Install and configure the LastPass Active Directory Connector.
Tip: Create a small control group of users in Active Directory to be used initially for the steps below.
- Install the LastPass Active Directory Connector (instructions here). If the LastPass AD Connector is already installed, restart the application before changing its settings.
- Configure the LastPass Active Directory Connector by selecting (within your local non-production and live environments).
Warning: This option must be selected in order for federated users to be created via AD FS.
Additionally:
- The AD user that is running the LastPass AD Connector must have "CONTROL ACCESS" permissions
- Configure at least 1 group to be synced to LastPass – it is recommended to start with a small control group of a few users for testing
- Once all of the configurations are in place, select the Home tab in the left navigation of the LastPass AD Connector, then check the box for Enable sync to begin syncing.
- Log in and access the Admin Console at https://admin.lastpass.com/.
- Go to Users in the left menu to see your users populate as they are synced from your Active Directory. Federated users are displayed with an asterisk (*) before their username (e.g., *john.doe@acme.com).
- Check in your Active Directory that the custom attribute (from Step #1 "Active Directory server environments" section) for at least 1 synced LastPass federated user is filled out by the Active Directory Connector and is displayed as a random string.
  - If the custom attribute is present in Active Directory, the check succeeded: this confirms that the Active Directory Connector has write access to the custom attribute for all federated users. Proceed to Step #5 to register your custom attribute.
  - If the custom attribute is empty in Active Directory, the check failed: the Active Directory Connector cannot write the custom attribute because the AD user running the LastPass Active Directory Connector does not have the "CONTROL ACCESS" permission assigned. Let's fix this!
    - The AD user must stop the service and exit the LastPass Active Directory Connector application.
    - Log in and access the Admin Console at https://admin.lastpass.com/.
    - Go to , then select all of your newly populated federated users.
    - Click Delete users.
    - In Active Directory, grant the "CONTROL ACCESS" permission to the user who will run the LastPass Active Directory Connector.
    - The AD user can now relaunch the LastPass Active Directory Connector application and start the service.
    - Check in your Active Directory once again if the custom attribute is present for one of the synced LastPass federated users.
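The attribute check in the steps above can be run over the whole control group at once. The following PowerShell is an added example, not part of the LastPass documentation; the group name and the attribute's LDAP display name are placeholders for the values you chose in Step #1, and it assumes the RSAT ActiveDirectory module is installed on the machine you run it from.

```powershell
# Added example (not LastPass documentation): report which control-group users
# have the federation custom attribute populated by the AD Connector.
Import-Module ActiveDirectory

$ControlGroup = 'LastPass-Control-Group'   # placeholder: the small group you chose to sync
$Attribute    = 'extensionAttribute10'     # placeholder: the custom attribute from Step #1

# Resolve the user members of the control group (nested groups included).
$members = Get-ADGroupMember -Identity $ControlGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Read the custom attribute for each user and record whether it holds a value.
$results = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties $Attribute, mail
    [pscustomobject]@{
        User      = $u.SamAccountName
        Mail      = $u.mail
        Populated = -not [string]::IsNullOrEmpty($u.$Attribute)
    }
}

$results | Format-Table -AutoSize

# An empty attribute on a synced user is the failure case described above:
# the account running the AD Connector could not write to the attribute.
$empty = @($results | Where-Object { -not $_.Populated })
if ($empty.Count -gt 0) {
    $msg = "{0} of {1} control-group users have an empty '{2}' attribute; " +
           "check the permissions of the account running the AD Connector." -f
           $empty.Count, @($results).Count, $Attribute
    Write-Warning $msg
}
else {
    Write-Host "All $(@($results).Count) control-group users have '$Attribute' populated."
}
```

Run it before and after granting the permission to confirm the fix took effect; the "Populated" column should read True for every synced user once the connector has write access.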