Import and Sync Users from Active Directory (On-Premises)

Overview

IPI Enterprise Server integrates with Active Directory (On-Premises) to support centralized user import, synchronization, and optional password rotation.

IPI Enterprise Server also supports multi-domain environments. Users can be synchronized from multiple Active Directory (On-Premises) domains and are matched by their email addresses. If two or more users from different domains share the same email, they will be merged into a single profile in IPI Enterprise Server.

Integration Scenarios

IPI Enterprise Server supports two scenarios for integrating and managing users from Active Directory (On-Premises):

Scenario 1: Importing Users Only (Without Password Change)

Overview:

  • Users are synchronized based on membership in the IPI Users Sync group.

  • Domain passwords are not changed or updated.

  • Assigning IPI Keys is not required.

  • You can optionally configure passwordless PC authentication via the IPI Authenticator mobile application.

Prerequisites:

Before syncing users from Active Directory, ensure the following conditions are met:

  1. You are logged in as a user with administrator rights in IPI Enterprise Server.

  2. Target users are added to the designated Active Directory group:

    • IPI Users Sync – required for any synchronization.

  3. The Enable Single Sign-On option must be turned on during Active Directory setup if you plan to use the IPI Authenticator mobile app for passwordless workstation login.

Steps:

  1. In IPI Enterprise Server, navigate to Employees → Sync with Active Directory and click Sync Now.

  2. Imported users will appear in the employee list, marked as synchronized from Active Directory.

Note: If you encounter the error "Unavailable Critical Extension" during synchronization or password update, please follow our troubleshooting guide to enable Virtual List View in Active Directory.

Use Case: Passwordless Login with IPI Authenticator

When a user is imported into IPI Enterprise Server from Active Directory, they receive an invitation email.

Scenario 2: Importing Users with Automatic Password Change

Overview:

This scenario enables you to import users from Active Directory and enforce automatic domain password changes using IPI Keys.

  • Each imported user is assigned a new, strong, randomly generated password.

  • The password is updated both in Active Directory and securely stored on the user’s IPI Key.

  • This workflow requires IPI Keys.

  • Future password rotations are handled automatically based on a configured schedule.

Prerequisites

Before syncing users from Active Directory, ensure the following conditions are met:

  1. You are logged in as a user with administrator rights in IPI Enterprise Server.

  2. Users are added to:

    • IPI Users Sync group (for user import)

    • Security Key Auto Password Change group (for automatic password management)

  3. The user must have an IPI Key with one of the following statuses: "Ready", "Active", or "Reserved".
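Because IPI Enterprise Server matches synchronized accounts by email address across domains (and merges accounts that share one), and because Scenario 2 requires membership in both groups, it is worth auditing the groups before clicking Sync Now. The following PowerShell script is an added example, not part of IPI Enterprise Server or its documentation; it assumes the RSAT ActiveDirectory module, read access to each listed domain, and uses a constructed domain list that you replace with your own.

```powershell
# Pre-sync audit of the IPI sync groups. Added example; not IPI Enterprise Server code.
# Assumes the RSAT ActiveDirectory module and read access to each listed domain.
Import-Module ActiveDirectory

# Constructed domain list; replace with the domains IPI Enterprise Server syncs from.
$Domains   = @('corp.example.com', 'labs.example.com')
$SyncGroup = 'IPI Users Sync'
$PwdGroup  = 'Security Key Auto Password Change'

function Get-GroupUsers($Group, $Domain) {
    # Expand nested groups and return the user accounts with the attribute IPI matches on.
    Get-ADGroupMember -Identity $Group -Server $Domain -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Server $Domain -Properties mail
            [pscustomobject]@{
                Domain = $Domain
                DN     = $u.DistinguishedName
                Sam    = $u.SamAccountName
                # Normalize so duplicates are found the way a case-insensitive match would.
                Mail   = if ($u.mail) { $u.mail.Trim().ToLowerInvariant() } else { $null }
            }
        }
}

$sync     = foreach ($d in $Domains) { Get-GroupUsers $SyncGroup $d }
$rotation = foreach ($d in $Domains) { Get-GroupUsers $PwdGroup  $d }

Write-Host '== Sync members without a mail attribute (cannot be matched by email) =='
$sync | Where-Object { -not $_.Mail } | Format-Table Domain, Sam -AutoSize | Out-Host

Write-Host '== Emails shared by several accounts (would be merged into one IPI profile) =='
$sync | Where-Object { $_.Mail } | Group-Object Mail | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        "$($_.Name): " + (($_.Group | ForEach-Object { "$($_.Domain)\$($_.Sam)" }) -join ', ')
    } | Out-Host

Write-Host '== Password-change group members missing from the sync group (not imported) =='
$syncDNs = @($sync.DN)
$rotation | Where-Object { $syncDNs -notcontains $_.DN } | Format-Table Domain, Sam -AutoSize | Out-Host
```

Run it from a workstation that can reach a domain controller in each domain; an empty table under each heading means the sync will neither skip accounts for lack of an email nor silently merge two people into one profile.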

Steps:

  1. In IPI Enterprise Server, navigate to Employees → Sync with Active Directory and click Sync Now.

  2. Imported users will appear in the employee list, marked as synchronized from Active Directory and associated with a domain account.

  3. Assign an IPI Key to each user and provide the user with an activation code.

  4. The user has to activate the IPI Key on the workstation.

Use Case: First Login with an IPI Key

After the key is assigned and the user receives their activation code:

  1. The user pairs or taps the IPI Key to the workstation.

  2. The user enters the activation code when prompted.

  3. IPI Enterprise Server generates a new domain password.

  4. The password is securely written to the key and updated in Active Directory.

  5. The user must activate the IPI Key on their workstation using the activation code.

Note: After the password is updated, neither the user nor the administrator can view or retrieve it.

Optional Features for Password Management

In addition to the automatic password update workflow, IPI also supports optional manual and user-initiated password management features:

  • Manual password management: an administrator can manually set or generate a new password for a domain user from the IPI Enterprise Server interface.

  • User-initiated password change: a domain user can change their own Active Directory password via the IPI Client using an IPI Key.

The user has two options:

  • Change the password only on the IPI Key (the domain password remains unchanged).

  • Change the password in both Active Directory and the IPI Key simultaneously.
