In certain circumstances, such as resynchronization, Identity Synchronization for Windows must create accounts without passwords.
Directory Server
WhenIdentity Synchronization for Windows creates entries in the Directory Server, without a password, it sets the userpassword attribute to {PSWSYNC}*INVALID*PASSWORD*. The user will not be able to log into Directory Server until you reset the password. One exception to this is when you run resync with the -i NEW_USERS or NEW_LINKED_USERS option. In this case, resync will invalidate the new user’s password triggering on-demand password synchronization the next time the user logs in.
Active Directory
When Identity Synchronization for Windows creates entries in the Active Directory, without a password, it sets the user’s password to a randomly chosen, strong password that meets Active Directory password policy requirements. In this case, a warning message is logged and the user will not be able to log into Active Directory until you reset the password.
The following tables describe some different scenarios you might encounter as you work with Identity Synchronization for Windows:
This section describes how password policies affect synchronization and resynchronization.
Use this information as a guideline to help ensure that passwords will remain synchronized. (These tables do not attempt to describe all possible configuration scenarios because system configurations differ.)
Table 4–3 How Password Policies Affect Synchronization Behavior
Scenario |
Results |
||||
---|---|---|---|---|---|
User Originally Created In |
User Meets Password Policy In |
User Created In |
|||
Directory Server |
Active Directory |
Directory Server |
Active Directory |
Comments |
|
Active Directory |
Yes |
Yes |
Yes |
Yes | |
Yes |
No |
Yes (see Comments) |
No |
Users will be created in Directory Server. However, if deletes are synchronized from Active Directory to Directory Server then this user will be deleted immediately. See Active Directory Password Policies information. |
|
No |
Yes |
Yes |
Yes |
See Important Notes for more information. |
|
No |
No |
Yes (see Comments) |
No |
Users are created in Directory Server. However, if deletes are synchronized from Active Directory to Directory Server then this user will be deleted immediately. See Active Directory Password Policies information. |
|
Directory Server |
Yes |
Yes |
Yes |
Yes | |
Yes |
No |
Yes |
No | ||
No |
Yes |
No |
No | ||
No |
No |
No |
No |
Table 4–4 How Password Policies Affect Resynchronization Behavior
Scenario |
Result |
||
---|---|---|---|
Resync Command |
User Meets Password Policy In |
||
Directory Server |
Active Directory |
||
resync -c -o Sun |
N/A |
Yes |
User will be created in Active Directory but will not be able to log in. |
N/A |
No |
User will be created in Active Directory but will not be able to log in. |
|
resync -c -i NEW_USERS | NEW_LINKED_USERS |
Yes |
N/A |
User will be created in Directory Server and their password will be set when the user first logs in. |
No |
N/A |
User will be created in Directory Server but they cannot log in because their password violates the Directory Server password policy. See Important Notes and Creating Accounts Without Passwords more information. |
|
resync -c |
Yes |
N/A |
User will be created in Directory Server but they cannot log on until a new password value is set in Active Directory or Directory Server. |
No |
N/A |
User will be created in Directory Server but they cannot log on until a new password value is set in Active Directory or Directory Server. |