Exclude new AD accounts from activating PCNS RRS feed

  • Question

  • We are using FIM 2010 R2 to provision accounts to two different Active Directory domains.  We use codeless provisioning.

    Users may start with an account in domain A or B only, and later on they get an account in the other AD domain.

    So if a user is created in domain A first and later on they are provisioned to B, PCNS is picking up the initial password for the newly created domain B account and then users are getting their existing passwords overwritten if they have other accounts linked in FIM.

    Besides adding sync rules to add a new account to a group recognized by PCNS for exclusion, is there another solution to prevent newly created AD accounts from triggering password changes?


    • Edited by Connor_ Thursday, September 4, 2014 5:23 PM
    Thursday, September 4, 2014 5:22 PM

All replies

  • You have only one-way password sync in PCNS, right?

    So the best option is to add a user to the excluded group if he has only one account and move him to the PCNS-included group once his SID and lastLogon attributes return from the second AD.

    I know that you would have to add some logic here, but it would be the simplest in a codeless environment.

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Thursday, September 4, 2014 6:21 PM
  • Thanks, Dominik. PCNS is running for both domains and both ADMAs have password management, so a password change on either domain affects the other.

    I don't know if an exclusion group would work. Would the AD account have to finish creating before adding it to the group? If so, by then PCNS would have gotten the password.

    An inclusion group seemed like a lot of work for one need, though I think it would have succeeded.

    I did not test it, but I wonder if you could also have an "Initial Flow Only" to a domain without PCNS and then another flow to put it in the domain that you want so that the password is set in a non-PCNS environment.

    I think we'll use an IIF in the flow for unicodePwd so that if IsPresent(objectSid), return Null(). PCNS won't forward a bad password. PCNS does forward passwords for AD accounts created as disabled if they have a good password.

    • Edited by Connor_ Wednesday, September 10, 2014 12:19 AM
    Wednesday, September 10, 2014 12:19 AM