Password sync issue between eDir and AD

We have IDM 4.5.2 syncing users between eDir and AD, and have password sync through that driver. If we have the user pwd expiring from eDir and the user logs into GroupWise they are prompted to change their password and that password change syncs. On the other hand, if we have the password expired in AD and the user is prompted from their Windows workstation to change their password, that does not sync. If the password in AD is not set to expire but the user changes their password on their workstation it syncs as it is supposed to.
What seems to be the problem is when the user is forced to change their password by AD. On a user object in iManager if I check their password status under those circumstances, it will display the following:

"Not Synchronized. Check password connection validation. Bind failed because of one or more of the following errors. The user's password must be changed before logging on the first time. Invalid Credentials"

Is this something to be expected? I do not have GroupWise accounts for all users so I cannot fall back to having eDir be the only place where their password would expire - I have to have AD do it.

Any feedback would be appreciated.

  • No, and most likely the symptoms are a coincidence.

    All password changes in MAD go to a DC, no matter what causes them, or who
    changes them, or anything else. The selection of DCs is almost always
    random, so you MUST have a filter running properly on all DCs. The
    most likely cause for a password synchronizing less than 100% of the time
    is one or more DCs missing the filter, so the password is only
    synchronized from MAD to eDirectory/vault when the user's workstation
    happens to hit DCs that do have the filter running properly.

    For more troubleshooting, post a level five (5) trace from the Remote
    Loader (RL) side at the time of the password change that is working, as
    well as the time of a password change that is expected to fail.

    Good luck.

  • All DCs in the domain have the filter. I will post a trace either later today or tomorrow.
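
One way to confirm the "filter on all DCs" condition discussed above is to read the LSA password-filter registration from every domain controller. This is an added example, not part of the thread or of the IDM product; it assumes the filter is registered under the name `PWFILTER` (adjust `-FilterName` to match your installation), that PowerShell remoting to the DCs is allowed, and that the ActiveDirectory module is available when no DC list is passed.

```powershell
# Added example. Checks registration only: LSA loads notification packages at
# boot, so a DC that was not restarted after install can still miss changes.
param(
    # Assumption: name under which the IDM password filter is registered.
    [string]$FilterName = 'PWFILTER',
    # Defaults to every DC in the current domain (needs the ActiveDirectory module).
    [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = foreach ($dc in $DomainController) {
    try {
        # Read the multi-string value that lists the password filters LSA loads.
        $packages = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path $using:lsaKey -Name 'Notification Packages').'Notification Packages'
        }
        [pscustomobject]@{
            DomainController = $dc
            Reachable        = $true
            FilterRegistered = $packages -contains $FilterName   # case-insensitive
            Detail           = $packages -join ', '
        }
    }
    catch {
        # An unreachable DC is reported, not skipped: it may be the one without the filter.
        [pscustomobject]@{
            DomainController = $dc
            Reachable        = $false
            FilterRegistered = $null
            Detail           = $_.Exception.Message
        }
    }
}

$results | Sort-Object FilterRegistered, DomainController | Format-Table -AutoSize

# Any DC that is unreachable or lacks the entry can silently drop password changes.
$suspect = @($results | Where-Object { -not $_.FilterRegistered })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} of {1} DCs could not be confirmed: {2}" -f $suspect.Count,
        @($results).Count, ($suspect.DomainController -join ', '))
}
```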