DirXML AD Driver synchronizes new users to AD with Account Disabled

(Last modified: 31Jul2006)

This document (10092822) is provided subject to the disclaimer at the end of this document.

fact

IDM 2.0

Nsure Identity Manager 2.0

Nsure Identity Manager 2.0.1

Novell Active Directory Driver

Password Policies

Windows 2003 Server

symptom

DirXML AD Driver synchronizes new users to AD with Account Disabled

The Password set in the Password Synchronization Policy is not synchronized to the AD user.

cause

The accounts were being disabled because no password was being set on user create, while the AD password policy required a password on user accounts. The AD driver sets the initial password on the new object before enabling it; because the password set failed, the driver left the new account disabled. The password was not being set because the Global Configuration Value 'enable-password-subscribe' was set to 'false', which causes the Subscriber policy to strip the password from the add command before it reaches AD (the rule was doing exactly what it was told to do). Once this GCV was set to true, passwords came across on user creates and the user objects were created enabled in AD.

fix

If a password is desired on user creation (the default driver configuration sets the initial password to the user's Surname), set the Global Configuration Value 'enable-password-subscribe' to True. In iManager, open the properties of the AD Driver -> Global Config Values -> set 'Application accepts passwords from the DirXML data store' to True. Treat a Surname-derived initial password as guessable and have users change it at first logon. If you do not want a password sent, but you still want accounts enabled on creation in AD, you must instead change your AD password policy so that a password is not mandatory (for example, a minimum password length of 0); note that this permits blank passwords for every account in the domain and is far weaker than sending a password.

symptom

Could not set password via platform call. Err=2245

SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM)

cause

In this case the users were being synchronized to AD with Account Disabled because the nspmDistributionPassword attribute for the User class in the AD driver's filter had been modified: it had been set to Synchronize on both the Publisher and the Subscriber channel.

fix

nspmDistributionPassword should be set to Notify on the Subscriber channel and Ignore on the Publisher channel. Make that change; if this was the problem, new users should then be created in AD without being disabled.

You will also want to check the AD password policy. In one instance we had to change a policy setting from Disabled to Not Configured.
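As an added example (not part of this TID or of the Novell driver itself), the following Python script checks a driver's filter and GCV exports for the two settings discussed in both fixes above: nspmDistributionPassword Notify/Ignore on Subscriber/Publisher, and enable-password-subscribe true. The XML fragments are constructed samples in the layout of an IDM filter export (filter-class and filter-attr elements) and GCV export (definition and value elements); any element or attribute names beyond nspmDistributionPassword and enable-password-subscribe are assumed from that layout, so adjust them to match your own export.

```python
import xml.etree.ElementTree as ET

# Settings the TID says the AD driver needs so that a password flows on user create:
# nspmDistributionPassword on the User class is Notify on the Subscriber and Ignore on
# the Publisher, and the driver GCV enable-password-subscribe is true.
PASSWORD_ATTR = "nspmDistributionPassword"
EXPECTED_SUBSCRIBER = "notify"
EXPECTED_PUBLISHER = "ignore"
GCV_NAME = "enable-password-subscribe"


def check_filter(filter_xml):
    """Return findings for the password attribute in the User class of a filter export."""
    root = ET.fromstring(filter_xml)
    user_class = root.find("./filter-class[@class-name='User']")
    if user_class is None:
        return ["User class is not in the filter"]
    attr = user_class.find(f"./filter-attr[@attr-name='{PASSWORD_ATTR}']")
    if attr is None:
        return [f"{PASSWORD_ATTR} is not in the User filter; no password can flow to AD"]
    findings = []
    # An attribute absent from the filter behaves as Ignore, hence the defaults.
    sub = attr.get("subscriber", "ignore").lower()
    pub = attr.get("publisher", "ignore").lower()
    if sub != EXPECTED_SUBSCRIBER:
        findings.append(f"{PASSWORD_ATTR} subscriber={sub}; expected {EXPECTED_SUBSCRIBER}")
    if pub != EXPECTED_PUBLISHER:
        findings.append(f"{PASSWORD_ATTR} publisher={pub}; expected {EXPECTED_PUBLISHER}")
    return findings


def check_gcv(gcv_xml):
    """Return findings for enable-password-subscribe in a driver GCV export."""
    root = ET.fromstring(gcv_xml)
    definition = root.find(f".//definition[@name='{GCV_NAME}']")
    if definition is None:
        return [f"GCV {GCV_NAME} is not defined"]
    value = (definition.findtext("value") or "").strip().lower()
    if value != "true":
        return [f"GCV {GCV_NAME}={value or 'empty'}; the Subscriber policy will strip "
                "the password and AD will leave the new account disabled"]
    return []


def audit(filter_xml, gcv_xml):
    """Combine both checks; an empty list means both fixes from the TID are in place."""
    return check_filter(filter_xml) + check_gcv(gcv_xml)


# Constructed sample exports (assumed layout, not taken from a real driver).
BROKEN_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Surname" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

FIXED_FILTER = BROKEN_FILTER.replace(
    'attr-name="nspmDistributionPassword" publisher="sync" subscriber="sync"',
    'attr-name="nspmDistributionPassword" publisher="ignore" subscriber="notify"')

BROKEN_GCV = """<configuration-values>
  <definitions>
    <definition display-name="Application accepts passwords from the DirXML data store"
                name="enable-password-subscribe" type="boolean">
      <value>false</value>
    </definition>
  </definitions>
</configuration-values>"""

FIXED_GCV = BROKEN_GCV.replace("<value>false</value>", "<value>true</value>")


if __name__ == "__main__":
    for label, f_xml, g_xml in (("misconfigured", BROKEN_FILTER, BROKEN_GCV),
                                ("fixed", FIXED_FILTER, FIXED_GCV)):
        findings = audit(f_xml, g_xml)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for line in findings:
            print("  -", line)
```

Run it against your own filter and GCV exports; any finding for the misconfigured pair maps directly onto one of the two fixes above, and an empty result for both means neither of the causes described in this TID applies, so the AD password policy itself is the next thing to check.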

document

Document Title: DirXML AD Driver synchronizes new users to AD with Account Disabled
Document ID: 10092822
Solution ID: NOVL96926
Creation Date: 11May2004
Modified Date: 31Jul2006
Novell Product Class: DirXML

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.