Event ID 12290 — UNIX to Windows Password Synchronization Service -- Run-time Issues

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

yellow

UNIX to Windows Password Synchronization Service -- Run-time Issues indicates the functionality of UNIX to Windows password synchronization operations.

When Password Synchronization is configured for UNIX to Windows synchronization, and UNIX to Windows synchronization is functioning normally, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization pluggable authentication module (PAM) makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.

Event Details

Product: Windows Identity Management for UNIX
ID: 12290
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_USER_NOT_ALLOWED_WARN
Message: Password propagation denied for user. User is not in PasswordPropAllow group. %ruser = %1

Resolve

Make sure that the user is a member of the PasswordPropAllow group

Password propagation is denied for user username. User is not in the PasswordPropAllow group. For more information, see "Controlling password synchronization for user accounts" in the Password Synchronization Help.

Controlling password synchronization for user accounts

You can control which users' passwords are synchronized by creating two local user groups: PasswordPropAllow and PasswordPropDeny. (Use Active Directory Users and Computers to create the two groups.)

In the PasswordPropAllow group, add the user names for which passwords should be synchronized. In the PasswordPropDeny group, add user names for which passwords should not be synchronized.

Passwords are synchronized for users who are in PasswordPropAllow and are not in PasswordPropDeny.

If PasswordPropAllow does not exist, the effect is the same as if it did exist with all user names in it. If PasswordPropDeny does not exist, the effect is the same as if it did exist with no user names in it.

These rules apply to synchronization from Windows to UNIX and from UNIX to Windows. If a user's password cannot be synchronized from Windows to UNIX, it cannot be synchronized from UNIX to Windows.

To add a user to the PasswordPropAllow group:

  1. Open Active Directory Users and Computers by clicking Start, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
  2. In the hierarchy pane of the Active Directory Users and Computers snap-in, select Users.
  3. In the results pane, double-click the group PasswordPropAllow to modify its properties.
  4. On the Members tab of the PasswordPropAllow Properties dialog box, add the names of users for whom passwords should be synchronized.
  5. Click OK to close the Properties dialog box when your additions are complete.

Verify

To verify the functional state of UNIX to Windows password synchronization, retry UNIX to Windows password synchronization. UNIX to Windows password synchronization is fully operational when the password synchronization succeeds, and functioning with warning conditions present if password synchronization fails for some passwords but succeeds for others.

If password synchronization succeeds for some passwords but fails for others, the UNIX to Windows Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.

Related Management Information

UNIX to Windows Password Synchronization Service -- Run-time Issues

Identity Management for UNIX

Community Additions

ADD
Show: