-
タイトル
Requirements for a One-Time Password Sync -
説明
Password Sync Rules are used for dynamic password synchronization with Quick Connect / Synchronization Service between two domains. These are very useful to keep passwords up to date, however, the target password will only be updated upon a password reset in the source domain. It may be necessary to do an initial password synchronization to get all the passwords up-to-date on the target domain when synchronizing between Active Directory domains. -
対策
The following items need to be configured properly for a one-time password synchronization to work:
- A functioning connection to the source and target domains using either the Active Roles Server connector or the Quick Connect Express for AD connector.
- A successful mapping between both domains, configured for user accounts.
- Installed the Quick Connect / Sync Service Capture Agent on BOTH the source and target domains.
Once all of the above are in place, you will need to create a workflow that contains an UPDATE workflow step. In this update workflow step, create a forward synchronization rule and select the following attribute to be synchronized:
pwdHash
Save and run the workflow to do a one-time password synchronization from the source domain to the target domain.
Additional Notes
In a normal Active Directory scenario, the pwdHash attribute is not something that's properly exposed for use in password synchronization. This is why having the Quick Connect Capture Agent installed on both sides is necessary. This allows us to read the hash value from the source domain and update the target domain hash value without every having to know the password or do an actual password reset. With that said, if there is a more restrictive password policy on the target and the source password doesn't meet the requirement, it will in fact overwrite and update to the target and bypass the policy check, since the password value itself is never known.