Active Directory Authentication Options

There are a total of 15 different types of Authentication Options in Passwordstate, of which 8 are integrated with Active Directory. The options are:
  • Single Sign-On
  • Manual AD Authentication
  • Manual AD and Google Authenticator
  • Manual AD and RSA SecurID Authentication
  • Manual AD and ScramblePad Authentication
  • Manual AD and Email Temporary Pin Code
  • Manual AD and AuthAnvil Authentication
  • Manual AD and Duo Push Authentication
  • Manual AD and SafeNet Authentication
  • Manual AD and One-Time Password

The Single Sign-On (Passthrough) authentication option is the default authentication type, and it allows you to authenticate to Passwordstate without having to manually enter your domain credentials.

The other 9 'Manual AD' authentication options will present you with a login dialog window where you must manually enter your domain credentials.


LDAP and LDAPS Support

Both LDAP and LDAP over SSL (LDAPS) are supported for Active Directory communication, and can be configured per domain within Passwordstate.

Passwordstate also supports non-trusted domains and, if you wish, can be installed on a server which is in a Workgroup rather than on a domain member.


Permissions and Role Based Access

Access to all Passwords in Passwordstate is permission-based, using either Read, Modify or Admin rights. When integrated with Active Directory, you can apply permissions using Active Directory Security groups, as opposed to just the user's Active Directory domain account.

The majority of the menus and features in Passwordstate are also role-based, and again Active Directory Security groups can be used.

Because Security Groups can be used to apply permissions everywhere, it's quite simple to establish your own Role-based Access Controls: import Security Groups of a certain type/role (e.g. Sys Admins, Database Admins, etc.), and when new users are added to those security groups, permissions are automatically granted to them.


User Account Status Synchronization

In addition to synchronizing members of security groups, the status of a user's account in Active Directory can also be synchronized. If their account in AD is disabled, it will automatically be disabled in Passwordstate, preventing any further access to passwords.

If their account is deleted in AD, there are multiple options as to what you would like to do with their account in Passwordstate i.e. either delete, disable or do nothing with their account.

Both the synchronization of User Account status and security group memberships can be done on a schedule, ranging from every 5 minutes up to once a day.


Resetting Passwords in Active Directory

It's also possible to store Active Directory accounts in Passwordstate, and then reset the password in Active Directory when required - either manually when needed, or on a schedule you choose.

If the AD account being reset is used for other Resources on your network (Windows Services, Scheduled Tasks, IIS Application Pools and COM+ Components), then these Resources can also have their passwords changed.


Unlock, Disable and Enable AD Accounts

There is also a feature called 'Active Directory Actions'. This feature is of great use to Help Desk staff, as they can reset users' accounts on the domain, and then select one of the following actions to process for the AD account:

  • Unlock this account if locked
  • User must change password at next logon
  • Disable this account
  • Enable this account