How does Change Password Notifier for Active Directory work?

After CPN for AD is installed and configured, it invalidates a users’ password token each time an Active Directory user changes their password.

1. When a user's password is changed, the update request is sent to a domain controller (DC).
2. The CPN for AD Dynamic Link Library (DLL) is called by Microsoft Windows on that DC with the username.
3. The service receives the username from the DLL.
4. The service attaches the domain name from the config file (ChangedPasswordNotifier.config, parameter domain) to the username to get the email address for the user.
5. The service updates your Google Account using the Device Token API. You must allowlist the API and open the HTTPS port 443. For Google Workspace APIs to work correctly, you must open several ports and add some host names to your allowlist.

   Purpose	URL
   Authentication For more details, see Using OAuth 2.0 for Web Server Applications.	https://accounts.google.com/o/oauth2 https://www.googleapis.com/oauth2 https://oauth2.googleapis.com/token
   Main API entry point	https://*.googleapis.com (where * is any string not containing a period)

6. The user is then asked to sign in online, or unlock their device depending on the SAML single sign-on policy setup, to update their local ChromeOS password. For more details, see step 4 in Configure SAML single sign-on for ChromeOS devices.

Technical details

• CPN for AD has a DLL, changed_password_notifier_dll.dll, installed as an LSA Notification Package. For more information on LSA Notification Packages, see Installing and Registering a Password Filter DLL.
• When a password is changed on a specific DC, the DLL receives the username of the user. CPN for AD must be installed on every writable DC because Windows on the DC that receives the password change triggers the password sync. The trigger happens on every password update, whether an admin or the end user does it. For more information about the PasswordChangeNotify callback function, see PSAM_PASSWORD_NOTIFICATION_ROUTINE callback function.
• When the DLL receives the username, it sends it to the CPN for AD service.
• The CPN for AD service, ChangedPasswordNotifier.exe, attaches the domain name from the config file, ChangedPasswordNotifier.config, parameter domain, to the username to derive the email address for the user.
• The CPN for AD service notifies the Google Account using the Device Token API. Depending on the SAML single sign-on policy setup, users are required to sign in online the next time they are on the sign in or lock screen of their ChromeOS devices. For more details, see step 4 in Configure SAML single sign-on for ChromeOS devices.
• The CPN for AD service follows Microsoft's password filter programming considerations. For details, see Password Filter Programming Considerations.