Maximum comfort

In contrast to end-to-end mode, which places the main focus on security, Master Key mode provides the maximum level of convenience. It imports not only users, organisational units and roles, but also their links and assignments. It can be synchronized to update the information and assignments. In this scenario, Active Directory is used as a leading system.

Creating profiles

Profile management is started via the icon of the same name on the ribbon.

The following information must be provided in the profile:

  • Profile name
  • An optional description
  • Master Key mode is selected for the encryption
  • The domain field is used to define which domain is to be read. The value entered here will also be used for authentication if no alternative spellings have been saved under Other domain names.
  • A local user (for example, the administrator) or an already imported user must be specified. The data will be imported under that user’s name.
  • A user is required to access AD. User should be formatted as follows: Domain\User. It must have access to the AD.
  • Corresponding user password (domain password) of the user
  • The connection can be established using SSL if required by AD
  • Direct search is recommended for very large domain trees. The tree structure is omitted, elements can then only be found and selected via the search.
  • The filter can be used to directly specify an AD path as an entry point via an LDAP query.
  • The option Other domain names can be used to save alternative spellings of the login domain. These must correspond to the spelling entered in the login window. For example, if a connection is being established to the domain jupiter.local or an IP address, the login can only be carried out with jupiter\user if jupiter has been saved here.


You can start the import directly in the ribbon. A wizard guides the user through the entire operation.

Organisational structure

First, an organisational unit is selected for data import. If there are no organisational units in the database yet, as in this example, the data is imported into the main organisational unit.

Active Directory objects

In the next step, select the profile you will use to import the data. Then, select organisational units and/or users for import. A search is available for this purpose.

As you can see, the organisational units Jupiter and Contoso contain items to be imported. The organisational units themselves will not be imported. The group 1099 Contractor is imported including all sub-elements. The check next to the group Accounting indicates that the group itself will be imported along with a part of its sub-items. The hooks in the last column ensure that the elements are observed in future synchronization sequences.

There are different symbols which indicate the items to be imported.

The element itself and all possible sub-elements will be imported
The item itself will be imported, with some of its sub-items
The item will not be imported; however, it contains items that will be imported

Right-clicking in the list will launch a context menu. It provides helpful functions for the selection of the individual items.

There are different symbols which indicate the items to be imported.

The element itself and all possible sub-elements will be imported
The item itself will be imported, with some of its sub-items
The item will not be imported; however, it contains items that will be imported


The last page lists objects to be edited, and gives information on the editing mode. It specifies the names of the items along with their descriptions. The Status column specifies whether the object is added, updated, or disabled. The last column specifies the organisational unit into which the item is imported. The number of objects can be seen at the bottom.


The server imports data in the background. The individual items then appear in the list one by one. This may take some time, depending on the amount of import data. If the import was terminated, this is symbolized by a hint.

Imported users and organisational units

The users and organisational units imported in Master Key mode cannot be edited in Password Safe. Any changes must therefore be made in AD and synchronized. Thus the AD becomes the leading system. Affiliations in organisational units or roles are also synchronized and must be set in AD. In organisational units or roles created in Password Safe, the users can be included directly in Password Safe.

Login to Password Safe

Users who are imported using this mode can log in with the domain password. Please note that no domain needs to be specified when logging in. Of course, the log-in can also be supplemented with multifactor authentication.


During synchronization, all relevant information for users, organisational units and roles (names, e-mail, etc.) is updated. Changed affiliations for organisational units and roles are adjusted. Likewise, users are activated or deactivated according to the settings in the AD. New users and correspondingly defined roles are imported.

Manual synchronization

The synchronization can be started manually at any time via the corresponding button in the ribbon.

Select the required profile and start the synchronization. Like the initial import, the synchronization runs in the background. A hint indicates that the process has been completed.

Synchronization via system tasks

The synchronization can also be carried out automatically. This is made possible via the system tasks.

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.