Event ID 12290 — UNIX to Windows Password Synchronization Service -- Run-time Issues
Applies To: Windows Server 2008
.jpg)
UNIX to Windows Password Synchronization Service -- Run-time Issues indicates the functionality of UNIX to Windows password synchronization operations.
When Password Synchronization is configured for UNIX to Windows synchronization, and UNIX to Windows synchronization is functioning normally, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization pluggable authentication module (PAM) makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.
Event Details
| Product: | Windows Identity Management for UNIX |
| ID: | 12290 |
| Source: | Microsoft-Windows-IDMU-PSync |
| Version: | 6.0 |
| Symbolic Name: | MSG_USER_NOT_ALLOWED_WARN |
| Message: | Password propagation denied for user. User is not in PasswordPropAllow group. %ruser = %1 |
Resolve
Make sure that the user is a member of the PasswordPropAllow group
Password propagation is denied for user username. User is not in the PasswordPropAllow group. For more information, see "Controlling password synchronization for user accounts" in the Password Synchronization Help.
Controlling password synchronization for user accounts
You can control which users' passwords are synchronized by creating two local user groups: PasswordPropAllow and PasswordPropDeny. (Use Active Directory Users and Computers to create the two groups.)
In the PasswordPropAllow group, add the user names for which passwords should be synchronized. In the PasswordPropDeny group, add user names for which passwords should not be synchronized.
Passwords are synchronized for users who are in PasswordPropAllow and are not in PasswordPropDeny.
If PasswordPropAllow does not exist, the effect is the same as if it did exist with all user names in it. If PasswordPropDeny does not exist, the effect is the same as if it did exist with no user names in it.
These rules apply to synchronization from Windows to UNIX and from UNIX to Windows. If a user's password cannot be synchronized from Windows to UNIX, it cannot be synchronized from UNIX to Windows.
To add a user to the PasswordPropAllow group:
- Open Active Directory Users and Computers by clicking Start, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
- In the hierarchy pane of the Active Directory Users and Computers snap-in, select Users.
- In the results pane, double-click the group PasswordPropAllow to modify its properties.
- On the Members tab of the PasswordPropAllow Properties dialog box, add the names of users for whom passwords should be synchronized.
- Click OK to close the Properties dialog box when your additions are complete.
Verify
To verify the functional state of UNIX to Windows password synchronization, retry UNIX to Windows password synchronization. UNIX to Windows password synchronization is fully operational when the password synchronization succeeds, and functioning with warning conditions present if password synchronization fails for some passwords but succeeds for others.
If password synchronization succeeds for some passwords but fails for others, the UNIX to Windows Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.
Related Management Information
UNIX to Windows Password Synchronization Service -- Run-time Issues