Dashlane can be configured to automatically sync Active Directory (AD) users and groups for automated provisioning and deprovisioning of Dashlane accounts.
Video walk-through
Create an AD Group & Service Account
- Log in to a Windows Server that has the Active Directory Users and Computers module installed.
- Create or identify a group whose members you would like to invite to your business plan. If no such group exists, we recommend creating one named 'AllDashlaneUsers'.
- Add at least one AD user with an e-mail address to the group.
- Create an Active Directory user that you will use to run the sync script, commonly referred to as a service account. In the example video we create "SA_DashlaneSync".
- Add the service account to the local Administrators group so that it can log in to the machine and run PowerShell scripts.
- Log in as the newly created service account.
Configuring the Admin Console
To configure your account for AD synchronization, follow the steps below:
- Log in to your Admin Console by going to http://console.dashlane.com
- Click Settings > Active Directory
- Select the option to enable "Automatic user provisioning and group syncing"
- Consider turning on "Automatic User Deprovisioning" once you have verified the sync and confirmed that all current Dashlane users are in scope of the sync
- Click Copy to copy the Dashlane AD script displayed in the gray window to your clipboard
Configuring Active Directory and the Sync script
- Log in to a Windows Server or workstation that has Windows PowerShell 3.0 or later, using the service account created earlier.
- If you have not done so already, create or identify an Active Directory security group that you would like to sync to Dashlane.
- We recommend creating a new group called AllDashlaneUsers to start with
- Add the users you would like to have Dashlane accounts to that group
- Open PowerShell ISE > File > New
- Paste the script copied to your clipboard in Step 4 of "Configuring the Admin Console" above
- Edit line 21 of the script and enter the names of the groups you wish to sync to Dashlane
- Save the PowerShell script to the local machine
- Run the script by clicking the green arrow in PowerShell ISE
- Ensure the script returns "code":200,"message":"OK"
- Copy the text string between the dashes to your clipboard
- Navigate back to http://console.dashlane.com and refresh the page
- In the "Verify security key..." pop-up, click Continue
- Enter the text string you copied to your clipboard in step 10 into the text field and click Verify now
Verifying the Sync
- In the Admin Console view the Users tab and validate that any new users have an Invite pending status
- On the Groups tab view the groups that have synced
- You can view your AD sync status in the Admin Console in Settings > Active Directory
- We recommend turning on Automatic Deprovisioning only once you have confirmed that all synced users are included in the Active Directory sync groups.
Scheduling regular Sync with Task Scheduler
With the script saved to your domain, you can schedule it to run automatically at an interval you define.
Note that the user account set to run this task must be able to read Organizational Units (OUs) and user accounts in your Active Directory environment.
- Open Task Scheduler on a Windows Server that will run the script
- Select Task Scheduler Library
- Click the Action tab in the top left menu
- Then click "Create Task"
- Next click the General tab
- Type Dashlane AD Sync in the "Name:" text box
- Next select Security Options
- Within Security Options: Check the boxes for "Run whether user is logged in or not" and "Run with highest privileges"
Set a schedule for the script to run by creating a new trigger. In the example, the task runs daily at 1:00 a.m.
Then, click the Actions tab.
- Click New Action
- Under "Program/script," type in powershell
- Under "Add arguments (optional)", paste -file C:\FilePathtoPowershellScript\dashlane-ad-sync.ps1
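The same task can be registered from PowerShell instead of the Task Scheduler GUI. This is an added example, not part of the Dashlane article or its sync script; the domain, service account name and script path are assumed values, and the Bypass-free command line matches the "-file" argument given above.

```powershell
# Added example: register the "Dashlane AD Sync" task described in the steps above.
# Assumed values: domain/account name and the path to the saved sync script.
$scriptPath  = 'C:\FilePathtoPowershellScript\dashlane-ad-sync.ps1'
$serviceUser = 'CONTOSO\SA_DashlaneSync'   # assumed domain\service account

# Prompt for the service account password; it is stored with the task so that
# it can "Run whether user is logged in or not".
$credential = Get-Credential -UserName $serviceUser -Message 'Service account password'

# Actions tab: Program/script = powershell, Add arguments = -file <script path>
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-file `"$scriptPath`""

# Triggers tab: daily at 1:00 a.m., as in the example schedule above
$trigger = New-ScheduledTaskTrigger -Daily -At 1am

# General tab: run as the service account, logged on or not, with highest privileges
Register-ScheduledTask -TaskName 'Dashlane AD Sync' `
    -Description 'Syncs Active Directory groups and users to Dashlane' `
    -Action $action -Trigger $trigger `
    -User $credential.UserName `
    -Password $credential.GetNetworkCredential().Password `
    -RunLevel Highest

# Check the task exists and, after its first run, that it exited with 0
Get-ScheduledTask -TaskName 'Dashlane AD Sync' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

A LastTaskResult other than 0 after the first scheduled run usually means the service account could not read the AD objects or run the script, which the note above about OU and user read access addresses.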
Some considerations
- Once sync is configured, we recommend managing your Dashlane groups and users exclusively via your Active Directory.
- All users considered by the script must have an e-mail address specified in Active Directory.
- Admins cannot deprovision all admin users, as there must be at least one active admin for every business plan.
- Admins also cannot deprovision billing admins, as there must be at least one active billing admin for every business plan.
- The number of users in the synced groups must not be higher than the available seats in your account.
Users only sync
To sync only the members of the AD group, without creating a Dashlane sharing group, edit lines 124 and 125 of the AD sync script.
Before change (lines 124 and 125):
$DataStr += $GroupInfo.ObjectGUID
$DataStr += $GroupInfo.Name
After change (lines 124 and 125):
$DataStr += $GroupInfo.Sync_Users_Only
$DataStr += $GroupInfo.Sync_Users_Only
Error messages
Message: Dashlane sync responded with: {"code":400,"message":"Bad Request"}
Solution:
1. Ensure you are not attempting to sync more users than you have purchased seats.
2. Ensure the Active Directory Module for Windows PowerShell is installed.
3. Ensure you have configured HTTPS security settings, or have opened Internet Explorer and gone through the first-run configuration wizard.
4. Ensure at least one user with an e-mail address is in the Active Directory group you are attempting to sync.
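Causes 1, 2 and 4 of the 400 error, and the e-mail and seat-count considerations listed above, can be checked before the sync script runs. The following pre-flight check is an added example and not part of Dashlane's sync script; it assumes the RSAT Active Directory module, and the group names and seat count are values you supply.

```powershell
# Added example: pre-flight check for the AD sync. Not Dashlane's script.
# $GroupNames should match the groups entered on line 21 of the sync script;
# $AvailableSeats is the number of seats purchased on your plan (assumed value).
param(
    [string[]]$GroupNames = @('AllDashlaneUsers'),
    [int]$AvailableSeats  = 50
)

# Cause 2: the Active Directory module must be installed
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'ActiveDirectory module not found. Install RSAT: Active Directory module for Windows PowerShell.'
}
Import-Module ActiveDirectory

# Collect user members of every sync group (nested groups included) and
# de-duplicate, since a user in two groups still uses one seat.
$members = foreach ($group in $GroupNames) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties mail
}
$members = @($members | Sort-Object ObjectGUID -Unique)

# Cause 4 / consideration: every user needs a mail attribute
$noMail = @($members | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })
if ($noMail.Count -gt 0) {
    Write-Warning ("{0} user(s) have no e-mail address in AD and will not sync:" -f $noMail.Count)
    $noMail | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# Cause 1 / consideration: users with e-mail must fit in the purchased seats
$inScope = $members.Count - $noMail.Count
if ($inScope -gt $AvailableSeats) {
    Write-Warning ("{0} users are in scope but only {1} seats are available." -f $inScope, $AvailableSeats)
} else {
    Write-Host ("{0} of {1} seats would be used by the sync." -f $inScope, $AvailableSeats)
}
```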
Message: No Directory sync key is showing up.
Solution: In your PowerShell script, change the number at the end of the DashlaneDirectorySyncKey## container name to a new number to force a new sync key. Save and run the script.
Before change (line 104; may be a few lines off depending on how many groups you have):
$CspParameters.KeyContainerName = "DashlaneDirectorySyncKey53"
After change (line 104):
$CspParameters.KeyContainerName = "DashlaneDirectorySyncKey54"