Active Directory (On-Premises)
The integration of Active Directory (On-Premises) with Hideez Enterprise Server allows organizations to automatically synchronize users from their corporate Active Directory environment. This integration supports centralized user management, automated domain password updates, and enables passwordless authentication scenarios using Hideez Keys and the Hideez Authenticator mobile application.
Centralized User Management: Synchronize users directly from Active Directory groups to Hideez Enterprise Server.
Passwordless Authentication Enablement: Facilitate passwordless login to Windows domains. Users can unlock their workstations and log into Remote Desktop Protocol sessions without passwords by using either the Hideez Key or the Hideez Authenticator mobile application.
Support for Multiple Domains: Manage users from multiple Active Directory domains within a single Hideez Enterprise Server instance.
Flexible User Management Policies: Define whether to keep, deactivate, or delete users removed from Active Directory groups.
Scheduled Synchronization: Perform automatic synchronization with Active Directory every hour to ensure user data remains current.
Access to a working Active Directory (On-Premises) environment.
An Active Directory account with the following requirements:
To read users and group memberships, a regular user account is sufficient.
To change user passwords, the account must have permission to reset passwords and must be a member of the Account Operators group or the Domain Admins group.
Creation of two specific groups in Active Directory:
A group named Hideez Users Sync (for user synchronization with Hideez Enterprise Server).
A group named Security Key Auto Password Change (optional, for enabling automatic password changes).
A secure Lightweight Directory Access Protocol over SSL (LDAPS) connection must be configured between Hideez Enterprise Server and Active Directory, with port 636 open for communication.
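A pre-flight check for the prerequisites above, written as an added example (it is not Hideez code and does not interact with Hideez Enterprise Server). It assumes a domain-joined host with the RSAT ActiveDirectory module and the placeholder domain, service-account and group names shown at the top, which you replace with the values you intend to enter in Hideez Enterprise Server.

```powershell
# Pre-flight check for the Hideez Enterprise Server AD integration (added example, not Hideez code).
# Assumptions (placeholders): the domain FQDN, the service account and the two group names below.
Import-Module ActiveDirectory

$DomainName     = 'corp.example.com'                   # placeholder FQDN
$ServiceAccount = 'svc-hideez'                         # placeholder sAMAccountName
$SyncGroup      = 'Hideez Users Sync'                  # group HES synchronizes users from
$PwdGroup       = 'Security Key Auto Password Change'  # optional automatic password change group
$LdapsPort      = 636

# 1. Both groups should exist (the password change group is optional, so a miss is only a warning).
foreach ($g in @($SyncGroup, $PwdGroup)) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if ($grp) { "OK   group '$g' exists ($($grp.DistinguishedName))" }
    else      { "WARN group '$g' not found" }
}

# 2. Automatic password change needs Account Operators or Domain Admins membership;
#    a regular account is enough when HES only reads users and group memberships.
$privileged = @('Account Operators', 'Domain Admins')
$membership = Get-ADPrincipalGroupMembership -Identity $ServiceAccount | Select-Object -ExpandProperty Name
$canReset   = $membership | Where-Object { $privileged -contains $_ }
if ($canReset) { "OK   '$ServiceAccount' can reset passwords (member of: $($canReset -join ', '))" }
else           { "INFO '$ServiceAccount' is a regular account: sync only, no automatic password change" }

# 3. LDAPS on TCP 636 must be reachable from the HES host and the TLS bind must succeed.
$dc  = [string](Get-ADDomainController -Discover -DomainName $DomainName).HostName
$tcp = Test-NetConnection -ComputerName $dc -Port $LdapsPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { "FAIL TCP $LdapsPort to $dc is closed"; return }
"OK   TCP $LdapsPort to $dc is open"

Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName "$DomainName\$ServiceAccount" -Message 'Service account password'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $LdapsPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636, not StartTLS on 389
$conn.SessionOptions.ProtocolVersion   = 3
try     { $conn.Bind(); "OK   LDAPS bind as '$ServiceAccount' succeeded" }
catch   { "FAIL LDAPS bind: $($_.Exception.Message)" }
finally { $conn.Dispose() }
```

A failed bind with an open port usually points at the domain controller's certificate (untrusted issuer or a name that does not match the host), which is worth resolving before entering the settings in Hideez Enterprise Server.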
Navigate to Settings → Parameters → Add Domain Settings in Hideez Enterprise Server.
Complete the following fields:
Active Directory Domain Name: Provide the fully qualified domain name.
User Logon Name: Specify the username of the account that will be used to connect to Active Directory. This can be either:
a regular user account (if synchronization is only needed to add selected users), or
an Active Directory administrator account (if password management features, such as automatic password change, are required).
Password: Enter the password corresponding to the selected Active Directory account.
Users Sync Group Name: Provide the name of the Active Directory group for user synchronization (for example, Hideez Users Sync).
Users Auto Password Change Group Name (optional): Provide the name of the Active Directory group for automatic password updates (for example, Security Key Auto Password Change).
Auto Password Change Interval (days): Specify the number of days after which user passwords should automatically change (applies only to users in the automatic password change group).
When a user is removed from the Active Directory synchronization group, Hideez Enterprise Server can handle the user's status based on the selected policy:
Keep: Users remain active in Hideez Enterprise Server even after being removed from the Active Directory group.
Deactivate: Users are deactivated but not deleted from Hideez Enterprise Server. Their accounts remain available for reactivation if needed.
Delete: Users are completely removed from Hideez Enterprise Server after removal from the Active Directory synchronization group.
In cases where you do not need to import users from Active Directory, but you need to configure passwordless authentication for workstations joined to the Active Directory (On-Premises) domain, you can enable the Disable Domain Synchronization option in Hideez Enterprise Server.
This setting allows you to:
Configure passwordless workstation login using the Hideez Authenticator mobile application without importing user accounts from Active Directory.
Manage authentication policies for domain-joined devices independently from user synchronization.