PCNS flow question

  • Question

  • Hi,

    We have the following setup:

    PCNS is deployed in Forest B and C, which is configured to sync passwords for Staff (Staff Group in Forest C) and Students (Student Group in Forest B) to their respective accounts in Forest A. This is working fine.

    A new requirement is to have some of the Staff Forest C accounts created in Forest B. So here are some questions.

    1. Could we now set up PCNS in Forest C to also sync passwords to Forest B (for some of these new Staff accounts)?
    2. When a Forest C Staff member changes their password (in Forest C), this password will be synced to their account in Forest B and Forest A; however, since PCNS in Forest B only monitors the Student AD Group (in order to synchronize to Forest A), any password changes to Staff members (not part of the Student AD Group) will be ignored. Is this correct?
    3. What if the PCNS inclusion group was "Domain Users" in Forest B? When a Forest C Staff member changes their password (in Forest C), this password will be synced to their account in Forest B and Forest A - would PCNS in Forest B be triggered for Staff again and the password synced again to Forest A?


    Thank you,

    sk




    • Edited by Shim Kwan Thursday, April 24, 2014 3:58 AM
    Thursday, April 24, 2014 3:11 AM

Answers

  • Hi Shim,

    1. You can, but be aware of loops - if you don't create any loop, you can do this. (I was working at the University during my studies - so I would be in the Staff and Students Groups - my account could generate a loop in such a configuration.)

    2. Yes, if this account is not in the Inclusion group, the password change would be noticed but would not be processed by PCNS.

    3. Yes, it would be re-triggered.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by Shim Kwan Thursday, April 24, 2014 7:06 AM
    Thursday, April 24, 2014 6:31 AM
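
The behaviour described in the answer above can be checked on paper before changing any PCNS target. The following is an added example, not code from the thread or from PCNS: a simplified Python model in which each rule is a (source forest, inclusion group, target forest) tuple. The forest and group names come from the question; the rule lists, the account memberships and the rule back into Forest C are constructed assumptions.

```python
from collections import deque

# Constructed rules modelled on the thread: PCNS in `src` forwards password
# changes for members of `group` (its inclusion group) to the account in `dst`.
CURRENT = [("C", "Staff", "A"), ("B", "Students", "A")]
WITH_C_TO_B = CURRENT + [("C", "Staff", "B")]            # questions 1 and 2
DOMAIN_USERS = [("C", "Staff", "A"), ("C", "Staff", "B"),
                ("B", "Domain Users", "A")]              # question 3
# Hypothetical rule back into Forest C, only to show what a loop looks like.
WITH_BACK_RULE = WITH_C_TO_B + [("B", "Students", "C")]


def simulate(rules, membership, origin):
    """Propagate one password change and return (deliveries, loop_found).

    membership maps forest -> set of groups the user's account is in there.
    Assumption (from the answer to question 3): a password set arriving in a
    forest is seen by that forest's PCNS like any other password change.
    """
    deliveries, loop_found = [], False
    queue = deque([(origin, (origin,))])      # (forest, path taken so far)
    while queue:
        forest, path = queue.popleft()
        for src, group, dst in rules:
            if src != forest:
                continue
            if group not in membership.get(forest, set()):
                continue                      # noticed, but not processed
            deliveries.append((src, dst))
            if dst in path:
                loop_found = True             # would circulate; stop following
            else:
                queue.append((dst, path + (dst,)))
    return deliveries, loop_found


def duplicate_targets(deliveries):
    """Forests whose account receives the same change more than once."""
    targets = [dst for _, dst in deliveries]
    return sorted({t for t in targets if targets.count(t) > 1})


if __name__ == "__main__":
    staff = {"C": {"Staff"}, "B": {"Domain Users"}}
    dual = {"C": {"Staff"}, "B": {"Students", "Domain Users"}}
    for name, rules, who in [("Q2", WITH_C_TO_B, staff),
                             ("Q3", DOMAIN_USERS, staff),
                             ("back rule", WITH_BACK_RULE, dual)]:
        d, loop = simulate(rules, who, "C")
        print(name, d, "duplicates:", duplicate_targets(d), "loop:", loop)
```

Running the model against a planned inclusion group shows which accounts would have their password set twice in Forest A, and whether any target routes a change back to a forest it already passed through.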

All replies

  • Thank you, Dominik
    Thursday, April 24, 2014 7:06 AM