The Active Directory profile with active end-to-end encryption currently offers the highest level of security. Only users, organisational units and roles are imported. The permissions and the hierarchical relationships between the individual objects need to be configured separately in Password Safe. The advantage of end-to-end encryption is that Active Directory is "defused" as a potential insecure gateway. In Master Key mode, anyone who controls Active Directory has de facto complete access to all passwords, because resetting a Windows user's password lets them log in under that person's name; Active Directory is the leading system there. With an active E2EE connection, users need their own Password Safe password instead, so there is no way to reach a user's data via Active Directory.
- A user account is required to access AD. The user name should be formatted as follows: . It must have access to AD.
- The password of that user (the domain password) is required.
- The connection can be established via SSL (LDAPS) if AD requires it.
- Direct search is recommended for very large domain trees. The tree structure is then not displayed; elements can only be found and selected via the search.
- The filter can be used to specify an AD path directly as the entry point via an LDAP query.
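Before entering the prerequisites above into the profile, it is worth checking them from a domain-joined machine: that the LDAPS port is reachable, that the service account can bind with its domain password, and that the chosen entry point and LDAP filter return the users and organisational units you expect. The following PowerShell script is an added example and not part of the Password Safe documentation; the domain controller name, the port, the service account, the base DN and the filter are assumptions and must be replaced with your own values.

```powershell
# Added example, not Password Safe's own code. Preflight check for the AD profile:
# reachability of LDAPS, bind with the service account, and a test search from the
# entry point. All names below are placeholders (assumptions) for this example.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dc01.contoso.local'                 # assumed domain controller
$port   = 636                                  # 636 = LDAPS; 389 for plain LDAP
$baseDn = 'OU=Jupiter,DC=contoso,DC=local'     # assumed entry point (the "filter" setting)
# Only OUs and real user accounts, i.e. the object types the profile imports
$filter = '(|(objectClass=organizationalUnit)(&(objectCategory=person)(objectClass=user)))'
$cred   = Get-Credential -Message 'Service account used by Password Safe (DOMAIN\user)'

# 1. Is the LDAP(S) port reachable from this host at all?
if (-not (Test-NetConnection -ComputerName $server -Port $port -InformationLevel Quiet)) {
    throw "Port $port on $server is not reachable"
}

# 2. Can the service account bind with its domain password?
#    A simple (Basic) bind is used on purpose: it only travels over the wire protected
#    by TLS, and it verifies exactly the user name / domain password pair the profile stores.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = ($port -eq 636)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()   # throws LdapException on wrong credentials or a rejected certificate

# 3. Does the filter, starting at the entry point, return the objects you expect?
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, $filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            @('distinguishedName', 'objectClass', 'sAMAccountName'))
$res = $conn.SendRequest($req)

foreach ($entry in $res.Entries) {
    # objectClass is multi-valued (top, person, ..., user); the last value is the most specific
    $cls = $entry.Attributes['objectClass'].GetValues([string])[-1]
    '{0,-20} {1}' -f $cls, $entry.DistinguishedName
}
'{0} object(s) found under {1}' -f $res.Entries.Count, $baseDn
$conn.Dispose()
```

If step 2 fails with a certificate error, the domain controller's LDAPS certificate is not trusted by the machine running the script, which is the same problem Password Safe will hit when SSL is enabled in the profile. If step 3 returns nothing, either the base DN is wrong or the service account cannot read that part of the tree.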
The import is started directly in the ribbon. A wizard guides the user through the entire operation.
First, an organisational unit is selected for data import. If there are no organisational units in the database yet, as in this example, the data is imported into the main organisational unit.
Active Directory objects
In the next step, select the profile to be used for the import. Then select the organisational units and/or users to import; a search is available for this purpose.
In the example shown, the organisational units Jupiter and Contoso contain items to be imported, but the organisational units themselves will not be imported. The check mark next to the group Accounting indicates that the group itself will be imported together with some of its sub-items.
There are different symbols which indicate the items to be imported.
- The element itself and all of its sub-elements will be imported
- The item itself will be imported, together with some of its sub-items
- The item will not be imported; however, it contains items that will be imported
A context menu, opened with the right mouse button, is available within the list and provides helpful functions for selecting individual elements:
- Select sub-objects selects all sub-objects located directly below the current object
- Deselect sub-objects clears the selection of all sub-objects located directly below the current object
- Reset all items clears all selections made so far
- Display Item Details lists all information available for the current item
The last page lists the objects to be processed and shows how each of them will be handled. It gives the names of the items along with their descriptions. The Status column shows whether the object is added, updated or disabled. The last column shows the organisational unit into which the item is imported. The object counts are totalled at the bottom.
The import itself is carried out by the server in the background. The individual items then appear in the list one by one. Depending on the amount of import data, this may take some time. When the import has finished, a confirmation is displayed.
Imported users and organisational units
In end-to-end mode, the imported users behave like local users. They can and must be maintained manually in Password Safe: memberships of organisational units and/or roles have to be assigned by hand.
Login to Password Safe
Users imported in this mode cannot log in with their domain password. Instead, the user name is stored as the initial password during the import. Administrators or the users themselves can change it at the first login; because a password equal to the user name is trivially guessable, this should be done immediately after the import.