
Best solution to synchronise passwords with two-way sync (and all other attributes only source => target)

Hi,

At this time we have the default synchronisation SOURCE => TARGET. But when users must change their password on TARGET, the users have 2 passwords...

We are thinking of synchronizing two ways (SOURCE <=> TARGET), but we don't want the SOURCE to be damaged (group members deleted on source?...).

Maybe we can synchronize only the password (SOURCE <=> TARGET) and all other default attributes (SOURCE => TARGET), but how? (Using the "attributes to skip" options?...)

 

Thanks for your help and advice :)

  • Hi Cyril,

    What is the reason for wanting to sync pwd from target > source? Are you migrating people from Source > Target keeping their accounts active in the source? If so, is there any reason for keeping them active in the source? If you are migrating users with SidHistory you can disable the source accounts after the migration, then the Target accounts will be able to access the source resources. This way the password from the source will never get synced from Source > Target after the migration. On another note, the DSA will only sync the password from source to target if the password is newer than in the Target, or during a full dirsync (I might be mistaken on the last statement "or during a full dirsync").

  • Hi Enrico,

    We must keep source accounts active (for mail, applications: Sharepoint, BO, ...) for the moment.
    Do you have any advice for this configuration?
    Thanks
  • Thanks for the link, but we would like to sync only the passwords SOURCE <=> TARGET,
    and all default attributes in the QUEST sync SOURCE => TARGET (passwords included).
  • I am personally going to stray away from going down this path and recommend something. Perhaps someone else would like to chime in; if not, perhaps Support can refer you to PSO.
  • We get the question, we want to know why? Just because you can do something does not mean it will meet the business requirements.

    For example, the time it is going to take to "converge" the passwords as they change is going to be at least 15 min, plus the replication time for the DC it was changed on to the DC the DSA is replicating from.
  • Are you not already running DirSync from Source to Target, which is different from running a migration session? If not, you would need to set this up, and secondly Luke Adams' post addresses the pwd sync from Target > Source.