Initial Password Sync

    Question

  • Hi, I am consolidating several domains into a single domain (all AD), and all this is absolutely fine. I am using classic provisioning and am setting the unicodePwd to an initial value. The problem is that when users in their source domain try to log in to the consolidated domain their passwords will not match. We're deploying PCNS and can change the accounts to force the users to change their password at next login to force the update, but is there a way during provisioning to have the initial password in the consolidated AD set to their current password in the source AD? I'm guessing not... Thanks, Martin
    Wednesday, January 30, 2013 3:23 AM

Answers

  • Hi,

    PCNS is the Password Change Notification Service...so it only triggers when a password is actually Changed.

    You can, however, set all passwords to a default value, that needs to be changed on first logon, which will trigger the change notification.

    Regards.

    • Marked as answer by CompetitiveDad Friday, February 01, 2013 1:28 AM
    Wednesday, January 30, 2013 7:33 AM

All replies

  • Martin,

    The FIM sync engine (so MIIS/ILM also) cannot read an existing password from AD (as it's stored encrypted in AD).
    This means that, as Stuart mentions, you can SET a password, sync a password change or reset a password with FIM, but retrieving an existing password from AD is not an option.

    There are some 3rd party tools that can sync existing passwords (in a secure way), but that will not allow you to get the password and set it as the initial password in FIM.

    Kind regards,
    Peter 


    Peter Geelen (Microsoft Belgium) - Premier Field Engineer Security & Identity

    If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post.
    By marking a post as Answered or Helpful, you help others find the answer faster.

    Wednesday, January 30, 2013 12:02 PM
    Moderator
  • Thanks guys, figured that was the case, but I was asked, so I asked!
    Friday, February 01, 2013 1:28 AM
  • Passwords cannot be read from AD. Your only option is to force a password change/reset in the source so that any new value is stored in the source and synced through PCNS to the target.

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Thursday, February 07, 2013 3:23 PM
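Putting the accepted answer and Jorge's reply into an administration script, as an added example that is not from the thread, from FIM or from PCNS: each migrated account gets a unique random initial password in the consolidated domain (rather than one shared default) and is flagged in the source domain to change its password at next logon, so the value the user chooses there is what PCNS captures and FIM writes to the target. The domain controller names and the account list are assumptions.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT), rights to
# reset passwords in the consolidated domain and to modify users in the source domain.
Import-Module ActiveDirectory

$SourceDc = 'dc01.source.example'        # assumption: a DC in the source domain
$TargetDc = 'dc01.consolidated.example'  # assumption: a DC in the consolidated domain
$Accounts = @('mjones', 'ssmith')        # constructed sample of migrated sAMAccountNames

# Unique, unguessable initial value per account. One shared default would leave every
# migrated account usable with a single known password until its owner first logs on.
function New-InitialPassword {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)   # 32 chars: mixed case, digits, symbols
}

foreach ($sam in $Accounts) {
    # 1. Consolidated domain: set the initial unicodePwd to a random value. Nobody needs
    #    to know it; it is replaced as soon as PCNS delivers the user's real password.
    $initial = ConvertTo-SecureString (New-InitialPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $sam -Server $TargetDc -Reset -NewPassword $initial

    # 2. Source domain: require a change at next logon (pwdLastSet = 0). That change is
    #    the event PCNS sees and forwards to FIM, which then syncs it to the target.
    Set-ADUser -Identity $sam -Server $SourceDc -ChangePasswordAtLogon $true

    Write-Output "${sam}: target initial password reset, source flagged for change at next logon"
}
```

Until a user has logged on to the source domain and changed their password, their consolidated-domain account still holds the random initial value, so audit PCNS/FIM password-sync logs for accounts that never complete the change.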