Password not syncing

I have a domain pair with password sync enabled; however, passwords are not syncing from source to target if the password on the target is changed. I have a case where I want to temporarily reset the password on the target user, do a thing, then have the Quest directory sync job change it back next sync cycle.

This does not appear to be happening, though. What is the expected behaviour here? Should I expect Quest to re-sync the password if the PwdLastSet attribute on the target is newer?

Thanks

  • Actually no. By default the newer target password would stop an older password from the source overwriting.

    There are a few other issues with your use case. During a Delta sync, only changed attributes would be written to the target. In your use case the source passwords are not changed, so the delta would not have that to even overwrite. A full sync is required for the pwdlastset logic to even come into play.

    A migration session would try to migrate the password, and the pwdlastset does come into play.

    Now there is a setting to override this logic for the directory sync server. It would impact all sync and migration operations running. 

    Again, the only way the sync is going to try to write the password during a delta sync is for it to be changed in the source. So exactly what you want cannot be done.

    The only way to get close is to implement the setting in the attached KB. Then the process would be:

    1. Change the target password
    2. Do what you need to do
    3. Run a migration session to copy the source password 

    support.quest.com/.../password-copy-sync-process-and-password-setting-behavior-in-quest-migration-manager

  • I tried forcing a re-sync of the old password from the source by ticking the 'require change next logon' on both ends. The pwdLastSet attrib has updated on the target account to 10 mins ago, so it looks like something changed, but the actual password on the target user still seems to be the new one; it hasn't actually re-synced from the source. Should this work, or have I missed something?

    thanks
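
Added example, not part of the thread and not Quest's code: a PowerShell check of the pwdLastSet comparison the first reply describes, so you can see whether the target timestamp is newer than the source's before running a full sync or migration session. The function names, account and server names, and sample values are made up for illustration; a pwdLastSet of 0 (the value Active Directory stores while "change at next logon" is ticked) is reported as not comparable.

```powershell
# Added example. Models the pwdLastSet comparison described in the reply above;
# it is not Quest's implementation. Sample values below are constructed.

function Convert-PwdLastSet {
    param([long]$FileTime)
    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    # 0 means "user must change password at next logon", not a real timestamp.
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

function Test-TargetPasswordNewer {
    param([long]$SourcePwdLastSet, [long]$TargetPwdLastSet)
    $src = Convert-PwdLastSet $SourcePwdLastSet
    $tgt = Convert-PwdLastSet $TargetPwdLastSet
    $verdict = if ($null -eq $src -or $null -eq $tgt) {
        'Not comparable: pwdLastSet is 0 on at least one side'
    } elseif ($tgt -gt $src) {
        'Target newer: by default the older source password does not overwrite it'
    } else {
        'Target not newer: the pwdLastSet check does not block the copy'
    }
    [pscustomobject]@{ SourceSetUtc = $src; TargetSetUtc = $tgt; Verdict = $verdict }
}

# Constructed FILETIME values: source set 2024-01-10, target reset 2024-03-01.
$source = [DateTime]::new(2024, 1, 10, 9, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$target = [DateTime]::new(2024, 3, 1, 14, 30, 0, [DateTimeKind]::Utc).ToFileTimeUtc()

Test-TargetPasswordNewer -SourcePwdLastSet $source -TargetPwdLastSet $target
Test-TargetPasswordNewer -SourcePwdLastSet $source -TargetPwdLastSet 0

# Against live accounts (ActiveDirectory module; server and account names are placeholders):
# $s = (Get-ADUser jdoe -Server dc.source.example -Properties pwdLastSet).pwdLastSet
# $t = (Get-ADUser jdoe -Server dc.target.example -Properties pwdLastSet).pwdLastSet
# Test-TargetPasswordNewer -SourcePwdLastSet $s -TargetPwdLastSet $t
```

The comparison only covers the timestamp logic; as the reply notes, a delta sync still writes the password only when it has changed in the source.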
