When Identity Synchronization for Windows creates entries in Active Directory without a password, it sets the user’s password to a randomly chosen, strong password that meets Active Directory password policies. In this case, a warning message is logged, and the user will not be able to log in to Active Directory until you reset the password.
The following tables show some scenarios that you might encounter as you work with Identity Synchronization for Windows.
This section describes how password policies affect synchronization and resynchronization.
These tables do not attempt to describe all possible configuration scenarios because system configurations differ. Use this information as a guideline to help ensure that passwords will remain synchronized.
Table 2–3 How Password Policies Affect Synchronization Behavior

The first three columns describe the scenario (where the user was originally created, and whether the user meets the password policy in Directory Server and in Active Directory); the remaining columns describe the results (where the user is created, plus comments).

User Originally Created In | Meets Password Policy in Directory Server | Meets Password Policy in Active Directory | User Created in Directory Server | User Created in Active Directory | Comments
---|---|---|---|---|---
Active Directory | Yes | Yes | Yes | Yes |
Active Directory | Yes | No | Yes (see Comments) | No | User will be created in Directory Server. However, if deletions are synchronized from Active Directory to Directory Server, this user will be deleted immediately. See Active Directory Password Policies information.
Active Directory | No | Yes | Yes | Yes | See Active Directory Password Policies information.
Active Directory | No | No | Yes (see Comments) | No | User will be created in Directory Server. However, if deletions are synchronized from Active Directory to Directory Server, this user will be deleted immediately. See Active Directory Password Policies information.
Directory Server | Yes | Yes | Yes | Yes |
Directory Server | Yes | No | Yes | No |
Directory Server | No | Yes | No | No |
Directory Server | No | No | No | No |
Table 2–4 How Password Policies Affect Resynchronization Behavior

The first three columns describe the scenario (the resync command used, and whether the user meets the password policy in Directory Server and in Active Directory); the last column describes the result.

Resync Command | Meets Password Policy in Directory Server | Meets Password Policy in Active Directory | Result
---|---|---|---
`resync -c -o Sun` | N/A | Yes | User will be created in Active Directory but will not be able to log in.
`resync -c -o Sun` | N/A | No | User will be created in Active Directory but will not be able to log in.
`resync -c -i NEW_USERS \| NEW_LINKED_USERS` | Yes | N/A | User will be created in Directory Server, and the user's password will be set when the user first logs in.
`resync -c -i NEW_USERS \| NEW_LINKED_USERS` | No | N/A | User will be created in Directory Server but cannot log in because the password violates the Directory Server password policy.
`resync -c` | Yes | N/A | User will be created in Directory Server but cannot log in until a new password value is set in Active Directory or Directory Server.
`resync -c` | No | N/A | User will be created in Directory Server but cannot log in until a new password value is set in Active Directory or Directory Server.