Self-service identity security for Active Directory

Self-Service Password Management for Active Directory

Cut helpdesk tickets, enforce MFA across your domain, block breached credentials, and sync passwords everywhere they're needed — all on-premises, with zero plaintext leaving your network.

Free for up to 50 users · No cloud dependency · Deploys in under an hour

One platform for the entire password lifecycle

ADPassSync intercepts password changes right at the domain controller, enforces your policy, checks for breaches, and gives users a secure self-service reset portal with MFA — without ever sending credentials to the cloud.

How a password change flows: User (portal, phone, or logon screen) → Policy & MFA (verify and enforce rules) → Active Directory (password set on the DC) → LDAP targets (downstream sync).
Every step is logged, encrypted, and runs entirely inside your network. AD password changes never break — even if ADPassSync is offline.

Everything you need to secure AD passwords

Seven capabilities, one lightweight deployment. Explore what each one does.

🔒
Self-Service Reset

Users reset their own passwords — securely

A clean, MFA-protected web portal lets users reset or unlock their Active Directory account in under a minute, from any device. The #1 helpdesk call disappears.

  • Cuts helpdesk tickets — up to 40% of all calls are password-related.
  • MFA-protected — every reset requires a verified second factor.
  • Works from any browser — no agent or VPN needed.
  • Windows logon integration — reset directly from the lock screen.
Portal mock-up (reset.acme.local/portal): steps Identity ✓, MFA ✓, New password. Signed in as jchen@acme.local. Beside the new-password field the portal shows each rule live: at least 14 characters; upper, lower, number & symbol; not found in any known breach. Confirm password, then Update password.
Enrollment mock-up (reset.acme.local/enroll): Enroll authenticator app. Scan the QR code, then enter the 6-digit code. Verify & enable MFA.
🛡
Multi-Factor Authentication

MFA on every reset — without per-user fees

Users enroll a second factor through the same self-service portal. Choose the providers that fit your environment and enforce them on every password operation.

  • TOTP authenticator apps — Google Authenticator, Authy, or the ADPassSync app.
  • WebAuthn / FIDO2 — hardware keys & platform biometrics.
  • Email, SMS & Duo Security for users without an authenticator app or key. Treat email and SMS as fallback factors: a code delivered out of band is easier to phish or intercept than TOTP or FIDO2.
  • No separate MFA fees — every provider included for every account.
📜
Password Policy Engine

Go far beyond AD's built-in policy

Active Directory's native policy covers length, history, age and its single built-in complexity rule; it cannot block dictionary words, keyboard patterns, breached passwords or your own blocklist. ADPassSync adds 10+ configurable rule types so weak, predictable and guessable passwords are rejected before they are ever set.

  • 10+ rule types — length, complexity, dictionary, keyboard patterns, repetition.
  • Block context terms — username, company name, and custom blocklists.
  • Live feedback — users see exactly which rule failed and why.
  • Per-OU policies — stricter rules for admins and privileged groups.
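How a rule engine of this kind evaluates a candidate, as an added example in Go that is not ADPassSync's code: the rule types are the ones listed above, but the thresholds, word lists, keyboard rows and message wording in DefaultPolicy are assumptions for illustration. Every failing rule is returned, not just the first, which is what live feedback in the portal needs.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy is one rule set. DefaultPolicy's values are illustrative assumptions.
type Policy struct {
	MinLength    int
	MinClasses   int      // of the four classes upper, lower, digit, symbol
	MaxRun       int      // longest permitted repeated or sequential run
	Dictionary   []string // common words, matched as case-insensitive substrings
	KeyboardRows []string // keyboard rows used to spot walks such as "qwer"
	Blocklist    []string // company names, seasonal terms, product names
}

func DefaultPolicy() Policy {
	return Policy{
		MinLength: 14, MinClasses: 3, MaxRun: 3,
		Dictionary:   []string{"password", "welcome", "letmein", "dragon"},
		KeyboardRows: []string{"qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"},
		Blocklist:    []string{"acme", "summer", "winter"},
	}
}

// Evaluate returns every rule the candidate fails, in policy order; empty is a pass.
func Evaluate(p Policy, username, password string) []string {
	var failed []string
	add := func(cond bool, msg string) {
		if cond {
			failed = append(failed, msg)
		}
	}
	lower := strings.ToLower(password)
	add(len([]rune(password)) < p.MinLength, fmt.Sprintf("minimum length: need at least %d characters", p.MinLength))
	add(charClasses(password) < p.MinClasses, fmt.Sprintf("complexity: need %d of 4 character classes", p.MinClasses))
	add(username != "" && strings.Contains(lower, strings.ToLower(username)), "username inclusion: contains the username")
	w := firstMatch(lower, p.Dictionary)
	add(w != "", "dictionary: contains the common word "+w)
	w = firstMatch(lower, p.Blocklist)
	add(w != "", "blocklist: contains the blocked term "+w)
	add(longestRun(lower) > p.MaxRun, fmt.Sprintf("repetition: more than %d repeated or sequential characters in a row", p.MaxRun))
	walk := keyboardWalk(lower, p.KeyboardRows, p.MaxRun+1)
	add(walk != "", "keyboard pattern: contains "+walk)
	return failed
}

func firstMatch(lower string, terms []string) string {
	for _, t := range terms {
		if strings.Contains(lower, strings.ToLower(t)) {
			return t
		}
	}
	return ""
}

// charClasses counts how many of upper, lower, digit and symbol appear.
func charClasses(s string) int {
	classes := []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }}
	n := 0
	for _, class := range classes {
		if strings.IndexFunc(s, class) >= 0 {
			n++
		}
	}
	return n
}

// longestRun is the longest stretch of identical characters ("aaaa") or of
// characters stepping by exactly +1 or -1 in code point ("abcd", "4321").
func longestRun(s string) int {
	rs, best := []rune(s), 0
	for _, step := range []rune{0, 1, -1} {
		run := 0
		for i := range rs {
			if i == 0 || rs[i]-rs[i-1] != step {
				run = 0
			}
			run++
			if run > best {
				best = run
			}
		}
	}
	return best
}

// keyboardWalk returns the first substring of length n that walks a keyboard
// row left to right ("qwer", "1234"), or "" if there is none.
func keyboardWalk(lower string, rows []string, n int) string {
	for _, row := range rows {
		for i := 0; i+n <= len(row); i++ {
			if strings.Contains(lower, row[i:i+n]) {
				return row[i : i+n]
			}
		}
	}
	return ""
}

func main() { fmt.Println(Evaluate(DefaultPolicy(), "jchen", "Summer2024!")) }
```

The same evaluation has to run at the password filter on the DC, not only in the portal: the portal is one of three change paths shown above, and a change made from the Windows logon screen or a phone never passes through the portal's client-side checks.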
Admin console mock-up (admin.acme.local/policy), Password Policy — Default:
  • Minimum length: reject passwords shorter than the limit (14 chars)
  • Character complexity: upper, lower, number & symbol (3 of 4)
  • Dictionary words: block common dictionary terms (On)
  • Keyboard patterns: qwerty, asdf, 12345… (On)
  • Character repetition: limit repeated/sequential runs (Max 3)
  • Username inclusion: reject passwords containing the username (On)
  • Custom blocklist: company names & seasonal terms (42 terms)
Breach check mock-up: candidate Summer2024! is hashed (k1, k2, k3), a match is found, and the password is rejected as seen in known breaches. 2B+ compromised passwords checked in-memory, in microseconds.
🚨
Breached Password Detection

Stop compromised passwords at the door

Every new password is checked against a Bloom filter built from over 2 billion passwords exposed in public breaches, in real time and entirely offline. A Bloom filter can never miss a password that is in the corpus; its only error is an occasional false positive, which rejects a password that was not in the list, so the filter is sized to keep that rate low. No password or hash ever leaves your network.

  • 2B+ known-compromised passwords — sourced from public breach corpora.
  • Real-time blocking — rejected before the change reaches AD.
  • Fully offline — in-memory bloom filter, no external API calls.
  • Regularly refreshed — update the dataset as new breaches surface.
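An offline check of this kind, as an added Go example that is not ADPassSync's implementation: a Bloom filter with three hash positions per password (the k1, k2, k3 of the mock-up above), loaded from a small constructed corpus. The filter size, the hash derivation and the corpus are assumptions; the point is what the data structure does and does not store.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// BreachFilter is a Bloom filter: an m-bit array in which each password sets
// k positions. It stores no passwords and no hashes, only bits, so it can sit
// in memory on the DC and answer in microseconds with no network call.
type BreachFilter struct {
	bits []uint64
	m    uint64 // number of bits
	k    int    // positions set per entry
	n    int    // entries added, used for the false-positive estimate
}

func NewBreachFilter(mBits uint64, k int) *BreachFilter {
	return &BreachFilter{bits: make([]uint64, (mBits+63)/64), m: mBits, k: k}
}

// positions derives the k bit indexes from one SHA-256 digest by double
// hashing (h1 + i*h2 mod m), a standard way to get k "hash functions" from one.
func (f *BreachFilter) positions(password string) []uint64 {
	sum := sha256.Sum256([]byte(password))
	h1 := binary.BigEndian.Uint64(sum[0:8])
	h2 := binary.BigEndian.Uint64(sum[8:16]) | 1 // odd, so the positions spread
	pos := make([]uint64, f.k)
	for i := range pos {
		pos[i] = (h1 + uint64(i)*h2) % f.m
	}
	return pos
}

func (f *BreachFilter) Add(password string) {
	for _, p := range f.positions(password) {
		f.bits[p/64] |= 1 << (p % 64)
	}
	f.n++
}

// MaybeCompromised is true when every position is set. A password that was
// added is always reported (no false negatives); one that was not is reported
// only on a false positive, so a match means "reject", never "proven breached".
func (f *BreachFilter) MaybeCompromised(password string) bool {
	for _, p := range f.positions(password) {
		if f.bits[p/64]&(1<<(p%64)) == 0 {
			return false
		}
	}
	return true
}

// FalsePositiveRate is the textbook estimate (1 - e^(-kn/m))^k for the
// current fill; use it to size m for the corpus you actually load.
func (f *BreachFilter) FalsePositiveRate() float64 {
	return math.Pow(1-math.Exp(-float64(f.k*f.n)/float64(f.m)), float64(f.k))
}

// BuildDemoFilter loads a small constructed corpus. A production filter is
// built offline from the breach corpus and shipped as a data file.
func BuildDemoFilter() *BreachFilter {
	f := NewBreachFilter(1<<20, 3) // 1 Mi bits, 3 hashes, as in the mock-up
	for _, pw := range []string{"Summer2024!", "Password1", "Welcome123", "qwerty"} {
		f.Add(pw)
	}
	return f
}

func main() {
	f := BuildDemoFilter()
	for _, pw := range []string{"Summer2024!", "Vortex-Lantern!9Qz"} {
		fmt.Printf("%-20s compromised=%v\n", pw, f.MaybeCompromised(pw))
	}
	fmt.Printf("estimated false-positive rate: %.2g\n", f.FalsePositiveRate())
}
```

Sizing is the practical question for a 2B-entry corpus: by the standard Bloom-filter formulas, about 9.6 bits per entry with k=7 gives roughly a 1% false-positive rate, which for 2 billion passwords is on the order of 2.4 GB of filter in memory (my back-of-envelope figure, not a number from the page); fewer bits per entry buys memory at the cost of more good passwords being rejected.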
🔄
LDAP Target Sync

One password, consistent everywhere

When a user changes their AD password, ADPassSync can push that change to downstream LDAP directories and applications — keeping every system in sync without forcing users to juggle multiple credentials.

  • Sync to multiple targets — OpenLDAP, FreeIPA, app directories & more.
  • Per-target mapping — control which users and attributes sync where.
  • Encrypted in transit — LDAPS / StartTLS to every endpoint.
  • Retry & audit — queued delivery with full success/failure logging.
Sync mock-up: Active Directory password change detected → OpenLDAP synced, FreeIPA synced, GitLab synced, Jira synced.

Security isn't a feature — it's the foundation

ADPassSync deploys as a distributed pipeline across your AD infrastructure. Passwords are envelope-encrypted at the domain controller and never appear in plaintext anywhere downstream.

Pipeline: Password Filter DLL (loaded into lsass.exe on each DC, the one point where the plaintext exists, because that is how the Windows password-filter interface hands over a new password) → Agent (encrypt & queue) → Relay (bridges DCs on isolated network segments that have no direct route to the central service) → Central Service (DMZ / web portal).
Passwords are envelope-encrypted on the DC (AES-256-GCM + RSA-OAEP). The relay only ever forwards encrypted blobs; it never holds a key.

Envelope Encryption

AES-256-GCM + RSA-OAEP. Each password is encrypted on the DC under a fresh AES-256-GCM data key, and that key is wrapped with the central service's RSA-OAEP public key; the matching private key exists only on the central service, so nothing in between can decrypt.
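The envelope scheme described above, as an added Go example using only the standard library (it is not ADPassSync's code): the AAD contents, the OAEP label and the sample password are assumptions, and the RSA key is generated in-process only to keep the example self-contained. The round trip also shows what a relay gets: it can forward the blob, but flipping a bit or re-labelling it for another account fails authentication at the central service.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is an arbitrary value chosen for this example; both ends must agree on it.
var oaepLabel = []byte("adpasssync-dek-v1")

// Envelope is what the agent queues and the relay forwards. It holds no key the
// relay could use, and the GCM tag covers both the ciphertext and the AAD.
type Envelope struct {
	WrappedDEK []byte // RSA-OAEP(SHA-256) of the 32-byte AES-256 data key
	Nonce      []byte // 12-byte GCM nonce; fresh key and nonce per password
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
	AAD        []byte // account and origin: authenticated, not encrypted
}

// SealOnDC runs on the domain controller, the one place the plaintext password
// exists. Only the central service's public key is present here.
func SealOnDC(pub *rsa.PublicKey, aad, password []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 32-byte data key followed by a 12-byte nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, password, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range dek { // the plaintext data key has no further use on the DC
		dek[i] = 0
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct, AAD: aad}, nil
}

// OpenAtCentral runs only where the RSA private key lives. Any change to the
// ciphertext, nonce or AAD in transit makes gcm.Open fail authentication.
func OpenAtCentral(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.AAD)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip walks a constructed password DC -> relay -> central, then shows that
// a relay which alters the blob or re-labels it for another account is caught.
func RoundTrip() (decryptsOK, tamperCaught, aadSwapCaught bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // provisioned once on the central service in practice
	if err != nil {
		return
	}
	password := []byte("Vortex-Lantern!9Qz") // constructed sample
	env, err := SealOnDC(&priv.PublicKey, []byte("jchen@acme.local|DC01"), password)
	if err != nil {
		return
	}
	pt, openErr := OpenAtCentral(priv, env)
	decryptsOK = openErr == nil && bytes.Equal(pt, password)
	flipped := *env // a relay that flips one ciphertext bit
	flipped.Ciphertext = append([]byte(nil), env.Ciphertext...)
	flipped.Ciphertext[0] ^= 0x01
	_, tErr := OpenAtCentral(priv, &flipped)
	tamperCaught = tErr != nil
	swapped := *env // a relay that re-labels the blob for a different account
	swapped.AAD = []byte("mortiz@acme.local|DC01")
	_, sErr := OpenAtCentral(priv, &swapped)
	aadSwapCaught = sErr != nil
	return decryptsOK, tamperCaught, aadSwapCaught, nil
}

func main() { fmt.Println(RoundTrip()) }
```

Because every password gets its own data key, GCM nonce reuse across messages is not a concern; the single secret the whole pipeline depends on is the central service's RSA private key, which belongs in whatever key protection that host offers and never on a relay.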

Mutual TLS

All component-to-component communication uses mutual TLS with certificate pinning.

Zero Plaintext

The relay forwards encrypted blobs. No intermediate component ever sees the password.

Fail-Safe Design

If any ADPassSync component fails, AD password changes continue unaffected. We never break Active Directory.

On-Premises

Everything runs in your environment. No credentials leave your network. No cloud dependency.

Audit Logging

Every password event, MFA verification, and policy decision is logged for compliance and forensics.

Dashboard mock-up (admin.acme.local/dashboard), licensed for 1,000 users: Resets (30d) 1,284 (▲ 12% vs last month); MFA enrolled 94% (▲ 6% vs last month); Breaches blocked 37 this month; Active users 842 of 1,000 licensed. Recent activity: Jane Chen (jchen@acme.local), reset 2m ago; Marc Ortiz (mortiz@acme.local), MFA enrolled; Sara Kane (skane@acme.local), reset 14m ago.
📊
Admin Console

Full visibility and control in one place

A web-based admin console gives IT a real-time view of reset activity, MFA enrollment, blocked breaches, and license usage — plus the tools to manage users and policy across the domain.

  • License management — track seats and deploy license files via AD.
  • Complete audit trail — every reset, MFA event & policy decision, searchable.
  • User management — unlock accounts, reset MFA, and review per-user history.
  • At-a-glance metrics — resets, enrollment rate & breaches blocked.
Mobile app mock-up (ADPassSync Authenticator): rolling 6-digit TOTP codes with countdown timers for Acme Corp (AD), VPN Gateway and GitLab, plus a Scan QR code button to add an account.
Mobile App

A second factor in every user's pocket

The ADPassSync mobile app doubles as a TOTP authenticator and a self-service reset tool — so users can secure their account and recover access without ever calling the helpdesk.

  • Built-in TOTP authenticator — rolling 6-digit codes for AD and beyond.
  • Reset from your phone — change your AD password on the go.
  • QR-code enrollment — scan to add a new account in seconds.
  • Push-ready — approve sign-ins with a single tap.

Start free. Scale when you're ready.

Full functionality for up to 50 Active Directory users. No credit card required.

Free
$0
Up to 50 AD users, forever
  • Self-service password reset
  • MFA enforcement (all providers)
  • Breached password detection
  • Advanced password policy
  • LDAP sync
  • Windows logon integration
Sign up & download

A user is any identity counted as an active Active Directory object — any account that has a password. Contact us for special pricing on non-human accounts (service, machine & shared accounts).

Get in touch

Questions about ADPassSync? Want to discuss pricing for your organization? We'd love to hear from you.