Sign in
Get Help

Active Directory Password Rotation

Rotate Active Directory on-premises passwords with a single click to reduce manual administration.  Passwords changed in Network Glue will automatically update in Active Directory, which helps eliminate human errors. With this feature you can also bulk rotate multiple passwords at the same time.

Other Benefits include:

  • Discover new Active Directory passwords that are not yet recorded in IT Glue and easily update them to minimize security vulnerabilities.
  • View password details such as last rotated, status, updated date, and the network and organization it belongs to.


  • An active Network Glue setup.
    Active Directory settings should be filled. For more information, see Setting up Network Glue for an IT Glue organization.
  • Active Directory users sync needs to be enabled.
  • Administrator access to IT Glue. This feature is not available for users with IT Glue Custom Role that has access to Network Glue administration.
    Warning: The AD password must be updated to ensure sync can continue with Network Glue.
    Admin passwords that are used to set up the Active Directory connection with Network Glue, can be rotated. To rotate this password, users need to match network to a corresponding password in the Network Settings/account/networks. Until the user matches the corresponding admin password in the settings, they will get the "Not Permitted" status when trying to rotate it.


    1. Log in to your IT Glue account and navigate to Account > Password Rotation and enable the option Enable for Active Directory On-Premises.
    2. In the Global Settings section, configure the following:
      • The minimum character length of a password.
      • The character requirements for a password.
        • At least one uppercase character
        • At least one lowercase character
        • At least one number
        • At least one non-alphanumeric character
          Warning: Set a password policy that is equivalent to or exceeds the most restrictive policy setting for all your Active Directory environments connected to Network Glue.
          Note: Enable the option Enable Scheduled Rotation to select the frequency at which to rotate your matched password. For more information, see Scheduling Password Rotation.
    3. Click Match Passwords to filter and approve the password matches.
      • Matching passwords on this tab will not change password in Active Directory.
      • Matching is required to ensure that the password rotation is correctly applied between your users in Active Directory and IT Glue.
      • After the rotation is performed, the newly created password will match between IT Glue and Active Directory.
      • If you change passwords manually in IT Glue, the change will not return to Active Directory directly unless you click rotate and the rotation is successful.
      • Confirming matched passwords also serves as your approval for us to rotate a password
    4. IT Glue will present your password from Active Directory and suggest matches for you. Under Unmatched tab in the Match Passwords window, select the preset filter Suggested to sort the list by suggested matches.
      • Suggested matches are based on exact username.
      • A green checkmark will appear under Actions, when an individual match is found.
      • A grey checkmark will appear when no match or multiple matches are found. You must then search and select a password.
      • The X option will move the password to the Ignored tab.
    5. For bulk matching, select the checkbox for the password records you want to match and click Approve or Ignore. The approved records will be displayed in the Matched tab.
      Note: For an unwanted password match, click Ignore. These passwords will be displayed in the Ignored tab.
    6. On the Matched Page, you will see user passwords that are approved for rotation.
      If a password was approved by mistake, then select X or Ignore. The password will be moved back to the unmatched or Ignored tab.
    7. The Ignored tab will contain Passwords not approved for rotation, they won't count as unmatched items in subsequent syncs.
      To be able to rotate them again, click Match button for a single or multiple user passwords.
    8. Click Done. You can view the password-matched status on the Password Rotation page. To rotate a password, click Rotate under the Actions column.
      To rotate passwords in bulk,
      select multiple password checkboxes and click Rotate.
      You can also view the auto-rotation status by navigating to the organization to which the password belongs. To rotate a password from the Passwords page, click on the Rotate button.


Note:When a password is rotated by a user, the Password Revisions on the right sidebar will display a new version. By restoring to a previous version, the change will not be automatically updated in the Active Directory.

Important: Currently, users will not be able to rotate passwords used in Network Glue > Active Directory. When trying to rotate this password, a user will see Not Permitted - Admin error.

Statuses and Error Messages

The following is the description possible statuses displayed after initiating a password rotation:

  • Ready to rotate – Password has matched but were not rotated by the user.
  • In Progress – Rotation has been initiated and is awaiting a response.
  • Not Permitted – User tried to rotate a vaulted password.
  • Not Permitted - Admin – User tried to rotate a password that is used to set up the Active Directory connection with Network Glue.
  • Pending – Rotation is currently processing.
  • Successful – Password rotation is successfully executed.
  • Failed — Password rotation execution has failed. Please contact IT Glue Support.
  • Connection Error – Network Glue was able to establish a connection with AD after 10 minutes. User should try again.
  • API Error – Error message from the MS API.

The following are the possible reasons for an error in password rotation:

  • Failed to find user
  • OnPremisePasswordValidationTimeSkew (Occurs due to time skew between the machine running the authentication agent and Active Directory. Fix the time sync issues).
  • BadResourceRequest (Log in the Azure portal, and check App registrations > Endpoints to confirm that the two endpoints were configured correctly).
  • An unexpected error has occurred during a password set operation.

Note: If a user set up a minimum password age in the Active Directory, and rotates the password in IT Glue, the next successful attempt to rotate this same password will accrue only after the completion of the period that is set up as the minimum password age.

Activity Logs 

When selecting Category dropdown > select new “Passwords Rotation” entity, the results will filter and include results for “AD Password Rotated” and “AD Password Matched”.

“Passwords Rotation” entity includes the following Actions:

  • “AD Password Rotated”
  • “AD Password Matched”
  • “AD User Ignored”

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section