Identity Security Posture Management for Active Directory

Self-Service Password Management for Active Directory

Empower users with secure self-service password reset, enforce MFA across your domain, and detect breached credentials before attackers do.


Everything you need to secure AD passwords

ADPassSync intercepts password changes at the domain controller, enforces policy, and gives users a self-service reset portal with MFA.


Self-Service Password Reset

Users reset their own AD passwords through a secure web portal with multi-factor authentication. Reduces helpdesk tickets by up to 40% and eliminates the #1 IT support call.


Multi-Factor Authentication

Enforce MFA on password resets with TOTP, WebAuthn/FIDO2, email, SMS, or Duo Security. Users enroll through the self-service portal. No per-user licensing fees. WebAuthn/FIDO2 is the phishing-resistant choice; treat SMS and email as fallbacks for users who cannot enroll a stronger factor.


Breached Password Detection

Every password change is checked against a Bloom filter built from known compromised passwords, so a breached password is blocked in real time, before it enters your directory. The filter stores bit positions derived from hashes, not the breached passwords themselves. A Bloom filter can return a false positive (a password that is not in the corpus is rejected) but never a false negative, so nothing on the list gets through.
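As an added illustration of that check (example code written for this page in Go, not ADPassSync's own; the five-password breach list, the filter sizing and the function names are constructed for the example): the filter is sized for 100,000 entries at a 1-in-10,000 false-positive rate, each password is hashed with SHA-256 and the digest is split into 13 bit positions, and a lookup answers false only when a password is definitely absent.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"math/bits"
)

// BloomFilter is a bit array probed at k positions per entry. It answers
// "definitely not present" or "possibly present": it never reports a listed
// password as absent, but can flag an unlisted one as present.
type BloomFilter struct {
	words []uint64
	m     uint64 // bits in the filter
	k     uint64 // hash probes per entry
}

// NewBloomFilter sizes the filter for n expected entries at target
// false-positive rate p, using the standard optimal m and k.
func NewBloomFilter(n int, p float64) *BloomFilter {
	m := uint64(math.Ceil(-float64(n) * math.Log(p) / (math.Ln2 * math.Ln2)))
	k := uint64(math.Round(float64(m) / float64(n) * math.Ln2))
	if k == 0 {
		k = 1
	}
	return &BloomFilter{words: make([]uint64, (m+63)/64), m: m, k: k}
}

// positions derives k indices from one SHA-256 of the password by double
// hashing (h1 + i*h2). Only these positions are ever stored, so the corpus
// never contains the plaintext passwords it was built from.
func (b *BloomFilter) positions(password string) []uint64 {
	sum := sha256.Sum256([]byte(password))
	h1 := binary.BigEndian.Uint64(sum[0:8])
	h2 := binary.BigEndian.Uint64(sum[8:16]) | 1 // odd step so the probes spread
	idx := make([]uint64, b.k)
	for i := uint64(0); i < b.k; i++ {
		idx[i] = (h1 + i*h2) % b.m
	}
	return idx
}

// Add records one breached password (done offline when the corpus is built).
func (b *BloomFilter) Add(password string) {
	for _, pos := range b.positions(password) {
		b.words[pos/64] |= uint64(1) << (pos % 64)
	}
}

// Breached reports whether the password may be in the corpus. A false answer
// is definitive; a true answer blocks the change.
func (b *BloomFilter) Breached(password string) bool {
	for _, pos := range b.positions(password) {
		if b.words[pos/64]&(uint64(1)<<(pos%64)) == 0 {
			return false
		}
	}
	return true
}

// FalsePositiveRate estimates how often a clean password will be rejected,
// from the fraction of bits actually set. Worth logging: it is the price paid
// for never letting a known-breached password through.
func (b *BloomFilter) FalsePositiveRate() float64 {
	set := 0
	for _, w := range b.words {
		set += bits.OnesCount64(w)
	}
	return math.Pow(float64(set)/float64(b.m), float64(b.k))
}

// BuildSampleCorpus loads a small constructed breach list (not real breach
// data) into a filter sized for 100,000 entries at 1 in 10,000 false positives.
func BuildSampleCorpus() *BloomFilter {
	bf := NewBloomFilter(100_000, 1e-4)
	for _, pw := range []string{"password", "123456", "Winter2024!", "letmein", "Company123"} {
		bf.Add(pw)
	}
	return bf
}

func main() {
	bf := BuildSampleCorpus()
	for _, pw := range []string{"Winter2024!", "correct horse battery staple"} {
		fmt.Printf("%-32q breached=%v\n", pw, bf.Breached(pw))
	}
	fmt.Printf("estimated false-positive rate: %.2e\n", bf.FalsePositiveRate())
}
```

Two properties matter operationally. The filter contains only bit positions, so distributing it does not distribute the breach corpus, and the estimated false-positive rate is the cost of never letting a listed password through: a clean password is wrongly rejected about once in ten thousand changes when the filter is full, and far less often while it is sparse. Lookups are exact-string, so the corpus must be built with the same normalisation (if any) that is applied at check time.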


Advanced Password Policy

Go beyond AD's built-in policy with 10+ rule types: minimum length, complexity, dictionary words, keyboard patterns, character repetition, username inclusion, and more.
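A rule engine of the kind the list above describes, as an added example in Go that is not the product's code; the rule names, the thresholds in DefaultPolicy, the six-word dictionary and the account name jsmith are assumptions made for the example. Evaluate reports every violated rule rather than stopping at the first, which is what a self-service portal needs in order to tell the user everything wrong with a candidate in one round trip.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy holds the administrator's thresholds; DefaultPolicy's values are assumptions, not ADPassSync's defaults.
type Policy struct {
	MinLength    int
	MinClasses   int      // distinct classes required among upper, lower, digit, symbol
	MaxRepeat    int      // longest permitted run of one repeated character
	PatternLen   int      // shortest keyboard walk (e.g. "qwer") that is rejected
	Dictionary   []string // lowercase words that may not appear anywhere in the password
	KeyboardRows []string // each keyboard row, listed forwards and backwards
}

// charClasses counts how many of upper, lower, digit and symbol occur in the password.
func charClasses(password string) int {
	symbol := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	n := 0
	for _, class := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, symbol} {
		if strings.IndexFunc(password, class) >= 0 {
			n++
		}
	}
	return n
}

func longestRun(password string) int {
	best, run, prev := 0, 0, rune(-1)
	for _, r := range password {
		if r == prev {
			run++
		} else {
			run, prev = 1, r
		}
		if run > best {
			best = run
		}
	}
	return best
}

// hasKeyboardWalk slides a PatternLen window over the lowercased password and flags any window that reads along a row.
func hasKeyboardWalk(p Policy, lower string) bool {
	runes := []rune(lower)
	for _, row := range p.KeyboardRows {
		for i := 0; i+p.PatternLen <= len(runes); i++ {
			if strings.Contains(row, string(runes[i:i+p.PatternLen])) {
				return true
			}
		}
	}
	return false
}

// Evaluate returns every rule the password breaks, in a fixed order; empty means policy passed (the breach check is separate).
func Evaluate(p Policy, password, username string) []string {
	var failed []string
	fail := func(name string) { failed = append(failed, name) }
	lower := strings.ToLower(password)
	if len([]rune(password)) < p.MinLength {
		fail("min_length")
	}
	if charClasses(password) < p.MinClasses {
		fail("complexity")
	}
	for _, word := range p.Dictionary {
		if strings.Contains(lower, word) {
			fail("dictionary_word")
			break
		}
	}
	if hasKeyboardWalk(p, lower) {
		fail("keyboard_pattern")
	}
	if longestRun(password) > p.MaxRepeat {
		fail("repetition")
	}
	// Two-letter account names would match almost anything, so require 3+ characters.
	if len(username) >= 3 && strings.Contains(lower, strings.ToLower(username)) {
		fail("username_inclusion")
	}
	return failed
}

func DefaultPolicy() Policy {
	return Policy{
		MinLength: 14, MinClasses: 3, MaxRepeat: 3, PatternLen: 4,
		Dictionary:   []string{"password", "welcome", "letmein", "summer", "winter", "admin"},
		KeyboardRows: []string{"qwertyuiop", "poiuytrewq", "asdfghjkl", "lkjhgfdsa", "zxcvbnm", "mnbvcxz", "1234567890", "0987654321"},
	}
}

func main() {
	for _, pw := range []string{"Password1!", "qwerty123!", "jsmith2024!", "Tr0ub4dor-Glacier-Pelican-91"} {
		fmt.Printf("%-30s -> %v\n", pw, Evaluate(DefaultPolicy(), pw, "jsmith"))
	}
}
```

Running main prints each candidate with its violations; the passphrase at the end passes all six rules. The dictionary and username checks are substring matches on the lowercased password, so trivial variants such as Password1! or jsmith2024! are still caught, and the keyboard check catches walks in either direction along a row.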


LDAP Target Sync

Automatically sync password changes to downstream LDAP directories, applications, and identity stores. Keep credentials consistent across your entire infrastructure.


Windows Logon Integration

A Windows Credential Provider lets users initiate password resets directly from the logon screen — no browser needed, even when locked out of their workstation.

Built for enterprise Active Directory

ADPassSync deploys across your AD infrastructure with a secure, distributed pipeline. No cloud dependency required.

The pipeline, from the DC outward:
  • Password Filter DLL: loaded into lsass.exe on every DC, where it sees each password change as it happens (a password filter has to be installed on every writable DC, and the DC must be restarted to load it)
  • Agent: receives the change from the DLL over a named pipe and queues it locally
  • Relay: bridges isolated DCs that have no direct route to the central service
  • Central Service: runs in the DMZ and hosts the web portal
Passwords are envelope-encrypted on the DC: the password is encrypted with AES-256-GCM under a data key that is itself wrapped with RSA-OAEP to the central service's public key, so the relay only ever forwards ciphertext. All component-to-component communication uses mTLS.

Security isn't a feature — it's the foundation

Every design decision prioritizes the security of your credentials and your Active Directory environment.

Envelope Encryption

AES-256-GCM + RSA-OAEP. Credentials are encrypted on the DC and only decrypted by the central service.

Mutual TLS

All component-to-component communication uses mutual TLS with certificate pinning.

Zero Plaintext in Transit

The relay forwards encrypted blobs. No intermediate component ever sees the password.
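The envelope scheme described in the pipeline overview and in the Envelope Encryption and Zero Plaintext in Transit points, as an added example in Go (not ADPassSync's code; the OAEP label, the 2048-bit key size, the Envelope field layout and binding the account name as GCM associated data are assumptions made for this example, since the page does not say how its envelope is framed). The DC seals the password under a fresh AES-256-GCM data key, wraps that key with RSA-OAEP to the central service's public key, the relay copies the blob without being able to read it, and the central service, the only holder of the private key, opens it. Any change on the way through, including re-pointing the blob at a different account, fails the GCM tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; both ends must agree on it (assumed value).
var oaepLabel = []byte("adpasssync-datakey")

// Envelope is the opaque blob that leaves the DC; nothing in it is usable without the central private key.
type Envelope struct {
	Account    string // authenticated but not encrypted: ties the blob to one account
	WrappedKey []byte // 32-byte AES key, RSA-OAEP(SHA-256) encrypted to the central service
	Nonce      []byte // 96-bit GCM nonce, fresh for every envelope
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// NewCentralKey makes the central service's key pair; the page does not state a size, 2048 is assumed.
func NewCentralKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealOnDC runs inside the DC: a fresh data key encrypts the password, then the data key is
// wrapped so that only the central service can recover it. The DC keeps neither afterwards.
func SealOnDC(central *rsa.PublicKey, account string, password []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, password, []byte(account)) // account name is the associated data
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, central, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{Account: account, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// RelayForward stands in for the relay: it can copy, queue and route the envelope, but holds no key.
func RelayForward(e *Envelope) *Envelope {
	c := *e
	return &c
}

// OpenAtCentral unwraps the data key and decrypts. Any change to ciphertext, nonce or account
// on the way through the relay makes the GCM tag check fail, and the change is discarded.
func OpenAtCentral(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("envelope rejected: key unwrap failed")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.Account))
	if err != nil {
		return nil, errors.New("envelope rejected: authentication tag mismatch")
	}
	return pt, nil
}

func main() {
	priv, err := NewCentralKey()
	if err != nil {
		panic(err)
	}
	env, _ := SealOnDC(&priv.PublicKey, "CORP\\jsmith", []byte("Tr0ub4dor-Glacier-91"))
	pt, err := OpenAtCentral(priv, RelayForward(env))
	fmt.Printf("central recovered %q, err=%v\n", pt, err)
	retargeted := RelayForward(env)
	retargeted.Account = "CORP\\administrator" // a relay that re-points the blob at another account
	_, err = OpenAtCentral(priv, retargeted)
	fmt.Println("retargeted envelope:", err)
}
```

The private key never leaves the central service, so compromising a relay yields only ciphertext and wrapped keys, and because every envelope gets its own data key and nonce, two changes to the same password produce unrelated blobs. The mTLS the page describes authenticates the channel on top of this; the envelope is what keeps the relay out even though the TLS connection terminates on it.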

Fail-Safe Design

If any ADPassSync component fails, AD password changes continue unaffected: the pipeline fails open, so an outage of the agent, relay or central service never blocks a change in Active Directory. We never break Active Directory.

On-Premises Deployment

Everything runs in your environment. No credentials leave your network. No cloud dependency.

Audit Logging

Every password event, MFA verification, and policy decision is logged for compliance and forensics.

Start free. Scale when you're ready.

Full functionality for up to 50 Active Directory users. No credit card required.

Free
$0
Up to 50 AD users, forever
  • Self-service password reset
  • MFA enforcement (all providers)
  • Breached password detection
  • Advanced password policy
  • LDAP sync
  • Windows logon integration

Get in touch

Questions about ADPassSync? Want to discuss pricing for your organization? We'd love to hear from you.