Access Denied error managing Password Synchronization Filters

  • 3901539
  • 24-May-2007
  • 25-Nov-2015

Environment

Novell Identity Manager 3.0
Novell Identity Manager 3.5
Novell Identity Manager Password Synchronization
Novell Identity Manager Remote Loader

Situation

When attempting to view or manage Password Synchronization filters from the Control Panel applet labeled "Identity Manager PassSync", an "Access Denied" error is shown. The two messages reported are:

Error reading registry (5)

An error was encountered while querying for the status of the filter. (5) Access is denied.

Resolution

Active Directory Driver
Three registry values on the server that runs the driver must be corrected to restore normal operation of the applet and of password synchronization. Error code 5 is the Win32 ERROR_ACCESS_DENIED code; here it is raised because the applet is following the wrong code path for this machine, not because of missing permissions, so granting additional rights to the registry keys does not help. Back up the keys (for example with 'reg export') before changing anything, and make the changes from an elevated session on the driver server.

In HKLM\Software\Novell\PassSync there is a REG_DWORD value named 'Driver Machine' that currently holds 0. On the server running the driver (engine or Remote Loader server) this value must be 1.

In HKLM\Software\Novell\PassSync\Data there is a REG_MULTI_SZ value named 'Domains'. It must contain the name of the domain with password synchronization enabled, in DNS format, for example novell.com (without quotation marks).

In HKLM\Software\Novell\PwFilter there is a REG_MULTI_SZ value named 'Host Names'. It must contain the DNS name of the server running the driver, for example domaincontroller0.novell.com (without quotation marks).
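The following PowerShell script is an added example, not part of this TID or of the Identity Manager product; it audits the three values described above against the expected driver-server state and, with -Fix, exports a .reg backup of both keys and writes the expected values. The domain and host names passed as parameters are placeholders, and the script does not restart any service, since the TID only says the values are read the next time the applet loads.

```powershell
# Added example (not from the TID or the product): audit and optionally repair the PassSync
# registry values on the server that hosts the IDM AD driver (engine or Remote Loader).
# Run from an elevated PowerShell session on the driver server.
#
# Usage:  .\Check-PassSyncRegistry.ps1 -Domain 'novell.com' -DriverHost 'domaincontroller0.novell.com'
#         add -Fix to write the expected values (both keys are exported to %TEMP% first).

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $Domain,      # placeholder: domain with PassSync enabled
    [Parameter(Mandatory = $true)] [string] $DriverHost,  # placeholder: DNS name of the driver server
    [switch] $Fix
)

$passSync = 'HKLM:\SOFTWARE\Novell\PassSync'
$pwFilter = 'HKLM:\SOFTWARE\Novell\PwFilter'

# Expected state on the driver machine, taken from the Resolution section.
$expected = @(
    @{ Path = $passSync;        Name = 'Driver Machine'; Type = 'DWord';       Value = 1 },
    @{ Path = "$passSync\Data"; Name = 'Domains';        Type = 'MultiString'; Value = @($Domain) },
    @{ Path = $pwFilter;        Name = 'Host Names';     Type = 'MultiString'; Value = @($DriverHost) }
)

function Get-RegValue([string] $Path, [string] $Name) {
    # Returns $null when the key or the value is missing instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SameValue($Actual, $ExpectedValue) {
    # REG_MULTI_SZ comes back as string[]; compare as ordered, case-insensitive lists.
    if ($null -eq $Actual) { return $false }
    $a = (@($Actual)        | ForEach-Object { "$_".ToLowerInvariant() }) -join "`n"
    $e = (@($ExpectedValue) | ForEach-Object { "$_".ToLowerInvariant() }) -join "`n"
    return $a -eq $e
}

$report = @()
$drift  = @()
foreach ($v in $expected) {
    $actual = Get-RegValue $v.Path $v.Name
    $ok = Test-SameValue $actual $v.Value
    $report += [pscustomobject]@{
        Key      = $v.Path
        Value    = $v.Name
        Actual   = $(if ($null -eq $actual) { '<missing>' } else { @($actual) -join ';' })
        Expected = (@($v.Value) -join ';')
        OK       = $ok
    }
    if (-not $ok) { $drift += $v }
}
$report | Format-Table -AutoSize

if ($drift.Count -eq 0) {
    Write-Host 'All PassSync registry values already match the driver-server configuration.'
    return
}
if (-not $Fix) {
    Write-Warning "$($drift.Count) value(s) differ from the expected state; re-run with -Fix to repair."
    return
}

# Back up both keys before touching anything so the change can be reverted with 'reg import'.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($k in 'HKLM\SOFTWARE\Novell\PassSync', 'HKLM\SOFTWARE\Novell\PwFilter') {
    $file = Join-Path $env:TEMP ('{0}-{1}.reg' -f ($k -replace '[\\:]', '_'), $stamp)
    & reg.exe export $k $file /y | Out-Null
    Write-Host "Backed up $k to $file"
}

foreach ($v in $drift) {
    if ($PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", "set to $(@($v.Value) -join ';')")) {
        if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        # -Force overwrites an existing value or creates a missing one with the right registry type.
        New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
    }
}
Write-Host 'Registry updated; reopen the Identity Manager PassSync applet and confirm the Access Denied error is gone.'
```

Run it without -Fix first to see which of the three values drifted; because the script supports -WhatIf, you can also preview the writes before committing to them.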
Similar NT Driver Issue:
The same error was seen on an NT domain controller running the IDM 3.5 NT driver. There the Password Filter was not capturing passwords and placing them in the registry at all. Downgrading PWFILTER.DLL and PASSSYNCCONFIG.CPL to the versions that shipped with IDM 3.01 resolved the issue: the error was no longer reported and password capture resumed.

Additional Information

This happens when the Identity Manager (IDM) documentation is not followed, most often when a password synchronization filter is added to the Domain Controller (DC) that itself runs the IDM Active Directory (AD) driver, whether that is the engine server or a Remote Loader (RL) server. In the Password Synchronization applet, selecting the domain and clicking 'Filters' lists every DC in the domain. Selecting the server that hosts the driver and clicking 'Properties' opens a dialog that configures that server as an ordinary filter host, as if it did not hold the driver. The applet assumes the selected server does not hold the driver, because configuring the driver server through this dialog is not the supported procedure. As a result the registry entries listed under Resolution are rewritten; the next time the applet loads it follows the filter-host code path instead of the driver-host one, and the Access Denied error is the visible symptom.

The same error can also appear after the Remote Loader is moved from one server to another. In that case verify the same three registry values on the new driver server.