Notification

Planning your return to office strategy? See how ChromeOS can help.

How does Change Password Notifier for Active Directory work?

After CPN for AD is installed and configured, it invalidates a users’ password token each time an Active Directory user changes their password.

  1. When a user's password is changed, the update request is sent to a domain controller (DC).
  2. The CPN for AD Dynamic Link Library (DLL) is called by Microsoft Windows on that DC with the username.
  3. The service receives the username from the DLL.
  4. The service attaches the domain name from the config file (ChangedPasswordNotifier.config, parameter domain) to the username to get the email address for the user.
  5. The service updates your Google Account using the Device Token API. You must allowlist the API and open the HTTPS port 443. For Google Workspace APIs to work correctly, you must open several ports and add some host names to your allowlist.
    Purpose URL

    Authentication

    For more details, see Using OAuth 2.0 for Web Server Applications.

    https://accounts.google.com/o/oauth2

    https://www.googleapis.com/oauth2

    https://oauth2.googleapis.com/token

    Main API entry point

    https://*.googleapis.com

    (where * is any string not containing a period)

  6. The user is then asked to sign in online, or unlock their device depending on the SAML single sign-on policy setup, to update their local ChromeOS password. For more details, see step 4 in Configure SAML single sign-on for ChromeOS devices.

Technical details

  • CPN for AD has a DLL, changed_password_notifier_dll.dll, installed as an LSA Notification Package. For more information on LSA Notification Packages, see Installing and Registering a Password Filter DLL.
  • When a password is changed on a specific DC, the DLL receives the username of the user. CPN for AD must be installed on every writable DC because Windows on the DC that receives the password change triggers the password sync. The trigger happens on every password update, whether an admin or the end user does it. For more information about the PasswordChangeNotify callback function, see PSAM_PASSWORD_NOTIFICATION_ROUTINE callback function.
  • When the DLL receives the username, it sends it to the CPN for AD service.
  • The CPN for AD service, ChangedPasswordNotifier.exe, attaches the domain name from the config file, ChangedPasswordNotifier.config, parameter domain, to the username to derive the email address for the user.
  • The CPN for AD service notifies the Google Account using the Device Token API. Depending on the SAML single sign-on policy setup, users are required to sign in online the next time they are on the sign in or lock screen of their ChromeOS devices. For more details, see step 4 in Configure SAML single sign-on for ChromeOS devices.
  • The CPN for AD service follows Microsoft's password filter programming considerations. For details, see Password Filter Programming Considerations.
 
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
18092209523887533028
true
Search Help Center
true
true
true