User Accounts Do Not See Password Changes Immediately (NETIQKB1826)

  • 7701826
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

symptom
User Accounts Do Not See Password Changes Immediately

symptom
After a password change in Directory and Resource Administrator, a user account is unable to log on using the new password.

cause
Changes made in Directory and Resource Administrator (DRA) are written directly to the PDC when managing an NT4 domain, and to the domain controller closest to the DRA server when managing a Windows 2000 Active Directory. Because a user account may not be authenticated by the same domain controller that DRA wrote the changes to, Active Directory replication must take place before the changes take effect on the other domain controllers.

For more information regarding how DRA determines the closest domain controller, please refer to the following Knowledge Base article:

    NETIQKB1437 How does Directory and Resource Administrator determine the domain controller to which changes will be written?



fix
Since DRA writes directly to the closest domain controller (Active Directory), the inability of the user to log on using the new password may be due to Active Directory replication latency. One solution for this issue is to configure Active Directory replication to occur more often, thus decreasing the time taken to replicate changes to all domain controllers.

Another workaround is to take advantage of the automation capabilities in DRA by implementing a post-task trigger to write password changes immediately to all domain controllers.
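
To check whether replication latency is the cause described above, the account's pwdLastSet attribute can be compared across domain controllers. The following PowerShell is an added example, not DRA code or part of the original article; the function name, the account name and the sample hosts are assumptions, and the commented live query assumes the ActiveDirectory module is available.

```powershell
# Added example (not DRA code): list domain controllers that have not yet
# received a password change.
# Assumption: the newest pwdLastSet seen on any DC is the change that DRA wrote.
function Get-StalePasswordReplica {
    param(
        # One object per DC with Server (string) and PwdLastSet (DateTime) properties.
        [Parameter(Mandatory = $true)] [object[]] $Replica
    )
    $newest = ($Replica | Sort-Object -Property PwdLastSet -Descending |
               Select-Object -First 1).PwdLastSet
    foreach ($r in $Replica) {
        [pscustomobject]@{
            Server     = $r.Server
            PwdLastSet = $r.PwdLastSet
            Replicated = ($r.PwdLastSet -eq $newest)
        }
    }
}

# Live collection, one read per DC (needs the ActiveDirectory module;
# 'jdoe' is a placeholder account name):
# $replicas = Get-ADDomainController -Filter * | ForEach-Object {
#     $u = Get-ADUser -Identity 'jdoe' -Server $_.HostName -Properties pwdLastSet
#     [pscustomobject]@{
#         Server     = $_.HostName
#         PwdLastSet = [datetime]::FromFileTimeUtc($u.pwdLastSet)
#     }
# }

# Constructed sample: dc01 received the change from DRA; dc02 and dc03 still
# hold the previous pwdLastSet value because replication has not reached them.
$replicas = @(
    [pscustomobject]@{ Server = 'dc01.example.test'; PwdLastSet = [datetime]'2007-02-02 10:15:00' }
    [pscustomobject]@{ Server = 'dc02.example.test'; PwdLastSet = [datetime]'2006-11-20 08:00:00' }
    [pscustomobject]@{ Server = 'dc03.example.test'; PwdLastSet = [datetime]'2006-11-20 08:00:00' }
)

# Show only the domain controllers that have not replicated the change yet.
Get-StalePasswordReplica -Replica $replicas |
    Where-Object { -not $_.Replicated } |
    Format-Table Server, PwdLastSet -AutoSize
```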



Additional Information

Formerly known as NETIQKB1826