# Import and Sync Users from Active Directory (On-Premises)

## Overview

Hideez Enterprise Server integrates with Active Directory (On-Premises) to support centralized user import, synchronization, and optional password rotation.

Hideez Enterprise Server also supports multi-domain environments. Users can be synchronized from multiple Active Directory (On-Premises) domains and are matched by their email addresses. If two or more users from different domains share the same email, they will be merged into a single profile in Hideez Enterprise Server.

## Integration Scenarios

Hideez Enterprise Server supports two scenarios for integrating and managing users from Active Directory (On-Premises):

## Scenario 1: Importing Users Only (Without Password Change)

#### **Overview:**

* Users are synchronized based on membership in the **Hideez Users Sync** group.
* Domain passwords are not changed or updated.
* Assigning Hideez Keys is not required.
* You can optionally configure passwordless PC authentication via the **Hideez Authenticator mobile application**.

#### Prerequisites:

Before syncing users from Active Directory, ensure the following conditions are met:

1. You are logged in as a user with administrator rights in Hideez Enterprise Server.
2. [Integration with Active Directory is properly configured in Hideez Enterprise Server.](https://enterprise.hideez.com/hideez-server-integration/active-directory-on-premises)
3. Target users are added to the designated Active Directory group:
   * **Hideez Users Sync** – required for any synchronization.
4. The **Enable Single Sign-On** option must be enabled during Active Directory setup if you plan to use the Hideez Authenticator mobile app for passwordless workstation login.
5. [The workstation is joined to the Active Directory domain.](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain)
6. [The Hideez Client is installed on the user’s workstation.](https://enterprise.hideez.com/hideez-client-app/windows-deployment/set-up-hideez-client-app)
7. [The workstation is approved in the Hideez Enterprise Server (see the *Workstations* section).](https://enterprise.hideez.com/hideez-enterprise-server/workstations/how-to-add-and-approve-workstations)

#### **Steps:**

1. In Hideez Enterprise Server, navigate to **Employees → Sync with Active Directory** and click **Sync Now**.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FjCBuYXdGngJ5k3GlWYux%2Fimage.png?alt=media&#x26;token=f28b2639-0746-43e5-a26a-b8dada7f1dfc" alt=""><figcaption></figcaption></figure>

2. Imported users will appear in the employee list, marked as synchronized from Active Directory.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FU0jfoSkiIP2FKF6462kI%2Fimage.png?alt=media&#x26;token=39666003-752a-4e9c-ba3b-bcdf1ab3e869" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Note:** If you encounter the error "Unavailable Critical Extension" during synchronization or password update, please follow our troubleshooting guide to enable [Virtual List View in Active Directory](https://enterprise.hideez.com/hideez-enterprise-server/deployment/hes-deployment/troubleshooting#enabling-virtual-list-view).
{% endhint %}

**Use Case: Passwordless Login with Hideez Authenticator**

When a user is imported into Hideez Enterprise Server from Active Directory, they receive an invitation email.

* Upon accessing the server, the user selects an SSO method and chooses the **Hideez Authenticator mobile app**.
* After installing the app, they scan a **QR code**, which registers the application on the server.
* [After registration, the user can create a credential to unlock their Windows workstation using the app.](https://enterprise.hideez.com/hideez-authenticator-app/user-guide/software-key-enrollment/pc-authorization-enrollment)

## Scenario 2: Importing Users with Automatic Password Change

#### **Overview:**

This scenario enables you to import users from Active Directory and enforce automatic domain password changes using Hideez Keys.

* Each imported user is assigned a new, strong, randomly generated password.
* The password is updated both in Active Directory and securely stored on the user’s Hideez Key.
* This workflow requires Hideez Keys.
* Future password rotations are handled automatically based on a configured schedule.

#### Prerequisites:

Before syncing users from Active Directory, ensure the following conditions are met:

1. You are logged in as a user with administrator rights in Hideez Enterprise Server.
2. [Integration with Active Directory is properly configured in Hideez Enterprise Server.](https://enterprise.hideez.com/hideez-server-integration/active-directory-on-premises)
3. Users are added to:
   * **Hideez Users Sync** group (for user import)
   * **Security Key Auto Password Change** group (for automatic password management)
4. The user must have a Hideez Key with one of the following statuses: [`"Ready"`](https://enterprise.hideez.com/hideez-enterprise-server/keys-management/keys-statuses#ready), [`"Active"`](https://enterprise.hideez.com/hideez-enterprise-server/keys-management/keys-statuses#active), or [`"Reserved"`](https://enterprise.hideez.com/hideez-enterprise-server/keys-management/keys-statuses#reserved).
5. [The workstation is joined to the Active Directory domain.](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain)
6. [The Hideez Client is installed on the user’s workstation.](https://enterprise.hideez.com/hideez-client-app/windows-deployment/set-up-hideez-client-app)
7. [The workstation is approved in the Hideez Enterprise Server (see the *Workstations* section).](https://enterprise.hideez.com/hideez-enterprise-server/workstations/how-to-add-and-approve-workstations)
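Because synchronization is driven by membership in the **Hideez Users Sync** group (and, for this scenario, also the **Security Key Auto Password Change** group), and because users from several domains are matched and merged by email address, it is worth checking the directory before clicking **Sync Now**. The PowerShell script below is an added pre-sync check written for this guide; it is not part of Hideez Enterprise Server or its tooling. It assumes the RSAT `ActiveDirectory` module is installed, that the account running it can read group membership and the `mail` attribute in each domain, and that the domain names in `$Domains` are placeholders you replace with your own. The group names are the ones this page requires.

```powershell
# Added pre-sync check (not Hideez's own tooling). Assumes the RSAT ActiveDirectory module
# and read access to group membership and the 'mail' attribute in every listed domain.
Import-Module ActiveDirectory

$Domains      = @('corp.example.com', 'sub.example.com')   # placeholder domain list
$SyncGroup    = 'Hideez Users Sync'                        # required for any synchronization
$AutoPwdGroup = 'Security Key Auto Password Change'        # required for Scenario 2 only

# Return the user accounts (direct and nested) of one group in one domain.
function Get-GroupUsers {
    param([string]$Domain, [string]$Group)
    try {
        Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                Get-ADUser -Identity $_.distinguishedName -Server $Domain -Properties mail, Enabled
            }
    } catch {
        Write-Warning "Could not read group '$Group' in ${Domain}: $($_.Exception.Message)"
        @()
    }
}

$report = foreach ($d in $Domains) {
    $sync    = @(Get-GroupUsers -Domain $d -Group $SyncGroup)
    $auto    = @(Get-GroupUsers -Domain $d -Group $AutoPwdGroup)
    $syncDns = $sync | ForEach-Object { $_.DistinguishedName }
    $autoDns = $auto | ForEach-Object { $_.DistinguishedName }

    foreach ($u in $sync) {
        [pscustomobject]@{
            Domain         = $d
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            Enabled        = $u.Enabled
            AutoPwdChange  = ($autoDns -contains $u.DistinguishedName)
        }
    }

    # Membership in the password-change group alone does nothing: the user is only
    # imported (and therefore only gets a rotated password) via the sync group.
    foreach ($u in $auto) {
        if ($syncDns -notcontains $u.DistinguishedName) {
            Write-Warning "$d\$($u.SamAccountName) is in '$AutoPwdGroup' but not in '$SyncGroup'; it will not be imported."
        }
    }
}

# Sync-group members with no mail attribute cannot be matched by email.
$report | Where-Object { -not $_.Mail } |
    ForEach-Object { Write-Warning "$($_.Domain)\$($_.SamAccountName) has no mail attribute" }

# The same email in more than one domain is merged into a single Hideez profile;
# list those cases so every merge is intentional.
$report | Where-Object { $_.Mail } |
    Group-Object { $_.Mail.ToLowerInvariant() } |
    Where-Object { @($_.Group.Domain | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $where = (@($_.Group.Domain | Select-Object -Unique) -join ', ')
        Write-Warning ("mail '{0}' appears in domains: {1} (profiles will be merged)" -f $_.Name, $where)
    }

$report | Sort-Object Domain, SamAccountName | Format-Table -AutoSize
```

Run it from an administrative PowerShell session with line of sight to a domain controller in each listed domain. The table shows, per user, whether the Scenario 2 group is also set; the warnings flag users who will silently be skipped or merged, which are the two outcomes that are otherwise only discovered after the sync has run.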

#### **Steps:**

1. In Hideez Enterprise Server, navigate to **Employees → Sync with Active Directory** and click **Sync Now**.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2F5WXL4HEEaqjfc00TcMZT%2Fimage.png?alt=media&#x26;token=1f792fed-25c9-498b-89af-aba21f3230e3" alt=""><figcaption></figcaption></figure>

2. Imported users will appear in the employee list, marked as synchronized from Active Directory and associated with a domain account.

<div><figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FCnzMBRD4UbmS2BoUQc2q%2Fimage.png?alt=media&#x26;token=c9fe4429-b12e-458c-b0af-002fd3d51461" alt=""><figcaption></figcaption></figure> <figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FYUQjiCEw4fC4NSHkY8bW%2Fimage.png?alt=media&#x26;token=c7cd51be-e55f-44bf-9177-c574a98056f3" alt=""><figcaption></figcaption></figure></div>

3. Assign a Hideez Key to each user and provide the user with an activation code.
4. The user has to activate the Hideez Key on the workstation.

**Use Case: First Login with a Hideez Key**

After the key is assigned and the user receives their activation code:

1. The user pairs or taps the Hideez Key to the workstation.
2. The user enters the activation code when prompted.
3. Hideez Enterprise Server generates a new domain password.
4. The password is securely written to the key and updated in Active Directory.
5. The user must activate the Hideez Key on their workstation using the activation code.

{% hint style="warning" %}
**Important:** Without successful activation of the Hideez Key, users will continue using their old domain password.
{% endhint %}

{% hint style="info" %}
**Note:** After the password is updated, neither the user nor the administrator can view or retrieve it.
{% endhint %}

## Optional Features for Password Management

In addition to the automatic password update workflow, Hideez also supports optional manual and user-initiated password management features:

#### [**1. Administrator-Initiated Manual Password Changes**](https://enterprise.hideez.com/hideez-server-integration/active-directory-on-premises/import-and-sync-users-from-active-directory-on-premises/administrator-initiated-manual-password-changes)

This scenario describes how an administrator can manually set or generate a new password for a domain user using the Hideez Enterprise Server interface.

#### [**2. User-Initiated Password Changes**](https://enterprise.hideez.com/hideez-server-integration/active-directory-on-premises/import-and-sync-users-from-active-directory-on-premises/user-initiated-password-changes)

This scenario describes how a domain user can change their own Active Directory password via the Hideez Client using a Hideez Key.

The user has two options:

* Change the password only on the Hideez Key (the domain password remains unchanged).
* Change the password in both Active Directory and the Hideez Key simultaneously.
