I have a domain pair with password sync enabled, however passwords are not syncing from source to target if the password on the target is changed. I have a case where I want to temporarily reset the password on the target user, do a thing, then have the Quest directory sync job change it back next sync cycle.
This does not appear to be happening though, what is the expected behaviour here? should I expect quest to re-sync the password if the PwdLastSet attribute on the target is newer
Thanks
Actually no. By default the newer target password would stop an older password from the source overwriting.
There are a few other issues with your use case. During a Delta sync, only changed attributes would be written to the target. In your use case the source passwords are not changed so the delta would not have that to even over write. A full sync is required for the pwdlastset logic to even come into play.
A migration session would try to migrate the password, and the pwdlastset does come into play.
Now there is a setting to override this logic for the directory sync server. It would impact all sync and migration operations running.
Again the only way the sync is going try to write the password during a delta sync is for it to be changed in the source. So exactly what you want can not be done.
The only way to get close is to Implement the setting in the attached KB. Then the process would be
Thanks Jeff, that artice explains the behaviour well. I think disabling the check via registry isnt a good option as it may mess with users that have already been migrated. Checking password change required next logon' at both ends might get around it, but I was trying to avoid having to force users to change their passwords. Maybe if I turn that check off after doing what I need to do again might stop it needing to change? I'll test that out.
It's not the end of the world if I need to force a password change though, so I dont want to spend too much time on this
thanks
Thanks Jeff, that artice explains the behaviour well. I think disabling the check via registry isnt a good option as it may mess with users that have already been migrated. Checking password change required next logon' at both ends might get around it, but I was trying to avoid having to force users to change their passwords. Maybe if I turn that check off after doing what I need to do again might stop it needing to change? I'll test that out.
It's not the end of the world if I need to force a password change though, so I dont want to spend too much time on this
thanks
If you deploy another Directory Sync Agent (DSA) on another server, you can change just it’s settings. This would allow you one DSA for sync without the changes to the logic and one for Migration sessions with the logic.
