MSDSS password sync


Rob Y.

Hi,

Is it true that MSDSS (even with two way sync enabled) cannot retrieve
passwords from eDirectory on reverse synchronization?

So for instance, if a user changes his password upon login through the
Novell client on his PC (because it's expired), upon scheduled MSDSS sync
his AD account password will be reset to blank/preset/etc (since the
object has been changed but the password is un-encryptable)?

Also, when the user's password expires and he is on a grace login, how
can I add a windows domain account to the "Synchronize password with
these resources" list so that it can:

1) authenticate to the windows account using the old password (not
expired on the windows side)
2) change the windows password alongside the netware password when
he enters his new password and clicks "OK"

If a user is logged on properly and not expired, all the accounts show
up in the resources list and a password change is no problem. It's only
when the password is expired that we get stuck in a pickle.

What I want is probably not possible but I thought I'd ask anyway..
ya never know!

Thanks,
Rob
 
Hi Rob,
> Is it true that MSDSS (even with two way sync enabled) cannot retrieve
> passwords from eDirectory on reverse synchronization?

Correct. Reverse sync can only do users/group/OUs & attributes, not eDir passwords.

> So for instance, if a user changes his password upon login through the
> Novell client on his PC (because it's expired), upon scheduled MSDSS sync
> his AD account password will be reset to blank/preset/etc (since the
> object has been changed but the password is un-encryptable)?

Nope, the AD password is left alone. If the user logs into eDirectory & the domain, the password change prompt at the client will be able to set both. The blank/username/preset/random password setting is only applied to new accounts created by MSDSS in AD from eDir.

> Also, when the user's password expires and he is on a grace login, how
> can I add a windows domain account to the "Synchronize password with
> these resources" list so that it can:
>
> 1) authenticate to the windows account using the old password (not
> expired on the windows side)
> 2) change the windows password alongside the netware password when
> he enters his new password and clicks "OK"
>
> If a user is logged on properly and not expired, all the accounts show
> up in the resources list and a password change is no problem. It's only
> when the password is expired that we get stuck in a pickle.
>
> What I want is probably not possible but I thought I'd ask anyway..
> ya never know!

If I'm reading this correctly, you have a common user code & password. The password is expired on the eDir side, not the domain side (so the expiry is not synchronised). The user is logged into eDir on a grace login.

If I reproduce this scenario, I can change both passwords okay using the Novell client (via CTRL-ALT-DEL > Change Password). Have I missed something? Are you trying to change the password at login time or at CTRL-ALT-DEL? Both work fine here.

If you're changing it at login time, verify that "Synchronise this password with:" reads "<domain>\<username>" when changing passwords. If it reads "<domain>\" you need to check that the "local username" on the workstation tab contains the username, and is not blank. You can force this field to synchronise by setting the "don't display last username at logon" policy.

I found this out the hard way. I'm planning to use MSDSS & the Novell client in much the same way. If you haven't done so, I suggest you set up a test replica of your production environment NOW to pick these little things up.

Hope that helps.

Cheers,

Marcus
________________________________________________________
Marcus Holland, Computer Systems Engineer (MCSE)
IT Services Department, Lincoln University, NZ.
Ext: 8033
Phone: 064-3-3253825
Fax: 064-3-3253865
Mobile: 0274-318-791
Email: (e-mail address removed)
Web: http://www.lincoln.ac.nz/its/profiles/hollam.htm

Non faciendum illigitatus carborendum
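Marcus's tip above hinges on the Windows "don't display last username at logon" policy being in force on the workstation. The following PowerShell is an added example, not code from the thread or from Novell/Microsoft, that reports whether that policy is set and can enforce it locally. It assumes the policy is stored at the standard Windows location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System as the REG_DWORD value DontDisplayLastUserName (1 = enabled); the function names are my own.

```powershell
# Added example: audit/enforce "Interactive logon: Do not display last user name".
# Assumption: standard policy location and value name (not taken from the thread).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName  = 'DontDisplayLastUserName'

function Get-LastUserNamePolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for the local machine.
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item)          { return 'NotConfigured' }
    if ($item.$valueName -eq 1)   { return 'Enabled' }
    return 'Disabled'
}

function Set-LastUserNamePolicy {
    # Enables the policy locally; requires an elevated prompt. Use -WhatIf to preview.
    param([switch]$WhatIf)
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $policyPath -Name $valueName -Value 1 -Type DWord -WhatIf:$WhatIf
}

$state = Get-LastUserNamePolicy
Write-Host "$valueName is: $state"
if ($state -ne 'Enabled') {
    Write-Host 'Policy not enforced on this workstation; run Set-LastUserNamePolicy from an elevated prompt.'
}
```

In a domain the same setting is normally pushed by Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), so the local write is only useful for a test workstation or to confirm what the GPO actually landed; whether the Novell client then fills its "local username" field is the behaviour Marcus describes and is not something this script checks.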
 
Hi Marcus,

Thanks for your prompt replies..

Yes, the user is logged in with a grace login. If the user says no to
change password now, they will get dumped to the desktop. If at that
point they hit CTRL-ALT-DEL and change their password, all the resources
are listed and changed. I am having a problem however when they click
"Yes" to change their password at the login. The only thing in
"Synchronize this password with:" is the local PC's user account, not
any of the associated domain accounts. How can I add domain accounts to
this list?

Thanks,
Rob
 
It will only synchronize for accounts that have been logged into that
workstation before. Once a successful login is there, it will work on a
per-user basis.

You might want to look at the DirXML and account manager for Novell. They
do allow for AD agents and two way sync between eDir and AD.
 