Skip to main content

Connecting the Password Assistant App with Microsoft Active Directory

Introduction and Creating an Active Directory User

When setting up a connection between the Password Reset app and Microsoft AD, you will first need to create a new user in your Active Directory with the following assigned roles:

  • Replicating directory changes.

  • Replicating directory changes in filtered set.

  • Replicating directory changes all.

  • Read.

You will need to complete this step before proceeding. If you are unfamiliar with granting these specific permissions to a user, please refer to the following guide :



Downloading SYNC and Configuration Files

You will need to download the Microsoft AD connector executable file (IncidentIQ.Connectors.MicrosoftAd.exe). On the Password Assistant Overview tab, click the Download Local AD Password Assistant Executable button.

This application will need to be downloaded on a machine with network access to reach your AD server. You can run it on the AD server, but that’s not required. Additionally, the machine that runs the application must have the .NET framework v4.8 or higher.

Next, you will need to download the PasswordAssistant.conf file. In the Overview tab, click on the Download Configuration Template button. Once this file has been downloaded, save it with the name PasswordAssistant.conf, and place it in the folder with the password assistant application.

When setting up a policy to utilize the AD connector, you must ensure that the password reset requests are being directed to AD from accounts created by your AD/SSO integration.

This can be done by checking the box next to your app in the Login Providers section and selecting Local AD in the corresponding drop-down menu. Additionally, you will need to select the lookup field in the User Lookup Map for Local Ad section to utilize between iiQ and AD.

Please note that we support routing to AD from the following integrations:

  • ClassLink SSO

  • Enboard SSO

  • Google SSO

  • Microsoft Active Directory

  • Microsoft ADFS

  • Microsoft Azure

  • Rapid Identify



Configuring the Active Directory Integration

After you have created your AD user and downloaded the necessary files, you will need to extract the Microsoft AD Connectors file. Once all files have been extracted, move the PasswordAssistant.conf file into the sync application’s unzipped folder.

Next, run the application titled IncidentIQ.Connectors.MicrosoftAd.exe. This will open up a new application window.


In the top section of the application window, you will need to modify the following default settings: ad.username, ad.password, ad.domain, and ad.ip.

Important Note: All fields must be kept inside quotation marks. Data entered without these quotations will not configure correctly.


The ad.password value should be encrypted. To get the encrypted value to fill the settings, click the Common tab and enter the ad.password in the text field labeled Clear text. Copy the Encrypted value and paste it as the value for the ad.password setting.


Once all of your settings have been entered, click Save configuration.


After confirming that the configuration has been saved, click Run now. Running the application can take a while, depending on the number of users in your AD (syncing about 10,000 users takes roughly 10-15 minutes).

Upon completion, you will see a message stating, “Completed sending data to IncidentIQ.”




Creating a Scheduled Sync Task

To schedule the sync to occur automatically, you’ll need to create a task in Windows Task Manager. You can do so by searching for Administrative Tools and selecting Task Scheduler. This will open the Task Scheduler window.


In the Task Scheduler window, start by clicking on Action > Create Basic Task...


This will open the Create Basic Task Wizard. At the very least, you will need to provide a name for the new task. You can also add a task if desired. Once complete, click Next.


In the next step, you will be asked to select when this task should Trigger. We recommend running it daily (overnight) for the most accurate user data. Please ensure you set the task to run regardless of whether a user is logged in or not on the server. Once complete, click Next.


For the next step, you will need to specify what action the task will take when running. Select Start a Program and then click on Next.


When specifying the action to perform, locate the file IncidentIQ.Connectors.MicrosoftAd.exe in the Program/script file browser. Supply the argument -passwordreset in the Add arguments field. And finally, you will need to indicate the path you unzipped the files to in the Start in field. Once complete, click Next.


In the final step, you may review your task’s settings. Once you have completed your review, check the Open the Properties dialog for this task when I click Finish option and then click Finish.


In the properties pop-up window, begin by selecting Run whether user is logged on or not. Additionally, you will also need to check Run with highest privileges. Failure to check both options can prevent the connector from processing password reset requests.


Next, select the Triggers tab at the top of the window and click on the Daily trigger for this task.


Next, you will want to click on Repeat task every 5 minutes for the duration of 1 day. Once this is complete, click on OK to complete the setup.


---

Hannah Bailey - Director, Customer Engagement

Did this answer your question?