AD to SunOne Password Synchronization (real-time PasswordLastSet sync as well?)

  • Question

  • Hello, 

    I currently have password synchronization working between an AD Forest and a SunOne Directory server. I'd also like to sync the AD "PasswordLastSet" attribute and the SunOne "pdsAccountCredentialChanged" in real-time at the user password reset in AD. I currently have this working via a PS script that gathers all the users who changed their password in the last day and then updates their SunOne "pdsAccountCredentialChanged". I'd like to integrate this script into the PCNS workflow.

    If integrating into the PCNS workflow is an option, I wouldn't even know where to begin identifying the user who's currently changing their password. The only thing I can think of is to increase FIM logging and watch the events and parse out some type of UID. 

    Thanks for the help, 

    Joey


    Thursday, June 21, 2012 9:29 PM

Answers

All replies

  • Joey-

    Unless the Sun MA lets you specify a password extension (I don't think so), you're not going to be able to do this inline. You'd need to write a barebones LDAP XMA that can join each user in Sun to the metaverse and then write a password extension where in addition to setting the password you could do the other attribute updates.

    Perhaps an event triggered off of the events that PCNS logs would be an option? I don't recall what's in there. If you can post a couple sample events I can tell you how to correlate the data.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Thursday, June 21, 2012 10:53 PM
    Moderator
  • Hi Brian, 

    Below I've attached the four events that show up when a password is reset. I'm comfortable scripting event parsing and pulling out the needed data, but what I'm not comfortable with is a reliable way to 1) parse the events so as not to pull in data that I've already parsed and 2) pull in events at an interval so that I don't miss events due to event rolling. In other words, I don't know how to script an event poller. Thanks for the help!

    Friday, June 22, 2012 12:26 AM
  • Joey-

    If you go in the event viewer and right click an event (I'd do 6903 here), you can pick "Attach a Task to this Event". Now each time an event 6902 fires, you'll be able to run a script. I don't know if there's a way to pass arguments from the event in to the task.

    You can use this WMI class (http://msdn.microsoft.com/en-us/library/windows/desktop/ms697741.aspx) and pass the Source Object GUID in for filtering. That way you can figure out who it is from the AD CSEntry and send what you need to Sun.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by Joey Piccola Friday, June 22, 2012 9:54 PM
    Friday, June 22, 2012 5:06 PM
    Moderator
  • Brian, 

    Wow, that's a great idea / feature. I don't know how I've managed to overlook that for this long. And yes, it would be great if there was a way to pass arguments from the event to the task. I've spent the last hour trying to make that work, still no luck. I'm going to keep trying; it would be the easiest way if I could get it to work. 

    You mentioned the WMI class MIIS_CSObject, or so I think. The link you pasted didn't work so I googled "ms697741.aspx". First problem, when I attempt a query I get "Get-WmiObject : Provider is not capable of the attempted operation". Second problem, I'm not sure where to begin though - what exactly were you suggesting by querying the MIIS_CSObject class?

    Thanks, Joey

    Friday, June 22, 2012 8:53 PM
  • The Source Object GUID in the event maps to the MIIS_CSObject Guid property, so, you can look that up to find out who the actual user is to backtrack to Sun.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, June 22, 2012 9:01 PM
    Moderator
  • With the help of this article, http://blogs.technet.com/b/otto/archive/2007/11/09/find-the-event-that-triggered-your-task.aspx, exporting my Event Scheduled Task, adding the lines below to the exported xml file, re-importing the xml with the added lines, and then adjusting my Run Program Arguments to be "-WindowStyle Hidden & "C:\scritps\SendInfo2SunOne.ps1 $(eventRecordID)"", I'm able to get the RecordID of the Event that triggered the script via $args. I plan on having the script "SendInfo2SunOne.ps1" query for that event RecordID, parse out a UID, and then run my LDAP calls to Sun. I'll post all that when it's built.

    <ValueQueries>
     <Value name="eventRecordID">Event/System/EventRecordID</Value>
    </ValueQueries>

    Brian, thanks again for the help!



    Friday, June 22, 2012 9:54 PM
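The trigger-to-Sun path the thread sketches (the task fires with $(eventRecordID), the script reads exactly that event, resolves the Source Object GUID through MIIS_CSObject, then updates Sun), written out as an added PowerShell example; it is not Joey's SendInfo2SunOne.ps1 or any Microsoft code. The "Source Object GUID:" message text, the MIIS_CSObject property and filter names (Guid, MvGuid, MaName, DN), the MA display name, the Sun host and bind DN, and the generalized-time format of pdsAccountCredentialChanged are all assumptions.

```powershell
# SendInfo2SunOne.ps1 (added example). Invoked by the scheduled task as:
#   -WindowStyle Hidden -File C:\scripts\SendInfo2SunOne.ps1 $(eventRecordID)
param(
    [Parameter(Mandatory = $true)][long]$EventRecordID,          # from the task's ValueQueries
    [string]$SunHost     = 'sunone.example.com:389',             # placeholder
    [string]$SunMaName   = 'SunOne MA',                          # assumed MA display name
    [string]$SunCredFile = 'C:\scripts\sun.cred.xml'             # Get-Credential | Export-Clixml, DPAPI-bound to the task account
)
$ErrorActionPreference = 'Stop'

# 1. Read only the event that fired the task, by record ID: no polling and no
#    risk of re-parsing events already handled or missing rolled-over ones.
$evt = Get-WinEvent -LogName Application -FilterXPath "*[System[EventRecordID=$EventRecordID]]"
if (-not $evt) { throw "Event record $EventRecordID not found" }

# 2. Pull the Source Object GUID out of the message body (label text is assumed).
if ($evt.Message -notmatch 'Source Object GUID:\s*\{?([0-9a-fA-F-]{36})\}?') {
    throw "Event $EventRecordID carries no Source Object GUID; nothing to sync"
}
$csGuid = '{' + $Matches[1] + '}'

# 3. AD connector-space object -> metaverse object -> Sun connector-space object.
#    MIIS_CSObject cannot be enumerated (that is the "Provider is not capable"
#    error); it has to be queried with a filter such as Guid or MvGuid.
$ns    = 'root\MicrosoftIdentityIntegrationServer'
$adCs  = Get-WmiObject -Namespace $ns -Query "SELECT * FROM MIIS_CSObject WHERE Guid = '$csGuid'"
$sunCs = Get-WmiObject -Namespace $ns -Query ("SELECT * FROM MIIS_CSObject WHERE MvGuid = '{0}' AND MaName = '{1}'" -f $adCs.MvGuid, $SunMaName)
if (-not $sunCs) { throw "AD object $($adCs.DN) is not joined to a $SunMaName connector" }

# 4. Replace pdsAccountCredentialChanged on the Sun entry over LDAP, stamping the
#    event time as generalized time. Credentials come from a DPAPI-protected file,
#    not the command line, so they never show in the task definition or event log.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Import-Clixml -Path $SunCredFile
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $SunHost
$conn.SessionOptions.SecureSocketLayer = $true      # simple bind only over TLS
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Bind($cred.GetNetworkCredential())

$mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$mod.Name      = 'pdsAccountCredentialChanged'
$mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$mod.Add($evt.TimeCreated.ToUniversalTime().ToString('yyyyMMddHHmmss') + 'Z')

$req = New-Object System.DirectoryServices.Protocols.ModifyRequest
$req.DistinguishedName = $sunCs.DN
[void]$req.Modifications.Add($mod)
[void]$conn.SendRequest($req)                       # throws DirectoryOperationException on failure
```

Because the task account alone can decrypt the credential file, run the task as a dedicated service account that is also the only identity allowed to read the script directory.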
  • Joey,
    I need to do the same thing.  How is it working out?
    Thursday, October 18, 2012 10:45 PM
  • @yekolo1

    This was for a POC that hasn't been implemented yet. I got as far as testing the triggering of the script via the event. That worked :).

    Wednesday, October 24, 2012 6:44 PM