Detailed information on the new IDM 402 AD Driver feature "DC Passwords TimeToLive (minute):"

  • 7012989
  • 05-Aug-2013
  • 11-May-2020


NetIQ Identity Manager Driver - Active Directory
NetIQ Identity Manager Engine


The current docs list a new feature for the Active Directory Driver called "DC Passwords TimeToLive (minutes)"  The documentation only explains it with a brief explanation.  What are the background processes that are happening?
This is what is currently in the docs:

DC Passwords TimeToLive (minute): Specify the time limit in minutes for the passwords to be

stored in the Domain Controller registry.

This allows the passwords that are stored in the Domain Controller registry to time out if the

password does not synchronize to the driver within the specified time.

If this value is set to -1, passwords will never be deleted from the registry.

The default value is -0.


The password filter implements a feature that allows passwords stored in the Domain Controller filters to time out if the password does not get synchronized to the driver in a given amount of time. This time out behavior is controlled with the driver parameter "DC Passwords TimeToLive" . The password keys that outlive the time period set by the parameter are marked as stale and deleted. Such a setting on a Domain Controller, prevents accumulation of unnecessary password cache. The time interval mentioned in the parameter is set on all pwfilter DCs that this driver internally connects to.

If the option is left at the default of 0, then no entry appears in the registry. As soon as it is changed and the driver is restarted, the entry is added under the PwFilter key in the registry. The key is called TimeToLive and is a DWORD value.  If the entry is ever changed back to zero (or any negative number) then the registry entry is removed when the driver is restarted.

The PwFilter.dll wakes up every minute (this is hardcoded) and looks at each entry to see if the current time minus the DC Passwords TimeToLive value is greater than the current time. If the saved password outlives the time period set in "DC password Time to Live" parameter, then it is marked as stale and is flagged to be deleted.
i.e current_time - time_of_password_key_creation > DC password Time to Live,
then delete the password.

If yes, the password entry is removed. It uses filetimestamp to arrive at a conclusion whether a password key has
timed out

Removals of passwords are not recorded in the normal remote loader trace, but they are recorded if you use a debug filter and capture the output. This shows how it reads the timeout.
For example if you set to 3 minutes it wakes up every minute to
check for stale passwords (interval of one minute is hardcoded) and after 3
minutes it times out and clears the registry.

It is pretty easy to read in the debug. If you set a password and the driver is
offline with a 3 minute timout stored. You will see an RPC error when the
filter tries to send the password to the driver, the filter goes to sleep and
wakes up every minute. After 3 minutes, the filter will decide it needs to remove
the password and write in the event viewer that it will abort. This is
what you get in the event viewer:

The password for user lab10-test3 in directory was not
synchronized because the password change timed out.