Is it possible to configure QMM to ignore password policy when synchronizing a password?

I have a customer that is using QMM Two-way Dirsync to keep passwords in sync between objects in two separate domains. The sync works as expected, with passwords syncing when the changed password meets the password policy of the domain in which the password change is synced, and erroring out when they don't meet the password policy. The customer is dissatisfied with this result and wants to know if we can force QMM to sync a password even if it doesn't match the password policy. While I do not think this is a good idea, they asked me, and now I'm asking Quest.

Parents

0 alex neuman over 3 years ago

You can force QMM to try - which is basically what's going on. You can't force Active Directory to accept though. QMM can work with what AD lets it do - so it's not something you can force QMM to do, it's something you can tell AD to allow - which is to say you'd have to tell AD to relax its policies. There's nothing QMM can tell AD that will "convince" AD to do it.
Cancel
Up 0 Down

Reply

Verify Answer

Reject Answer

Cancel

Reply

0 alex neuman over 3 years ago

You can force QMM to try - which is basically what's going on. You can't force Active Directory to accept though. QMM can work with what AD lets it do - so it's not something you can force QMM to do, it's something you can tell AD to allow - which is to say you'd have to tell AD to relax its policies. There's nothing QMM can tell AD that will "convince" AD to do it.
Cancel
Up 0 Down

Reply

Verify Answer

Reject Answer

Cancel

Children

0 donparkerjr over 3 years ago in reply to alex neuman

Can you confirm that with Dev? For instance, when we reset a password in ADUC, we can violate the history requirement. Is there any way to force QMM to do an "administrative" password reset, using the syncing password?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Jeff Shahan over 3 years ago in reply to donparkerjr

Don

Password history can be your pain point. It is maintained independently in both directories. So yes, you can reset the password and violate the history, but the sync can't.

As you know, we sync/migrate the password HASH. So there is no way complexity can be validated. It is only blank password and history that is the issue. If the DC will not commit the "write" of the password, there is nothing we can do. They would need a solution that capture the password changes on the DC it is being changed and apply that change to the target directory. Something like One Identity Password Manager would fit that bill.
Cancel
Up 0 Down

Reply

Verify Answer

Reject Answer

Cancel
0 donparkerjr over 3 years ago in reply to Jeff Shahan

Hey Jeff!

Forgive my ignorance with One Identity Password Manager. Are you saying that OIPM can "sync" the passwords regardless of the history on the target account? If so, is this an on-going sync, or is it a manual process?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Jeff Shahan over 3 years ago in reply to donparkerjr

Yes there are two method that password can be replicated using Password Manager. So that would be what I would add if there was a need for bi-directional password replication is near real time.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel