It seems that the following sequence occurs after synchronization when the user logs in:
1. They type their NetWare password.
2. They are prompted to change their AD password; when they do, the change is written back to AD.
3. At the 15-minute sync interval, MSDSS tries to forward-sync to eDirectory and for some reason sets a blank password on the Novell account (I have no idea why, but it seems like it tries to set it to blank and then sets the actual password for the user).
4. eDirectory rejects the blank password, the sync fails, and the account is locked.
5. After another 15 minutes MSDSS syncs the account lockout to AD, so both accounts are then locked.
6. This happens on password expiration as well as on the first synchronization.
To keep this from failing:
1. Set up password requirements and lockout durations in the Default Domain Policy or another Group Policy object in Windows.
a. This lets Windows control passwords and password expiration instead of eDirectory.
2. Remove "Require Password" under Password Restrictions for all users in eDirectory.
a. You can highlight them all and edit them at once.
3. Remove "Account Has Expiration Date" under Login Restrictions for all eDirectory users.
4. You can do this at the OU level for both policies instead of on each user.
This allows MSDSS to set the password properly. It also removes any confusion about which system expires passwords and how that expiration is propagated to the accounts.
This may only apply to two-way sync, and there are new procedures for creating accounts in AD and eDirectory so that they are created properly in the synced directory when MSDSS syncs.
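As an added check (not part of the original post): a small Python script that audits an LDIF export of eDirectory users for the two settings the steps above remove, and flags accounts already locked by intruder detection, which is the lockout that MSDSS would sync to AD. It assumes the standard eDirectory LDAP attribute names passwordRequired, loginExpirationTime and lockedByIntruder; the sample entries are constructed.

```python
# Constructed LDIF export of eDirectory users (assumption: standard eDirectory
# LDAP attribute names passwordRequired, loginExpirationTime, lockedByIntruder).
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=example
passwordRequired: TRUE
loginExpirationTime: 20251231000000Z
lockedByIntruder: FALSE

dn: cn=bob,ou=users,o=example
passwordRequired: FALSE
lockedByIntruder: TRUE
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.
    Handles plain 'attr: value' lines only (no base64 '::' or folded lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Map dn -> list of settings that would still break the MSDSS sync."""
    findings = {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        problems = []
        if e.get("passwordRequired", ["FALSE"])[0].upper() == "TRUE":
            problems.append("Require Password still set")
        if e.get("loginExpirationTime"):
            problems.append("Account has expiration date")
        if e.get("lockedByIntruder", ["FALSE"])[0].upper() == "TRUE":
            problems.append("locked by intruder (lockout will sync to AD)")
        if problems:
            findings[dn] = problems
    return findings
```

Run it against a real export (for example from an LDAP search of the user OU) before enabling two-way sync; an empty result means no user still carries the settings that trigger the blank-password failure.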