As an admin of a Dashlane professional plan, you can configure Dashlane to automatically sync Active Directory (AD) users and groups for automated provisioning and deprovisioning of Dashlane accounts.
Manage the provisioning of plan members with SCIM
Video walkthrough
This video provides a detailed walkthrough of configuring Dashlane to automatically sync Active Directory (AD) users and groups for automated provisioning and deprovisioning of Dashlane accounts.
Create an AD group and service account
- Log in to a Windows Server with the Active Directory Users and Computers module.
- Create or identify a group whose members you would like to invite to your plan. If no group exists, we recommend creating an "AllDashlaneUsers" group.
- Add at least one AD user with an email address to the group.
- Create an Active Directory user that you will use to run the sync script, commonly referred to as a service account. In the example video, we create the "SA_DashlaneSync" service account.
- Add the service account to the local admins group so it can log in to the machine and run PowerShell scripts.
- Log in as the newly created service account.
Configure the Admin Console
To configure your account for AD synchronization:
- Log in to the Admin Console.
- Select Integrations, Provisioning, and then Set up for Active directory.
- Turn on Automatic user provisioning and group syncing.
- Once you have verified the sync and that all current Dashlane members are in the scope of the sync, consider turning on Automatic user deprovisioning.
- Select Copy to copy the Dashlane AD script displayed in the gray window to your clipboard.
Configure Active Directory and the sync script
- Log in to a Windows Server or workstation with Windows PowerShell 3.0 or later with the service account we created earlier.
- If you have not done so already, create or identify an Active Directory Security Group that you would like to sync to Dashlane.
- We recommend creating a new group called AllDashlaneUsers to start.
- Add users to the group you would like to have Dashlane accounts.
- Open PowerShell ISE and select File and then New.
- Paste the script saved on your clipboard from Step 4 in Configuring the Admin Console.
-
Edit line 21 of the script and enter the group names you want to sync to Dashlane.
- Save the PowerShell Script to the local machine.
-
Run the Script by selecting the green arrow in PowerShell ISE.
- Ensure the script returns the following: "code":200,"message":"OK"
- Copy the text string between the dashes to your clipboard.
- Navigate back to the Admin Console and Refresh the page.
- In the Verify security key pop-up, select Continue.
- Enter the text string from your clipboard you copied from step 10 into the text field, and select Verify now.
Verify the sync
- In the Admin Console, view the Users tab and validate that any new plan members have an Invite pending status.
- On the Groups tab, view the groups that have synced.
- To view your AD sync status in the Admin Console, select Integrations and then Provisioning. Then select Set up for Active Directory.
- After confirming that all synced members are included in the Active Directory sync groups, we recommend turning on Automatic user deprovisioning.
Schedule a regular sync with Task Scheduler
With the script saved to your domain, you can schedule it to run automatically at an interval you define.
Note: The plan member account set to run this task must be able to read Organizational Units (OU's) and member accounts in your Active Directory environment.
- Ensure you are logged in under the same service account you used to run the initial sync.
- Scheduling this to run with a different account won't work because the sync key generated is derived from the machine and member used for the sync and needs to remain the same.
- On the Windows Server that will run the script, open Task Scheduler.
- Select Task Scheduler Library.
- Select the Action tab in the top left menu.
- Select Create Task.
- Select the General tab.
- In the Name text box, type Dashlane AD Sync.
- Select Security Options.
- Within Security Options, select the checkboxes for Run whether user is logged in or not and Run with highest privileges.
Set a schedule for the script to run by creating a new trigger. In the following example, it will run daily at 1:00 a.m.
- Select the Actions tab.
- Select New Action.
- Under Program/script, type the following: powershell
- Under Add arguments (optional), paste the following:
-file C:\FilePathtoPowershellScript\dashlane-ad-sync.ps1
Some considerations
- Once you've configured sync, we recommend managing your Dashlane groups and plan members exclusively via your Active Directory.
- All members considered by the script must have a specified email address in Active Directory.
- Admins can't deprovision all admins because every plan must have at least one active admin.
- Every plan must have at least one active billing contact.
- The number of members in the synced groups must not be higher than the available seats in your account.
Users-only sync
To sync only the AD group members and not create a Dashlane sharing group, edit lines 124 and 125 of the AD sync script.
Example:
Before the change to line 124 and 125:
$DataStr += $GroupInfo.ObjectGUID
$DataStr += $GroupInfo.Name
After the change to line 124 and 125:
$DataStr += $GroupInfo.Sync_Users_Only
$DataStr += $GroupInfo.Sync_Users_Only
Error messages
Error Message 400
Dashlane sync responded with the following: {"code":400,"message":"Bad Request"}
To resolve the error:
- Ensure you aren't attempting to sync more members than you have purchased seats.
- Ensure the Active Directory Module for Windows PowerShell is installed.
- Ensure you have configured HTTPS security settings.
- Ensure at least one user with an email address is in the Active Directory group you are attempting to sync.
No Directory sync key is showing up
To resolve the error:
- In your PowerShell script, change the DashlaneDirectorSyncKey## variable to a new number to force a new sync key.
- Save and run the script.
Example:
Before the change to line 104 (might be a few numbers off depending on how many groups you have):
$CspParameters.KeyContainerName = "DashlaneDirectorySyncKey53"
After the change to line 104:
$CspParameters.KeyContainerName = "DashlaneDirectorySyncKey54"
Error Message 403
Dashlane sync responded with the following: {"code":403,"message":"Forbidden"}
To resolve the error:
- Log in to the Admin Console.
- Select Integrations and then Provisioning. Then select Set up for Active Directory.
- Enable automatic user and group provisioning.
Error Message Error member_removal_over_limit
The AD sync script has a built-in limit that prevents accidental mass user offboarding. On occasion, mass user offboarding is necessary, so you will need to increase the limit of users you can offboard from your plan.
To resolve the error:
- In your PowerShell script, add a ";removalLimit=###" to the end of the following line (around line 155) and manually run the script.
Example: This example offboards 100 users with the sync script.
Before the change around line 155:
After the change of the removal limit to 100 users, allowing the removal of up to 100 users:
$Payload = @{adLogins=$FileContentEncoded;adToken=$INSTALL_TOKEN;teamId=$TEAM_ID;signature=$SignatureHash;publicKey=$PublicKeyHash;removalLimit=100}
After your users are offboarded via the sync, consider removing the added text to set it back to the default setting, which is 10 users or 5% of all users, whichever is greater.
Error Message Dashlane Sync Error
Dashlane sync responded with the following: Dashlane Sync Error:System.NotSupporteDException - the response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer’s first-launch configuration is not complete. Specify the usebasicparsing parameter and try again.
To resolve the error:
- Add the -usebasicparsing switch to the $response line in the Powershell script, around line 158.
- Save and run the script.