How to sync passwords between Active Directory domains

One of the most common issues when dealing with multiple Active Directory domains is handling different sets of passwords. Whether it's for domain migrations or maintaining separate domains for desktop login and Exchange mailbox access, users are burdened with managing each domain's unique password. This complicates user password management and results in an increase in the number of password-related tickets, eventually affecting overall productivity. To solve this challenge, admins can synchronize user password changes across multiple domains.

Enabling password sync between Active Directory domains using ADSelfService Plus

ADSelfService Plus' password synchronization feature replicates changes made to a domain user's password to their user accounts in other Active Directory domains and even in enterprise applications like Google Workspace and Microsoft 365. ADSelfService Plus' Password Sync Agent goes a step further, synchronizing the native password changes made through the Ctrl+Alt+Del screen and password resets made by administrators using the Active Directory Users and Computers console. Follow the steps below to configure password synchronization using ADSelfService Plus.

Step 1: Adding your Active Directory domain

  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to the Configuration tab > Self-Service > Password Sync/Single Sign On > Add Application.
  3. Select Active Directory.

    Note: You can also find Active Directory using the search bar on the left pane or by selecting the first letter of the application in the right pane.

    (Screenshot: Configuring applications using ADSelfService Plus)

  4. Enter the Application Name and Description.
  5. Select the domain to which the passwords are to be synced. For example, if you want to sync passwords from Domain A to Domain B, then select Domain B in the Domain Name field.
  6. Select the appropriate policies from the Assign Policies drop-down. Password synchronization will be possible for only those users who fall under the selected self-service policies.
  7. Click Add Application.

    Note: You can create multiple OU- and group-based policies in ADSelfService Plus that define the self-service features accessible to different users.

    (Screenshot: Configuring password synchronization between two Active Directory domains using ADSelfService Plus)

  8. Click Save.

Step 2: Linking your user accounts

    Linking user accounts between domains is essential for Active Directory password synchronization to work. By default, user accounts will be automatically linked based on the sAMAccountName Active Directory attribute. ADSelfService Plus also allows you to link user accounts based on any attribute of your choice.

    User accounts can be linked in two ways:

    1. Automatic account linking
    2. Manual account linking

    How to link accounts automatically

    To link accounts automatically, you have to specify a source attribute, which is composed of one or more attributes in AD, and a target attribute from the enterprise application. When a user resets or changes a password, the modification is synchronized only when the target attribute value matches the source attribute value.

    Steps to link user accounts automatically:

    1. Log in to the ADSelfService Plus admin portal.
    2. Navigate to the Configuration tab > Self-Service > Password Sync/Single Sign On. The list of configured applications will be displayed.
    3. Click the Advanced button for the required application configuration.

      (Screenshot: The Advanced button to enable automatic account linking in ADSelfService Plus)

    4. In the window that opens, select the Enable Auto Account Linking checkbox.
    5. In the Source Attribute section, select one or more attributes from the Active Directory domain where the users' passwords will be reset or changed.

      Note: Say you want to use both sAMAccountName and initials as source Active Directory attributes. Select sAMAccountName from the Source Attribute section, click the plus (+) button next to the field, and select initials from the second drop-down that appears. Make sure that the combined value of the Active Directory source attributes matches the corresponding target attribute in the enterprise application. For example, if a user account's sAMAccountName value is John and their initials value is A, then their target attribute value should be JohnA.

    6. In the Target Attribute section, select the attribute whose value will equal the combined value of the selected source attributes. The attribute value must be unique to a user; if multiple domain accounts share the same attribute value, the sync will fail.

      (Screenshot: Selecting the account attribute for account linking in ADSelfService Plus)

    7. Select the Append Domain checkbox to add the domain's name at the end of the combined value of the selected source attributes. That is, if the checkbox is selected, sAMAccountName+Initials becomes sAMAccountName+Initials@domain.
    8. Click Save.

    Note:

    • If the value of the source attributes is empty, then sAMAccountName will be taken as the default value.
    • If the value of the source attributes is in an email format, then the domain name will not be appended even if that option is enabled.
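    To sanity-check an attribute mapping before enabling automatic account linking, here is an added Python example (not ADSelfService Plus code) that applies the linking rules described above (combined source attributes, Append Domain, the empty-value fallback and the email-format exception) to constructed sample accounts and flags source users whose target attribute value is unmatched or not unique. The account data, attribute names and domain names are assumptions.

```python
# Added example, not ADSelfService Plus code: models the automatic account
# linking rules so an attribute mapping can be checked before enabling the
# feature. All accounts, attribute and domain names are constructed.
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def source_key(user, attrs, domain=None):
    """Combine the selected source attributes into the linking key. An empty
    combined value falls back to sAMAccountName; the domain is appended only
    when Append Domain is set and the value is not already an email address."""
    value = "".join(user.get(a) or "" for a in attrs)
    if not value:
        value = user["sAMAccountName"]
    if domain and not EMAIL_RE.match(value):
        value = f"{value}@{domain}"
    return value

def plan_links(source_users, target_users, attrs, target_attr, domain=None):
    """Map each source sAMAccountName to its matched target account, 'unmatched'
    (no target has that value) or 'ambiguous' (value not unique: sync fails)."""
    index = {}
    for t in target_users:
        index.setdefault(t.get(target_attr, ""), []).append(t["sAMAccountName"])
    plan = {}
    for s in source_users:
        hits = index.get(source_key(s, attrs, domain), [])  # exact comparison
        if len(hits) == 1:
            plan[s["sAMAccountName"]] = hits[0]
        else:
            plan[s["sAMAccountName"]] = "unmatched" if not hits else "ambiguous"
    return plan

# Constructed sample accounts: Domain A is the source, Domain B the target.
DOMAIN_A = [
    {"sAMAccountName": "John", "initials": "A"},
    {"sAMAccountName": "jane", "initials": ""},
    {"sAMAccountName": "bob", "initials": "C"},
    {"sAMAccountName": "sam@corp.example", "initials": ""},
]
DOMAIN_B = [
    {"sAMAccountName": "john.a", "employeeID": "JohnA@domb.example"},
    {"sAMAccountName": "jane.b", "employeeID": "jane@domb.example"},
    {"sAMAccountName": "bob1", "employeeID": "bobC@domb.example"},
    {"sAMAccountName": "bob2", "employeeID": "bobC@domb.example"},
    {"sAMAccountName": "sam", "employeeID": "sam@corp.example"},
]
if __name__ == "__main__":
    for src, out in plan_links(DOMAIN_A, DOMAIN_B, ["sAMAccountName", "initials"], "employeeID", "domb.example").items():
        print(f"{src:>18} -> {out}")
```

    Running it shows that bob is ambiguous because two Domain B accounts share the employeeID value, which is exactly the case in which the page says the sync will fail.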

    How to link accounts manually

    If manual linking is enabled, users can link their Active Directory domain accounts themselves by entering the credentials of the domain account with which they want to link their primary domain account. For example, if they want to sync passwords from their user account in Domain A to their account in Domain B, they need to:

    1. Log in to the ADSelfService Plus user portal.
    2. Go to the Application tab.
    3. Click the enterprise application with which they want to link their Active Directory account.
    4. Provide their credentials for that user account.
    5. Provide the username and password of their account in Domain B to link both accounts.

    Steps to enable manual account linking:

    1. Log in to the ADSelfService Plus admin portal.
    2. Navigate to the Configuration tab > Self-Service > Password Sync/Single Sign On. The list of configured applications will be displayed.
    3. Click the Advanced button for the required application configuration.

      (Screenshot: Advanced settings for manual account linking in ADSelfService Plus)

    4. In the window that opens, deselect the Enable Auto Account Linking checkbox.

      (Screenshot: Disabling automatic account linking in ADSelfService Plus)

    5. Click Save.

    License consumption

    Once the user accounts between the two domains are successfully linked, when a user accesses ADSelfService Plus for the first time, only their user account in the domain that initiates the password synchronization will consume an ADSelfService Plus license. Their linked user account in the other domain to which the passwords are synchronized will not consume a license. For example, consider Domain A with 1,000 user accounts that are linked to 1,000 user accounts in Domain B for password synchronization. When users from Domain A reset or change their passwords, and the new passwords are synchronized with Domain B, only the user accounts in Domain A will consume a license. Domain B accounts will not consume any licenses.

    Note: If a user performs self-service actions using both their accounts in Domain A and Domain B, then licenses will be consumed for both accounts.

    Benefits of synchronizing passwords

    • Centralize management: Maintain one identity across multiple Active Directory domains and enterprise applications.
    • Enforce MFA: Deploy MFA techniques to secure password changes.
    • Minimize interruptions: Reduce a major source of help desk calls and free up IT administrators to focus on other important tasks.
    • Instant alerts: Get real-time password change notifications via SMS or email.
    • Manage on the move: Enable users to manage domain passwords at any time, from anywhere, with the ADSelfService Plus mobile app.

FAQs

1. How can I synchronize passwords between two Active Directory domains?

As Microsoft doesn't offer a native, built-in solution to directly sync passwords between domains, administrators have to rely on PowerShell scripts. ADSelfService Plus offers password synchronization with zero scripting. Once the domains and user accounts are configured, ADSelfService Plus replicates your Active Directory password changes to another domain or to other enterprise applications like Google Workspace and Microsoft 365.

2. What tool can I use to synchronize Active Directory passwords with my on-premises Active Directory?

ADSelfService Plus is a tool that lets you replicate domain users' password changes to their accounts in other Active Directory domains via the password synchronization feature.

Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Notify Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Require Active Directory users to set compliant passwords by displaying the password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
