Using the Force Password Sync (FPS) option for NDS for NT
Novell Cool Solutions: Feature
Posted: 11 Jun 2001
Version: NDS for NT 2.0
We've had several inquiries about how to use FPS, so here's a nice explanation of how to set it, and how it affects migrated users.
Setting the FPS Option
NDS for NT 2.0 introduced a new feature called "Force Password Sync" (FPS). There are three places in NDS for NT 2.0 that allow the option Force Password Sync to be enabled.
- The first is during the NDS4NT install. During the initial migration you can check the box labeled Force Password Sync. This will cause the user's passwords to expire and will also cause the Force Password Sync box to be checked in the Domain Access page for the user's NDS object. When the user next logs in, they will be prompted to choose a new password. When they do, the password will be changed in both NDS and the domain.
- The second place for Force Password Sync to be enabled is as follows: when User Details is brought up for a user object, and the Domain Access page is selected, the Force Password Sync box is available. Once this is checked, password changes made through the object's Password Restrictions page will be synchronized with the domain password. This will be true for any Windows password change application but is not true of DOS applications such as SETPASS. See Help on the Domain Access page for further information.
- The third place to set Force Password Sync is in the Identification page for the domain object in the Advanced Settings. This setting is only for new users created with USER MANAGER FOR DOMAINS. Again, see the Help associated with that page for further information.
All of this is contingent upon using Novell Client for Windows 95 v 3.0 or higher or the Novell Client for Windows NT v 4.5 or higher.
If an existing NDS user is added as a member of the domain object, and the Force Password Sync box is checked for that user, then when the user next logs in the NDS password is still the same as it was and, since the user is new in the domain, the NT password is blank (no password). Once the password is changed, the two passwords will be synchronized.
How FPS Affects Migrated Users
When FPS is set during Domain migration (during the installation of NDS for NT) it will affect the migrated users differently depending on the migration type. If the migrated user was set to "Create As," then FPS will be set ON for the NDS/NT user. If the migrated user was set to "Associate With," then FPS will be left OFF for the NDS/NT user (unless it was already set to ON prior to migration; the migration itself will not set it ON).
The NDS for NT migration will successfully migrate the NT MD40 encrypted password, so that the user will log in to the NT Domain with the same password as they used before the migration. Once the migration has completed, the administrator must manually set FPS to ON for all users that were migrated with the "Associate With" setting. If there are a lot of users, it is recommended that the administrator use the "Details on Multiple Users" option to set FPS to ON for all users in a container.
A potential problem is that any user that was migrated with the "Create As" setting will only be valid for an NT login. An attempt to log in to NDS as this user will generate an error. See TID 2934587 for details on this issue. Administrators must set the NDS password or otherwise "touch" the password to create the necessary attribute links that will allow the user to log in.
At this point, when the user logs in to NDS/NT one of the following will happen:
- If the NDS and NT passwords were the same before migration and FPS is set to ON, the password is still expired. The user will successfully be logged into both NDS and NT with the single password, but will need to change that password.
- If the passwords were different before migration, then the user will have to enter both passwords (the MS logon GUI will pop up after Novell's NWGINA) and should mark the option "Change your Windows NT password to match your NetWare password after a successful login" to change the NT password to match NDS. From this point, if FPS is set to ON, the passwords will stay matched.
Once the passwords are synchronized they will remain synchronized when using any of the following methods to change the password:
- User Manager for Domains
- Ctrl-Alt-Del and clicking on "Change Password"
- Using the "Change Password" button in NWADMN32 for the user object's details
- Changing password during login when the previous passwords have expired
A good method for future users is to create a User Template that has the appropriate Domain memberships with FPS set to ON. As mentioned above, this will expire the NDS password and set the NT and NDS passwords to "No Password"/blank. After the first login, the user will be prompted to change their password, which will change both the NDS and NT passwords.
For more information, see TID 10016390
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com