Articles in this section

Active Directory Integration

Dashlane can be configured to automatically sync Active Directory (AD) users and groups for automated provisioning and deprovisioning of Dashlane accounts.

If you would like your users to use SSO to sign in we recommend configuring that first. Get started here.

Content

  1. Video walk-through
  2. Create an AD Group & Service Account
  3. Configuring the Admin Console
  4. Configuring Active Directory and Sync script
  5. Verifying the Sync
  6. Scheduling regular Sync with Task Scheduler
  7. Some considerations
  8. Users Only Sync
  9. Error messages

Video walk-through

Create an AD Group & Service Account

  1. Login to a Windows Server that has the Active Directory Users and Computers module.
  2. Create or identify a group who's members you would like to invite to your business plan. If no group exists we recommend creating a group named 'AllDashlaneUsers'.
  3. Add at least one AD user with an e-mail address to the group.
  4. Create an Active Directory user that you will use to run the sync script, commonly referred to as a service account. In the example video we create "SA_DashlaneSync"
  5. Add the Service account to the local administrators group so it has the ability to login to the machine and run Powershell scripts.
  6. Login as the newly created service account.

Configuring the Admin Console

To configure your account for AD synchronization, follow the steps below:

  1. Log in to your Admin Console by going to http://console.dashlane.com
  2. Click Settings > Active Directory 
  3. Select the option to enable "Automatic user provisioning and group syncing"
    • Consider turning on "Automatic User Deprovisioning" once you have verified the sync, and verified that all current Dashlane users are in scope of the sync
  4. Click Copy to copy Dashlane AD script displayed in the gray window to copy it to your clipboard

Active_Directory_activate.png

Configuring Active Directory and Sync script

  1. Log in to a Windows Server or workstation that has Windows Powershell 3.0 or later with the Service Account we created earlier.
  2. If you have not done so already, create or identify an Active Directory Security Group that you would like to sync to Dashlane.
    • We recommend creating a new group called AllDashlaneUsers to start with
  3. Add users to the group you would like to have Dashlane accounts
  4. Open Powershell ISE > File > New
  5. Paste the script saved on your clipboard from Step 4 in the instructions above ("Configuring the Admin Console")
  6. Edit line 21 of the script, enter the group names you wish to sync to Dashlane
    mceclip2.png
  7. Save the Powershell Script to the local machine
  8. Run the Script by clicking the green arrow in Powershell ISE
    mceclip2.png
  9. Ensure the script returns "code":200,"message":"OK" 
  10. Copy the text string between the dashes to your clipboard
  11. Navigate back to http://console.dashlane.com and Refresh the page
  12. In the "Verify security key..." pop-up, click Continue
     Verify_security_key_for_AD.png
  13. Enter the text string from your clipboard you copied from step 10 into the text field and click Verify now
    Verify_script_for_AD.png

Verifying the Sync

  1. In the Admin Console view the Users tab and validate that any new users have an Invite pending status

    invite_pending_1.png
  2. On the Groups tab view the groups that have synced
  3. You can view your AD sync status in the Admin Console in Settings > Active Directory
  4. It is recommended to turn on Automatic Deprovisioning once you have confirmed that all synced users are included in the Active Directory sync groups.

Scheduling regular Sync with Task Scheduler

With the script saved to your domain, you can schedule it to run automatically at an interval you define.

Note that the user account set to run this task must be able to read Organizational Units (OU's) and user accounts in your Active Directory environment.

  1. Ensure you are logged in under the same service account you used to run the initial sync.
    • Scheduling this to run with a different account will not work, as the sync key generated is derived from the machine and user used for the sync, and needs to remain the same.
  2. Open Task Scheduler on a Windows Server that will run the script
  3. Select Task Scheduler Library
  4. Click the Action tab in the top left menu
  5. Then click “Create Task
  6. Next click the General tab
  7. Type Dashlane AD Sync in the "Name:" text box
  8. Next select Security Options
  9. Within Security Options: Check the boxes for "Run whether user is logged in or not" and "Run with highest privileges"

Please set a schedule for the script to run by creating a new trigger. In the example shown below, it will run daily at 1:00 a.m.

en.png

Then, click the Actions tab.

  1. Click New Action
  2. Under "Program/script," type in powershell
  3. Under "Add arguments (optional)", paste -file C:\FilePathtoPowershellScript\dashlane-ad-sync.ps1

    AD-editAction.png

Some considerations

  • Once sync is configured, we recommend managing your Dashlane groups and users exclusively via your Active Directory.
  • All users considered by the script must have a specified email address in Active Directory
  • Admins cannot deprovision all admin users, as there must be at least one active admin for every business plan.
  • Admins also cannot deprovision billing admins, as there must be at least one active billing admin for every business plan
  • The number of users in the synced groups must not be higher than the available seats in your account.

Users only sync

To sync only the members of the AD group and not create a Dashlane sharing group, edit line 124 and 125 of the AD sync script.

Before Change: line 124 and 125

$DataStr += $GroupInfo.ObjectGUID
$DataStr += $GroupInfo.Name

After Change: line 124 and 125

$DataStr += $GroupInfo.Sync_Users_Only
$DataStr += $GroupInfo.Sync_Users_Only

 

Error messages

Error Message

Dashlane sync responded with: {"code":400,"message":"Bad Request"}

Solution

1. Ensure you are not attempting to sync more users than you have purchased seats.

2. Ensure the Active Directory Module for Windows PowerShell is installed.
mceclip0.png

 

3. Ensure you have configured https security settings or have opened Internet Explorer and gone through the first-run configuration wizard.

4. Ensure at least one user with an e-mail address is in the Active Directory group you are attempting to sync.

 

No Directory sync key is showing up.

In your PowerShell script, change the DashlaneDirectorSyncKey## variable to a new number to force a new sync key. Save and run the script.

Before Change: line 104 (may be a few numbers off depending on how many groups you have)

 $CspParameters.KeyContainerName = "DashlaneDirectorySyncKey53"

After Change: line 104

 $CspParameters.KeyContainerName = "DashlaneDirectorySyncKey54"

 

Error Message

Dashlane sync responded with: {"code":403,"message":"Forbidden"}

Solution

Enable 'automatic user and group provisioning' in Dashlane admin console from the Active Directory tab.

 

Error Message

Error member_removal_over_limit

mceclip0.png

The AD sync script has a built-in limit that prevents accidental mass user offboarding. On occasion, mass user offboarding is necessary so you will need to increase the limit of users that can be offboarded from your plan.

Solution

add a ";removalLimit=###"  to the end of the following line,  (around line 155) of the powershell sync script.  Run the sync script again. After your users are offboarded via the sync, consider removing the added text to set it back to the default setting, which is 10 users or 5% of all users, whichever is greater.

In the example below, I will be able to offboard 100 users with the sync script.

$Payload = @{adLogins=$FileContentEncoded;adToken=$INSTALL_TOKEN;teamId=$TEAM_ID;signature=$SignatureHash;publicKey=$PublicKeyHash;removalLimit=100}

Was this article helpful?
6 out of 24 found this helpful
Return to top

Related articles

Can't find what you're looking for?

Contact us
Powered by Zendesk