Controlling password synchronization for user accounts

You can control which users' passwords are synchronized by creating two security groups in Active Directory named PasswordPropAllow and PasswordPropDeny. The names must be spelled exactly as shown. (Use Active Directory Users and Computers to create the two groups, as described in the procedure below.)

In the PasswordPropAllow group, add the user accounts whose passwords should be synchronized. In the PasswordPropDeny group, add the user accounts whose passwords should not be synchronized.

A user's password is synchronized only if the user is a member of PasswordPropAllow and is not a member of PasswordPropDeny; membership in PasswordPropDeny always takes precedence.

If PasswordPropAllow does not exist, the effect is the same as if it existed and contained every user. If PasswordPropDeny does not exist, the effect is the same as if it existed and was empty. In practice this means that when neither group exists, every user's password is synchronized; an empty PasswordPropAllow group synchronizes no one; and deleting PasswordPropAllow later re-enables synchronization for every user who is not in PasswordPropDeny. Check the effective membership of both groups after any change.

These rules apply to synchronization in both directions, from Windows to UNIX and from UNIX to Windows; the same group membership is evaluated for both. If a user's password cannot be synchronized from Windows to UNIX, it also cannot be synchronized from UNIX to Windows.

You can ensure that the passwords for certain UNIX users are never synchronized, even if synchronization is allowed on the Windows side by the Password Synchronization server (that is, by the group rules described above). To ensure that a UNIX user account will never have its password synchronized with the Windows password, edit the sso.conf file on the UNIX computer and, after SYNC_USERS=, enter the user name of the account preceded by a minus sign (an ASCII hyphen, -). For example, to ensure that the password of the root account is never synchronized with a Windows account of the same name, make sure that the following line appears in sso.conf:

SYNC_USERS=-root

To control password synchronization for user accounts
  1. Open Active Directory Users and Computers.

    To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    You can also open Active Directory Users and Computers from within Server Manager, by expanding Roles and then Active Directory Domain Services in the hierarchy pane, and then selecting Active Directory Users and Computers.

  2. In the hierarchy pane of the Active Directory Users and Computers snap-in, right-click the Users container.

  3. Point to New, and then click Group.

  4. Name the group PasswordPropAllow.

  5. In the Group scope area, select Domain local.

  6. In the Group type area, select Security.

  7. Click OK.

  8. Repeat steps 2 through 7 to create a second group, but name the second group PasswordPropDeny.

  9. In the results pane, right-click the new PasswordPropAllow group, and then click Properties.

  10. On the Members tab of the PasswordPropAllow Properties dialog box, add the users whose passwords should be synchronized. Click OK to close the Properties dialog box when your additions are complete.

  11. In the results pane, right-click the PasswordPropDeny group, and then click Properties. On the Members tab of the PasswordPropDeny Properties dialog box, add the users whose passwords should not be synchronized. Click OK to close the Properties dialog box when your additions are complete.

Note

The Password Synchronization administration tools provide no command-line method for this procedure. The two groups are ordinary Active Directory security groups, however, so they can also be created and populated with the standard directory command-line tools, such as the ActiveDirectory module for Windows PowerShell.
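The following Windows PowerShell script is an added example; it is not code from the original article or from the Password Synchronization product. It uses the ActiveDirectory module to create the two groups and populate them, and it implements the allow/deny rule described above as a function that can be checked without a domain, including the two cases in which a group does not exist. The container path, the user names and the group memberships in the usage section are assumptions made for the example.

```powershell
# Added example: manage PasswordPropAllow / PasswordPropDeny with the ActiveDirectory
# module and evaluate the synchronization rule. Not part of the original article.
# Assumed: the ActiveDirectory module is installed and the caller may create groups
# in the container given by -Path (for example "CN=Users,DC=corp,DC=example").

Import-Module ActiveDirectory

$AllowGroup = 'PasswordPropAllow'
$DenyGroup  = 'PasswordPropDeny'

# Pure evaluation of the rule from the article, usable without a domain:
#   synchronized  =  (in Allow) AND NOT (in Deny)
#   Allow missing ($null) behaves as if it contained every user
#   Deny  missing ($null) behaves as if it were empty
# An empty array is NOT the same as $null: an empty Allow group allows nobody.
function Test-PasswordSyncAllowed {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [AllowNull()]          [string[]] $AllowMembers,
        [AllowNull()]          [string[]] $DenyMembers
    )
    # -contains compares case-insensitively, which matches sAMAccountName semantics
    $allowed = ($null -eq $AllowMembers) -or ($AllowMembers -contains $User)
    $denied  = ($null -ne $DenyMembers)  -and ($DenyMembers  -contains $User)
    return ($allowed -and -not $denied)
}

# Direct user members of a group as sAMAccountNames; $null if the group does not exist.
# Membership is read non-recursively: the article does not say whether nested groups
# count, so keep these two groups flat.
function Get-SyncGroupMembers {
    param([Parameter(Mandatory)] [string] $GroupName)
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) { return $null }
    $members = @(Get-ADGroupMember -Identity $group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object { $_.SamAccountName })
    return ,[string[]]$members   # unary comma keeps an empty group distinct from a missing one
}

# Create both groups (domain local, security) if absent, then add the members.
function Initialize-PasswordSyncGroups {
    param(
        [Parameter(Mandatory)] [string]   $Path,    # container DN (assumed by the caller)
        [string[]] $Allow = @(),
        [string[]] $Deny  = @()
    )
    foreach ($name in $AllowGroup, $DenyGroup) {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
                        -GroupCategory Security -Path $Path `
                        -Description 'Password Synchronization control group'
        }
    }
    if ($Allow.Count) { Add-ADGroupMember -Identity $AllowGroup -Members $Allow }
    if ($Deny.Count)  { Add-ADGroupMember -Identity $DenyGroup  -Members $Deny }
}

# Report which of the given users would have their password synchronized right now,
# reading the live membership of both groups once.
function Get-PasswordSyncReport {
    param([Parameter(Mandatory)] [string[]] $Users)
    $allow = Get-SyncGroupMembers -GroupName $AllowGroup
    $deny  = Get-SyncGroupMembers -GroupName $DenyGroup
    foreach ($u in $Users) {
        $inAllow = if ($null -eq $allow) { 'all (group missing)' }  else { $allow -contains $u }
        $inDeny  = if ($null -eq $deny)  { 'none (group missing)' } else { $deny  -contains $u }
        [pscustomobject]@{
            User         = $u
            InAllow      = $inAllow
            InDeny       = $inDeny
            Synchronized = Test-PasswordSyncAllowed -User $u -AllowMembers $allow -DenyMembers $deny
        }
    }
}

# --- Usage (assumed names) ---------------------------------------------------
# Offline checks of the rule with constructed membership lists, no domain needed:
# alice is allowed only; bob is allowed but also denied; carol with no Allow group
# at all; carol with an Allow group that exists but is empty.
Test-PasswordSyncAllowed -User 'alice' -AllowMembers @('alice','bob') -DenyMembers @('bob')
Test-PasswordSyncAllowed -User 'bob'   -AllowMembers @('alice','bob') -DenyMembers @('bob')
Test-PasswordSyncAllowed -User 'carol' -AllowMembers $null            -DenyMembers $null
Test-PasswordSyncAllowed -User 'carol' -AllowMembers @()              -DenyMembers $null

# Against a real domain (assumed container and accounts):
# Initialize-PasswordSyncGroups -Path 'CN=Users,DC=corp,DC=example' -Allow 'alice','bob' -Deny 'bob'
# Get-PasswordSyncReport -Users 'alice','bob','carol' | Format-Table -AutoSize
```

The four offline calls exercise the rule as the article states it: the first user is in Allow and not in Deny, the second is in both and so is refused, the third is accepted because a missing PasswordPropAllow counts as containing everyone, and the fourth is refused because an existing but empty PasswordPropAllow contains no one. Get-SyncGroupMembers preserves that distinction by returning $null for a missing group and an empty array for an empty one, which is why the unary comma on its return line matters. Because the absence of PasswordPropAllow opens synchronization to every account, it is worth running Get-PasswordSyncReport after any change to the groups, and placing in PasswordPropDeny the Windows accounts whose passwords should never be mirrored to a UNIX account of the same name, in the same way the article excludes root on the UNIX side.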

Additional references