
Active Directory Connector FAQs

    The LastPass Active Directory Connector Client is a Windows service that runs locally and can be downloaded from the Admin Dashboard. It connects to your Active Directory to support a variety of provisioning and management processes in LastPass.

    Where can I learn about your directory integrations?

    For more information, please see Use Directory Integrations for Automated Provisioning.

    Do I need a designated admin account to use Active Directory Sync?

    There is no need for such an account. You only need to enter your credentials in the LastPass Active Directory Sync Configuration window to confirm that you are an admin with rights to modify the configuration. The actual syncing authentication takes place using a token that is handled separately. It is not bound in any way to the account you used to set up the configuration.

    If I add a new user to my Active Directory, how will that update in LastPass, and how often does it check for changes?

    Once started, the Active Directory Connector registers itself with your Active Directory server. When a change occurs (e.g., when a user is added, updated, or deleted), the sync client immediately checks again for changes.

    If I had previous users that were not added via Active Directory, what happens to those users?

    Any previous users that were added (manually or via another provisioning tool) will be cross-checked against what is listed in Active Directory. If a user is not listed in Active Directory, the sync client ignores that existing user. If the user is listed and there are any changes (e.g., the account is disabled), the client updates the account in LastPass with the changes it finds in Active Directory.

    Can I sync manually, automatically, or both?

    Both. To automatically sync, leave the Active Directory Connector running and it will detect changes and sync when needed. To manually sync changes, start the Active Directory Connector on an as-needed basis.

    I have thousands of names in my Active Directory. Will it time out while sending to LastPass?

    The Active Directory Connector has been successfully tested with Active Directory servers having more than 10,000 users.

    If I have admin accounts built into my Active Directory, how do I make sure that they don’t import into LastPass?

    You can control which users are imported in either of the following ways:

    • By configuring a sync filter within the Active Directory Connector to include only certain groups.
    • By configuring the Active Directory Connector to add users as "pending," and then having an admin manually approve users from within the Admin Console.

    How do I keep the name of the group from my Active Directory in line with the LastPass groups?

    Click Sync from the left menu on the Active Directory Connector, then enable the "Sync all group memberships" option.

    Active Directory provisioning didn’t work. What do I do?

    1. Find the debug log file (instructions under Debug in the Configuring the LastPass Active Directory Connector article).
    2. Create a support ticket for LastPass Support (by selecting Contact Support within this article).
    3. Once LastPass Support has responded, please attach the log file to your ticket for further investigation.

    Do groups sync and work with shared folders, or just policies?

    Yes, groups can be mapped to both shared folders and policies. If you add a user via automated provisioning and the user is assigned to a group that has already been granted access to a shared folder, that user will not have access to the shared folder until another member of the folder logs in to LastPass via the web browser extension. On that event, the sharing keys are exchanged between those two user accounts, which grants access to the new user. For this to occur automatically once the new user has been assigned to their group and synced, you must enable the "Pre-Create Sharing Key" policy.

    Is any group functionality lost when syncing groups via Active Directory?

    No, the functionality is still available.

    Does Active Directory Connector run as a service?

    Yes. Once you set up and run the Active Directory Connector it will run as a persistent service. If you restart your computer, the Active Directory Connector will automatically restart once your computer has rebooted.

    What exactly is accessed and how is it transferred?

    Username, name, group membership, email address, and account status are transferred via SSL to LastPass.

    Will accounts created without Active Directory be affected by the Active Directory Connector?

    No, accounts created by other means will not be synced by the Active Directory Connector, except for groups created by Active Directory.

    The domain we log into is different from our email address. Will users be able to log into LastPass using their Active Directory credentials?

    No, LastPass accounts are created based only on the value stored as their email address in Active Directory.

    How do I set up Federated Login Services for LastPass Business using Active Directory?

    You can use your Active Directory Connector with Federated Login Services to create new users and provision existing users with LastPass Business accounts that allow them to authenticate using their Active Directory credentials. To provision federated users, you must select "Automatically create user in LastPass when a user in Active Directory is detected" in your "Actions" settings. For more information, please see Set Up Federated Login Using AD FS or Set Up Federated Login for LastPass using PingFederate for LastPass Business.

    Does Active Directory Connector allow syncing users and groups from different root OUs?

    This feature is not currently supported. For example, the users and groups in the following layout sit under different root OUs:

    User OU:

    OU=ActiveUsers,DC=Example, DC=domain,DC=com

    Or viewed another way:

    Root Domain =

    Root Users OU => ActiveUsers

    Root Group CN => Groups > Security > LastPassUsers
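One way to check this constraint before configuring the connector, as an added example that is not LastPass code: parse the user OU and the group DN and compare the container directly below the domain. The user OU is the one shown above; the group DN is constructed from the illustration, and the connector's own root-OU logic is not documented here.

```python
"""Check whether a user OU and a group object share the same root OU.

Added example (not LastPass code). DN values marked constructed are
assumptions for illustration only.
"""
import re
from typing import List, Optional, Tuple

# User OU exactly as shown in the FAQ (note the stray space after a comma).
USER_OU = "OU=ActiveUsers,DC=Example, DC=domain,DC=com"
# Constructed group DN matching "Groups > Security > LastPassUsers".
GROUP_DN = "CN=LastPassUsers,OU=Security,OU=Groups,DC=Example,DC=domain,DC=com"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDNs, leftmost first.

    Commas escaped with a backslash (e.g. "Smith\\, John") are kept inside
    the value; whitespace around separators is discarded.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_of(dn: str) -> str:
    """Return the DC components of a DN, lower-cased, as one comparable string."""
    return ",".join(f"DC={v.lower()}" for a, v in split_dn(dn) if a == "DC")


def root_container(dn: str) -> Optional[Tuple[str, str]]:
    """Return the first non-DC RDN walking up from the domain root.

    That is the "root OU" (or root container) the FAQ refers to; None means
    the object sits directly at the domain root.
    """
    for attr, value in reversed(split_dn(dn)):
        if attr != "DC":
            return (attr, value.lower())
    return None


def same_root_ou(user_dn: str, group_dn: str) -> bool:
    """True only if both DNs are in the same domain and under the same root container."""
    if domain_of(user_dn) != domain_of(group_dn):
        return False
    user_root, group_root = root_container(user_dn), root_container(group_dn)
    return user_root is not None and user_root == group_root
```

Running `same_root_ou(USER_OU, GROUP_DN)` on the FAQ's layout returns False, the case the connector does not support.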