active Directory group you are attempting to sync.
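Several of the points in "Some considerations" and in the 400 checklist can be verified before running the sync. The script below is an added pre-flight check, not part of Dashlane's sync script: it confirms the Active Directory module is installed, resolves the members of the sync groups (including nested groups), lists members that have no `mail` attribute, and compares the number of users in scope with the seats on the plan. The group name `AllDashlaneUsers` and the seat count of 50 are placeholders to adjust for your environment.

```powershell
# Added pre-flight check (not part of Dashlane's script). Run it as the sync service
# account before the sync to catch the usual causes of a 400 response.
$SyncGroups     = @('AllDashlaneUsers')   # same group names as on line 21 of the sync script
$AvailableSeats = 50                      # placeholder: seats purchased on your plan

# The sync script needs the AD module (RSAT-AD-PowerShell feature on Windows Server).
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'The Active Directory Module for Windows PowerShell is not installed.'
}
Import-Module ActiveDirectory

$Users = foreach ($Group in $SyncGroups) {
    # -Recursive expands nested groups; only user objects are provisioned
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail
}
# A user present in several sync groups should be counted once.
$Users = @($Users | Sort-Object -Property DistinguishedName -Unique)

# Every user the script considers must have an email address in AD.
$NoMail = @($Users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })
if ($NoMail.Count -gt 0) {
    Write-Warning ("{0} member(s) have no mail attribute and cannot be provisioned:" -f $NoMail.Count)
    $NoMail | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

if ($Users.Count -eq 0) {
    Write-Warning 'No users found in the sync groups; at least one user with an email address is required.'
}

# The number of users in the synced groups must not exceed the available seats.
if ($Users.Count -gt $AvailableSeats) {
    Write-Warning ("{0} users in scope but only {1} seats; reduce group membership or add seats." -f `
        $Users.Count, $AvailableSeats)
}

"{0} users in scope, {1} with an email address, {2} seats available." -f `
    $Users.Count, ($Users.Count - $NoMail.Count), $AvailableSeats
```

Running this on the sync machine as the service account also exercises the AD read permissions the task needs, so a permissions problem shows up here rather than as an opaque sync failure.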
No Directory sync key is showing up
To resolve the error:
- In your PowerShell script, change the number at the end of the DashlaneDirectorySyncKey## container name to a new number to force a new sync key.
- Save and run the script.
Example:
Before the change to line 104 (may be a few numbers off depending on how many groups you have):
$CspParameters.KeyContainerName = "DashlaneDirectorySyncKey53"
After the change to line 104:
$CspParameters.KeyContainerName = "DashlaneDirectorySyncKey54"
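The `KeyContainerName` line explains both this fix and the earlier note that the scheduled task must run as the same user on the same machine: the sync key is an RSA key pair persisted in the Windows CSP key store, which by default is scoped to the current user's profile on that machine, and a container that does not exist yet is created with a fresh key pair. The script below is an added illustration of that behaviour and is not part of Dashlane's script. It uses throwaway container names (`DemoSyncKey53` and `DemoSyncKey54`) so it does not touch the real sync key, and it deletes them when done.

```powershell
# Added illustration (not part of Dashlane's script) of how a CSP key container behaves.
function Get-ContainerPublicKey {
    param([string]$ContainerName)
    $Csp = New-Object System.Security.Cryptography.CspParameters
    $Csp.KeyContainerName = $ContainerName   # same property the sync script sets
    # Opens the named container if it exists for this user on this machine;
    # otherwise a new 2048-bit key pair is generated and persisted under that name.
    $Rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider `
        -ArgumentList 2048, $Csp
    try {
        $Rsa.ToXmlString($false)   # public half only
    } finally {
        $Rsa.Dispose()
    }
}

function Remove-KeyContainer {
    param([string]$ContainerName)
    $Csp = New-Object System.Security.Cryptography.CspParameters
    $Csp.KeyContainerName = $ContainerName
    $Rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $Csp
    $Rsa.PersistKeyInCsp = $false   # with persistence off, Clear() deletes the container
    $Rsa.Clear()
}

$Old = 'DemoSyncKey53'   # throwaway names; do not use the name from the real script
$New = 'DemoSyncKey54'

$First  = Get-ContainerPublicKey $Old
$Second = Get-ContainerPublicKey $Old   # same user, machine and name: the stored key is reused
$Third  = Get-ContainerPublicKey $New   # different name: a new key pair is created

"Same container name returns the same public key: {0}" -f ($First -eq $Second)
"Renamed container returns a different public key: {0}" -f ($First -ne $Third)

Remove-KeyContainer $Old
Remove-KeyContainer $New
```

This is why renumbering the container name in the script forces a new key that the Admin Console must verify again, and why running the task as a different account, which has its own key store, would present a different key than the one already verified.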
Error Message 403
Dashlane sync responded with the following: {"code":403,"message":"Forbidden"}
To resolve the error:
- Log in to the Admin Console.
- Select Settings and then Active Directory.
- Enable automatic user and group provisioning.
Error Message Error member_removal_over_limit
The AD sync script has a built-in limit that prevents accidental mass user offboarding. On occasion, mass user offboarding is necessary, so you will need to increase the limit of users you can offboard from your plan.
To resolve the error:
- In your PowerShell script, add a ";removalLimit=###" to the end of the following line (around line 155) and manually run the script.
Example: This example offboards 100 users with the sync script.
Before the change around line 155:
$Payload = @{adLogins=$FileContentEncoded;adToken=$INSTALL_TOKEN;teamId=$TEAM_ID;signature=$SignatureHash;publicKey=$PublicKeyHash}
After the change, with the removal limit set to 100, allowing the removal of up to 100 users:
$Payload = @{adLogins=$FileContentEncoded;adToken=$INSTALL_TOKEN;teamId=$TEAM_ID;signature=$SignatureHash;publicKey=$PublicKeyHash;removalLimit=100}
After your users are offboarded via the sync, consider removing the added text to set it back to the default setting, which is 10 users or 5% of all users, whichever is greater.