Wednesday, January 02, 2013 7:47 AM
When I try to run export in AD MA for provisioning some users I get this error “password-policy-violation”.
Even with that error the users are getting created, but the mailbox is not!
I disabled the password complexity policy and the minimum number of password digits is 1 but still the same!
Any idea why this error is showing up !?
Wednesday, January 02, 2013 3:35 PM
Are your users being created as enabled or disabled users? Are you using synchronization rules or provisioning code? Are you sure you are setting a password value to something other than null?
Other possible causes: infrastructure problem with Kerberos which prevents password from being set
Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl
Thursday, January 03, 2013 1:06 AM
In addition to what Tomasz asked, how are you setting the password? (If it's a sync rule it should have "Initial Flow Only" selected.)
Also, are you able to manually create the user in AD with the expected password?
Hope that helps,
Thursday, January 03, 2013 8:21 AM
To investigate further, create a run profile to create a dump file for the changes in the AD and see what FIM wants to do with the password.
Thursday, January 03, 2013 9:12 AM
Is the password violation error message occurring during every export?
Are you exporting the password or only setting it during provisioning code?
When the object is created/provisioned the password is normally not changed anymore; did you already delete the account and try again? Are you sure the password policy applies to the correct domain/OU?
If you are trying to set the account to enabled but the password is not set, you will also get an error of this sort.
Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!
Monday, January 07, 2013 4:01 PM
It's likely the password is not being set at all, rather than the complexity. You will need to verify whether the correct ports are open for a password set (UDP 464 - Kerberos Change Password, see Management Agent Communication Ports, Rights, and Permissions). You should also verify the Active Directory MA service account has the permission to set and change passwords in AD.
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
- Marked As Answer by Markus Vilcinskas (Microsoft Employee, Owner), Monday, January 21, 2013 3:28 PM
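The three checks in the accepted answer (is port 464 reachable on the domain controllers, which password policy actually applies to the target user, and can the AD MA service account reset a password at all) can be run outside FIM. The following is an added diagnostic script, not code from the thread; the domain name, test user and the credential prompt are placeholders, and it assumes the ActiveDirectory module on a domain-joined host.

```powershell
# Added diagnostic script (not from the thread). $Domain and $TestUser are
# placeholders; $MaCredential should be the account the AD MA runs exports as.
param(
    [string]$Domain   = 'corp.example.com',   # placeholder
    [string]$TestUser = 'fimtest01',          # placeholder, must already exist
    [pscredential]$MaCredential = (Get-Credential -Message 'AD MA service account')
)
Import-Module ActiveDirectory

# 1. Password sets go over kpasswd (port 464) to a domain controller.
#    Test-NetConnection probes TCP only: a failure here points to a firewall,
#    but UDP 464 still has to be confirmed in the firewall rules themselves.
$dcs = Get-ADDomainController -Filter * -Server $Domain
foreach ($dc in $dcs) {
    $r = Test-NetConnection -ComputerName $dc.HostName -Port 464 -WarningAction SilentlyContinue
    '{0}: TCP 464 reachable = {1}' -f $dc.HostName, $r.TcpTestSucceeded
}

# 2. Which policy really applies to the user being provisioned? A fine-grained
#    password policy on the user or one of its groups overrides the domain
#    default that was relaxed in the original question.
$fgpp   = Get-ADUserResultantPasswordPolicy -Identity $TestUser -Server $Domain
$policy = if ($fgpp) { $fgpp } else { Get-ADDefaultDomainPasswordPolicy -Server $Domain }
'Effective policy: {0} (MinLength={1}, Complexity={2}, History={3})' -f `
    $policy.DistinguishedName, $policy.MinPasswordLength,
    $policy.ComplexityEnabled, $policy.PasswordHistoryCount

# 3. Can the MA service account reset a password by itself? A permission or
#    Kerberos failure here reproduces the export error without the FIM layer.
$newPwd = Read-Host -AsSecureString -Prompt 'Test password to set on the test user'
try {
    Set-ADAccountPassword -Identity $TestUser -NewPassword $newPwd -Reset `
        -Credential $MaCredential -Server $Domain -ErrorAction Stop
    'Password reset by MA account: OK'
} catch {
    'Password reset by MA account FAILED: {0}' -f $_.Exception.Message
}
```

If step 3 succeeds while the export still fails, the remaining suspect is the FIM side passing a null or empty password, which the run-profile dump suggested earlier in the thread will show.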