How to Prevent Syncing Old Password Changes from Active Directory

  • 7005006
  • 10-Dec-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 3.6.1
Novell Identity Manager Driver - Active Directory
Novell Identity Manager - Password Synchronization

Situation

The Active Directory IDM driver and the password filters were installed. However, the driver has been in a disabled state for some time.
The AD password changes have been building up on the individual Domain Controllers in the HKLM\Software\Novell\PwFilter\Data key. How can the cached password events from AD be prevented from synchronising?

Resolution

- Stop the driver, or confirm that it is already stopped.

- Log onto the domain controller that is not syncing passwords. Open Regedit and browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PwFilter\Data key. By default you do not have permission to see what is under this key, so grant the account you are logged in with permissions to that key and its sub-keys. You should then see a separate sub-key under the Data key for each password change that has not synced over to eDirectory.

- Delete all of the sub-keys, but leave the Data key itself in place.

- Start the driver and let it get fully started, including a successful connection to the AD Domain Controller that was down.

- On the Domain Controller that was down, change a password. If it does not go over to eDirectory, review the Remote Loader level 5 traces of the driver startup to see what kind of error occurred when the driver tried to set up communications with the DC. Look for DNS issues or RPC errors. Also make sure that in the driver properties the global configuration value "Password Sync Timeout (minutes)" is not set to 0.
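The registry clean-up from the steps above can be scripted so that only the cached event sub-keys are removed and the Data key itself survives. The following is an added example, not part of this TID or of the Novell product; it assumes the driver is already stopped, that the account running it has been granted permission on the key (step 2), and that it is run in an elevated PowerShell session on the affected domain controller. The backup path is an arbitrary choice.

```powershell
# Added example (not Novell's code): remove cached PwFilter password events
# while preserving the Data key. Preview first with:  .\Clear-PwFilterCache.ps1 -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DataKey    = 'HKLM:\SOFTWARE\Novell\PwFilter\Data',
    [string]$BackupFile = "$env:TEMP\PwFilter-Data-backup.reg"   # assumed location
)

if (-not (Test-Path -LiteralPath $DataKey)) {
    throw "Key not found: $DataKey (is the password filter installed on this DC?)"
}

# Each password change that has not synced to eDirectory is one sub-key under Data.
# Get-ChildItem fails with access denied until permissions are granted on the key.
$cached = @(Get-ChildItem -LiteralPath $DataKey -ErrorAction Stop)
Write-Host ("{0} cached password event(s) found under {1}" -f $cached.Count, $DataKey)
if ($cached.Count -eq 0) { return }

# Keep an export of the key before discarding events, so the clean-up is auditable.
& reg.exe export 'HKLM\SOFTWARE\Novell\PwFilter\Data' $BackupFile /y | Out-Null
Write-Host "Backup written to $BackupFile"

foreach ($key in $cached) {
    # ShouldProcess honours -WhatIf / -Confirm for each sub-key.
    if ($PSCmdlet.ShouldProcess($key.PSPath, 'Remove cached password event')) {
        Remove-Item -LiteralPath $key.PSPath -Recurse -Force
    }
}

# Verify the outcome: the Data key must still exist and should now be empty.
if (-not (Test-Path -LiteralPath $DataKey)) {
    throw 'The Data key itself was removed; re-create it before starting the driver'
}
$remaining = @(Get-ChildItem -LiteralPath $DataKey).Count
Write-Host "$remaining sub-key(s) remain under Data"
```

Run it before restarting the driver (step 4); the count it reports afterwards should be 0, and the exported .reg file records which events were discarded.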