Active Directory domain integration

One of the most common issues when dealing with multiple Active Directory domains is handling different sets of passwords. Be it for domain migrations or maintaining separate domains for desktop login and Exchange mailbox access, users have to handle different passwords for each domain. This complicates user password management and results in an increase in the number of password-related tickets, eventually affecting overall productivity.

Managing users' passwords in a large environment is tedious. Add to that the task of managing password changes across multiple domains, and it becomes even more challenging for administrators. The solution lies in synchronizing password changes across multiple domains.

Password synchronization between Active Directory domains

ADSelfService Plus' Password Synchronization feature replicates changes made to a domain user's password to their user accounts in other Active Directory domains and even in enterprise applications like Google Workspace (formerly G Suite) and Office 365. ADSelfService Plus' Password Sync Agent goes a step further and synchronizes the native password changes made through the Ctrl+Alt+Del screen and password resets made by administrators using the Active Directory Users and Computers console.

How do you configure password synchronization using ADSelfService Plus?

1. Log in to the ADSelfService Plus admin console with admin credentials.
2. Navigate to Application → Add New Application.
3. Select the Active Directory application.
Note: You can also find the Active Directory application that you need from the search bar located in the left pane or by selecting the first letter of the application in the right pane.



4. Enter the Application Name and Description.
5. Select the Domain Name to which the passwords are to be synced. For example, if you want to sync passwords from Domain A to Domain B, then select Domain B in the Domain Name field and select a self-service policy associated with Domain A in the Associate Policies drop-down.
6. Select the appropriate policies from the Assign Policies drop-down. Password Synchronization will be possible for only those users who fall under the selected self-service policies.
7. Click Add Application.
Note: You can create multiple OU- and group-based policies in ADSelfService Plus that define the self-service features accessible to different users.



8. Click Save.

User account linking

Linking user accounts between domains is essential for password synchronization to work. By default, user accounts will be automatically linked based on the sAMAccountName AD attribute. ADSelfService Plus also allows you to link user accounts based on any attribute of your choice.

1. Automatic account linking
2. Manual account linking

How to link accounts automatically

To link accounts automatically, you have to specify a source attribute, which is composed of one or more attributes in AD, and a target attribute from the enterprise application. When a user resets or changes a password, the modification is synchronized only when the target attribute value matches the source attribute value.

Steps to link users' accounts automatically:

1. Log in to the ADSelfService Plus web console as an administrator.
2. Navigate to the Application tab. The list of configured applications will be displayed.
3. Click the Advanced button for the required application configuration.



4. In the window that opens, select the Enable Auto Account Linking checkbox.
5. In the Source Attributes drop-down, select one or more attributes from the AD domain where the users' passwords will be reset or changed.
Note: Say you want to use both sAMAccountName and initials as source AD attributes. You select sAMAccountName from the Source Attributes, click the + button next to the field, and select initials from the second drop-down that appears. Make sure that the combined value of the AD source attribute matches the corresponding target attribute in the enterprise application. For example, if a user account's samAccountName value is “John” and their initial value is “A”, then their target attribute value should be “JohnA”.
6. Under the Target Attribute drop-down, select the attribute whose value will equal the combined value of the selected source attributes. The attribute value should be unique to a user; if multiple domain accounts share the same attribute value, the sync will fail.



7. Select the Append Domain checkbox to add the domain's name at the end of the combined value of the selected source attributes. That is, if the checkbox is selected, sAMAccountName+Initials becomes sAMAccountName+Initials@domain.
8. Click Save.

Note:

• If the value of the source attributes is empty, then sAMAccountName will be taken as the default value.
• If the value of the source attributes is in an email format, then the domain name will not be appended even if that option is enabled.

How to link accounts manually

If manual linking is enabled, users can link their AD domain accounts themselves by entering the credentials of the domain account with which they want to link their primary domain account. For example, if they want to sync passwords from their user account in Domain A to their account in Domain B, they need to:

1. Log in to the ADSelfService Plus user portal.
2. Go to Application.
3. Click on the enterprise application with which they want to link their AD account.
4. Provide their credentials for that user account.
5. Provide the username and password of their account in Domain B to link both accounts.

Steps to enable manual account linking:

1. Log in to ADSelfService Plus as an administrator.
2. Navigate to the Application tab. The list of configured applications will be displayed.
3. Click the Advanced button for the required application configuration.



4. In the window that opens, deselect the Enable Auto Account Linking checkbox.



5. Click Save.

License consumption

Once the user accounts between the two domains are successfully linked, when a user accesses ADSelfService Plus for the first time, only their user account in the domain that initiates the password synchronization will consume an ADSelfService Plus license. Their linked user account in the other domain to which the passwords are synchronized will not consume a license. For example, consider Domain A with 1,000 user accounts that are linked to 1,000 user accounts in Domain B for password synchronization. When users from Domain A reset or change their passwords and the new passwords are synchronized with Domain B, only the user accounts in Domain A will consume a license. Domain B accounts will not consume any licenses.

Note: If a user performs self-service actions using both their accounts in Domain A and Domain B, then licenses will be consumed for both accounts.

Benefits

• Maintain one identity across multiple Active Directory domains and enterprise applications.
• Deploy multi-factor authentication techniques to secure password changes.
• Reduce a major source of help desk calls, and free up IT administrators to focus on other important tasks.
• Get real-time password change notifications via SMS or email.
• Enable users to manage domain passwords at any time, from anywhere, with the ADSelfService Plus mobile app.