Event ID 8204 — Windows to UNIX Password Synchronization Service -- Run-time Issues

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

yellow

Windows to UNIX Password Synchronization Service -- Run-time Issues indicates the functionality of Windows to UNIX password synchronization operations.

When Password Synchronization is configured for Windows-to-UNIX synchronization, and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user's password is to be synchronized on UNIX computers. When the Password Synchronization service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Event Details

Product: Windows Identity Management for UNIX
ID: 8204
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_USER_DISABLED
Message: Password propagation failed. Logon account disabled for user on the specified host. %ruser = %1 %rhost = %2

Resolve

Make sure that the UNIX-based user account is not disabled

Password propagation failed. The account for user username on the specified host has been disabled. This error typically originates in the UNIX computing environment. Make sure that the user account has not been deleted on the UNIX-based host computer.,

If, after checking the UNIX environment, you find that the UNIX-based user account is not disabled, make sure that Password Synchronization has been configured in accordance with guidelines in Best Practices for Password Synchronization in the Password Synchronization Help, especially the following sections that describe how UNIX-based users should be identified to the Windows-based computer running Password Synchronization.

Best Practices for Password Synchronization

  • Configure Password Synchronization to provide the maximum protection for your users' passwords To maintain optimal security, do the following:
    • Explicitly list the users whose passwords are to be synchronized To provide maximum control over which users can synchronize passwords, do not use the ALL keyword with the SYNC_USERS list in sso.conf on the UNIX host. Instead, you should explicitly list each user for whom password synchronization is allowed or blocked. On the Windows-based computer running Password Synchronization, create the PasswordPropAllow group and add the accounts of users whose passwords you want to synchronize. For more information, see "Controlling password synchronization for user accounts."
    • Do not synchronize passwords for disabled UNIX accounts On some versions of UNIX, changing the password of a disabled user account activates that account. Consequently, if a user has a disabled account on a UNIX computer that is configured to synchronize passwords with a Windows-based computer, the user or an administrator can activate the UNIX account by changing the user's Windows password. To prevent this, use the PasswordPropDeny group to block synchronization for disabled UNIX accounts. Also, when an administrator disables a UNIX account, the administrator should use the SYNC_USERS entry in sso.conf to block password synchronization for the account.

If a user is in the Active Directory Users and Computers PasswordPropDeny group and should not be, follow the steps in the procedure "To control password synchronization for user accounts" in this section.

Controlling password synchronization for user accounts

You can control which users' passwords are synchronized by creating two local user groups: PasswordPropAllow and PasswordPropDeny. (Use Active Directory Users and Computers to create the two groups.)

In the PasswordPropAllow group, add the user names for which passwords should be synchronized. In the PasswordPropDeny group, add user names for which passwords should not be synchronized.

Passwords are synchronized for users who are in PasswordPropAllow and are not in PasswordPropDeny.

If PasswordPropAllow does not exist, the effect is the same as if it did exist with all user names in it. If PasswordPropDeny does not exist, the effect is the same as if it did exist with no user names in it.

These rules apply to synchronization from Windows to UNIX and from UNIX to Windows. If a user's password cannot be synchronized from Windows to UNIX, it cannot be synchronized from UNIX to Windows.

You can ensure that the passwords for certain users are never synchronized, even if synchronization is allowed by the Password Synchronization server. To ensure that a UNIX user account will never have its password synchronized with the Windows password, edit the sso.conf file to place the user name of the account, preceded by a minus sign (–), after SYNC_USERS=. For example, to ensure that the password of the root account is never synchronized with a Windows account by that name, make sure that the following line appears in sso.conf:

SYNC_USERS=–root

To control password synchronization for user accounts:

  1. Open Active Directory Users and Computers by clicking Start, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
  2. In the hierarchy pane of the Active Directory Users and Computers snap-in, select Users.
  3. In the results pane, double-click the group PasswordPropDeny.
  4. On the Members tab of the PasswordPropDeny Properties dialog box, add the names of users for whom passwords should not be synchronized. Remove the names of any users for whom passwords must be synchronized. Click OK.
  5. In the results pane, double-click the PasswordPropAllow group.
  6. On the Members tab of the PasswordPropAllow Properties dialog box, add the names of users for whom passwords should be synchronized. Remove the names of any users for whom passwords must not be synchronized. Click OK to close the Properties dialog box when your additions are complete.

Verify

Retry Windows to UNIX password synchronization for failed user password changes to verify that it is operational. Password Synchronization is fully operational when the password synchronization succeeds, and operating under warning conditions if password synchronization fails for some passwords but succeeds for others.

If password synchronization succeeds for some passwords but fails for others, the Windows to UNIX Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.

Related Management Information

Windows to UNIX Password Synchronization Service -- Run-time Issues

Identity Management for UNIX

Community Additions

ADD
Show: