Requirements
Complete this checklist before starting the setup process.
Active Directory Requirements
Active Directory
- Windows Server 2012 R2 or later Domain Controller
- LDAPS (port 636) or StartTLS enabled on DC
- Ability to create service accounts
- Ability to delegate permissions on target OUs
Service Account Permissions
The service account needs these permissions on target OUs:
| Permission | Purpose |
|---|---|
| Read | Find users by sAMAccountName, email, phone |
| Reset Password | Reset passwords (unicodePwd attribute) |
| Write lockoutTime | Unlock accounts |
We provide a PowerShell script to configure these permissions automatically. See Permissions Script.
Network Requirements
Network
- Outbound HTTPS (443) to api.adunlock.me
- Connector server can reach Domain Controller on port 636 (LDAPS)
- No SSL/TLS inspection on connector traffic (breaks mTLS)
SSL Inspection Warning
If your firewall performs SSL inspection, you must exclude api.adunlock.me from inspection. The connector uses client certificates (mTLS) that will be broken by MITM inspection.
Firewall Rules Summary
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Connector | api.adunlock.me | 443 | TCP | Gateway connection |
| Connector | Domain Controller | 636 | TCP | LDAPS operations |
| Connector | Domain Controller | 389 | TCP | LDAP + StartTLS (alternative) |
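A preflight check for the rules above, as an added example that is not part of the AD Unlock documentation or tooling: run from the connector server, it opens TLS connections to the gateway (443) and the Domain Controller (636) and reports which CA signed the certificate each one presents. `dc01.example.local` and `Example Inspection CA` are placeholders for your own values. The probe presents no client certificate, and this page does not say how the gateway answers such a handshake, so an `Error` value for the gateway is not by itself a failure.

```powershell
# Added example, not vendor code. Placeholders: dc01.example.local, 'Example Inspection CA'.
param(
    [string]$DomainController = 'dc01.example.local',
    [string]$Gateway          = 'api.adunlock.me',
    [string]$InspectionCaName = 'Example Inspection CA'   # name of your firewall's signing CA
)

function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port)
    $r = [ordered]@{ Host = $HostName; Port = $Port; TcpOpen = $false
                     PolicyErrors = $null; Issuer = $null; Root = $null; Error = $null }
    $seen = @{}
    # Diagnostic only: record what the peer presented and let the handshake continue.
    $record = {
        param($s, $cert, $chain, $policyErrors)
        $seen.Errors = $policyErrors.ToString()   # 'None' means trusted and name matches
        $seen.Issuer = $cert.Issuer
        $n = $chain.ChainElements.Count
        if ($n -gt 0) { $seen.Root = $chain.ChainElements[$n - 1].Certificate.Subject }
        $true
    }.GetNewClosure()
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $r.TcpOpen = $true
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]$record)
        $ssl.AuthenticateAsClient($HostName)
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
        $r.PolicyErrors = $seen.Errors; $r.Issuer = $seen.Issuer; $r.Root = $seen.Root
    }
    [pscustomobject]$r
}

$gw = Test-TlsEndpoint -HostName $Gateway -Port 443
$dc = Test-TlsEndpoint -HostName $DomainController -Port 636
$gw, $dc | Format-List

if (-not $gw.TcpOpen) { Write-Warning "Outbound 443 to $Gateway is blocked." }
if ($gw.Issuer -like "*$InspectionCaName*" -or $gw.Root -like "*$InspectionCaName*") {
    Write-Warning "$Gateway is re-signed by '$InspectionCaName': exclude it from SSL inspection."
}
if (-not $dc.TcpOpen) { Write-Warning "Port 636 on $DomainController is not reachable." }
if ($dc.PolicyErrors -and $dc.PolicyErrors -ne 'None') {
    Write-Warning "LDAPS certificate on $DomainController failed validation: $($dc.PolicyErrors)"
}
```

If you do not know your inspection CA's name, compare the `Issuer` and `Root` printed for the gateway with the values seen from a network that is not inspected.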
Connector Server Requirements
Connector Server
- Windows Server 2016 or later (Windows 10/11 also works)
- 64-bit (x64) architecture
- 512 MB RAM minimum
- 50 MB disk space
- Network access to Domain Controller
Recommended Configuration
| Component | Minimum | Recommended |
|---|---|---|
| OS | Windows Server 2016 | Windows Server 2022 |
| RAM | 512 MB | 1 GB |
| CPU | 1 core | 2 cores |
| Disk | 50 MB | 100 MB (for logs) |
The connector is very lightweight. It can run on an existing server, virtual machine, or even a dedicated small VM.
WhatsApp Requirements
- Z-API account (z-api.io)
- WhatsApp Business number
- Ability to scan QR code to link device
About Z-API
AD Unlock uses Z-API for WhatsApp integration. You’ll need to:
- Create a Z-API account
- Register your WhatsApp Business number
- Configure webhook URL (provided during setup)
- Keep a phone connected to scan QR code
Z-API requires a phone with WhatsApp to remain connected. For production, consider a dedicated phone or WhatsApp Business API (enterprise).
Admin Requirements
Admin Portal Access
- Azure AD or Google account for portal login
- Email access for receiving setup confirmations
Summary Checklist
Before proceeding to setup, confirm:
- Domain Controller with LDAPS enabled
- Ability to create service account with delegated permissions
- Server available for connector (Windows, can reach DC)
- Outbound HTTPS allowed to api.adunlock.me
- Z-API account ready or can create one
- Azure AD or Google account for admin portal
Ready to Start?
Once you’ve confirmed all requirements:
Need Help?
If you’re missing any requirements:
| Missing | Solution |
|---|---|
| LDAPS not enabled | See LDAPS Configuration |
| Can’t create service account | Contact your AD administrator |
| SSL inspection enabled | Request exception for api.adunlock.me |
| No Z-API account | Create one at z-api.io |