Configure AD Settings
⏱️ 5 minutes
Configure the connection between AD Unlock and your Active Directory.
Steps
1. Navigate to Settings
- Log in to admin.adunlock.me
- Go to Settings → Active Directory
2. Configure Connection
Fill in the following fields:
| Field | Value | Example |
|---|---|---|
| AD Server | Domain Controller FQDN | dc01.company.local |
| Port | LDAPS port | 636 |
| TLS Mode | Connection security | LDAPS |
| Base DN | Root of AD search | DC=company,DC=local |
3. Configure Service Account
| Field | Value | Example |
|---|---|---|
| Service Account | UPN or DOMAIN\user | svc_adunlock@company.local |
| Password | Service account password | ••••••• |
The password is encrypted and stored securely. It’s never logged or exposed.
4. Configure Allowed OUs
Specify which OUs contain users who can use self-service:
OU=Staff,OU=Users,DC=company,DC=local
OU=Remote,OU=Users,DC=company,DC=local
OU=Contractors,DC=company,DC=local

Only users in these OUs will be able to use AD Unlock. Use this to limit scope.
5. Configure Denied Groups
Important: Block privileged accounts from self-service:
Domain Admins
Enterprise Admins
Schema Admins
Account Operators
Server Operators
Backup Operators

Security requirement: Always deny Domain Admins and Enterprise Admins. Privileged accounts should not use self-service password reset.
6. Test Connection
Click Test Connection to verify settings.
✅ Expected Result
✅ Connection successful
✅ Bind successful (as svc_adunlock)
✅ Search successful (found 150 users in base DN)
✅ Service account has required permissions

🔧 If Something Goes Wrong
| Symptom | Cause | Solution |
|---|---|---|
| Connection timeout | DC not reachable | Check firewall, verify DC hostname |
| Bind failed | Wrong credentials | Verify service account UPN and password |
| 0 users found | Wrong Base DN | Verify Base DN matches your AD structure |
| Missing permissions | Delegation not complete | Re-run permissions script |
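The Allowed OUs and Denied Groups settings above amount to a two-part eligibility rule: the user must sit inside one of the allowed OUs, and must not be a member of any denied group. The following added example (not AD Unlock's own code) applies that rule to the distinguishedName and memberOf values an LDAP search returns for a user; all DNs in it are constructed, and it assumes sub-OUs beneath an allowed OU are in scope.

```python
# Added example (not AD Unlock's own code): the eligibility decision implied by
# the Allowed OUs and Denied Groups settings. All DNs are constructed samples.
ALLOWED_OUS = [
    "OU=Staff,OU=Users,DC=company,DC=local",
    "OU=Remote,OU=Users,DC=company,DC=local",
]
DENIED_GROUPS = ["Domain Admins", "Enterprise Admins", "Schema Admins",
                 "Account Operators", "Server Operators", "Backup Operators"]

def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas; an escaped '\\,' inside a CN is kept."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped char: copy both chars
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def in_allowed_ou(user_dn: str) -> bool:
    """True if the user sits in an allowed OU or a sub-OU beneath one (assumption:
    sub-OUs are in scope, as with a subtree search). Comparison is case-insensitive."""
    rdns = [r.lower() for r in split_rdns(user_dn)]
    container = ",".join(rdns[1:])  # drop the user's own CN=... RDN
    for ou in ALLOWED_OUS:
        allowed = ",".join(r.lower() for r in split_rdns(ou))
        if container == allowed or container.endswith("," + allowed):
            return True
    return False

def denied_group_hits(member_of: list[str]) -> list[str]:
    """Denied group names present in memberOf. Caveat: memberOf holds direct
    membership only; nested membership needs a recursive (in-chain) query."""
    denied = {g.lower() for g in DENIED_GROUPS}
    names = [split_rdns(g)[0].split("=", 1)[-1] for g in member_of]
    return [n for n in names if n.lower() in denied]

def self_service_allowed(user_dn: str, member_of: list[str]) -> tuple[bool, str]:
    """Policy: inside an allowed OU and in none of the denied groups."""
    if not in_allowed_ou(user_dn):
        return False, "outside allowed OUs"
    hits = denied_group_hits(member_of)
    return (False, "in denied group: " + ", ".join(hits)) if hits else (True, "eligible")
```

Because memberOf only reflects direct membership, a production check should resolve nested groups on the directory side rather than trusting this attribute alone.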
Full Configuration Example
# Example AD settings
server: dc01.company.local
port: 636
tls_mode: ldaps
base_dn: DC=company,DC=local
service_account: svc_adunlock@company.local
service_password: ${AD_SERVICE_PASSWORD} # From environment
allowed_ous:
- "OU=Staff,OU=Users,DC=company,DC=local"
- "OU=Remote,OU=Users,DC=company,DC=local"
denied_groups:
- "Domain Admins"
- "Enterprise Admins"
- "Schema Admins"
- "Account Operators"

Next Step