Event ID 12289 — UNIX to Windows Password Synchronization Service -- Run-time Issues
Applies To: Windows Server 2008 R2
UNIX to Windows Password Synchronization Service -- Run-time Issues indicates the functionality of UNIX to Windows password synchronization operations.
When Password Synchronization is configured for UNIX to Windows synchronization, and UNIX to Windows synchronization is functioning normally, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization pluggable authentication module (PAM) makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.
|Product:||Windows Identity Management for UNIX|
|Message:||Password propagation denied for user. User is in PasswordPropDeny group. %ruser = %1|
Make sure that the user is not a member of the PasswordPropDeny group
Password propagation was denied for the user referenced in the error message. This user is in the PasswordPropDeny group. For more information, see "Controlling password synchronization for user accounts" in the Password Synchronization Help.
Controlling password synchronization for user accounts
You can control which users' passwords are synchronized by creating two local user groups: PasswordPropAllow and PasswordPropDeny. (Use Active Directory Users and Computers to create the two groups.)
In the PasswordPropAllow group, add the user names for which passwords should be synchronized. In the PasswordPropDeny group, add user names for which passwords should not be synchronized.
Passwords are synchronized for users who are in PasswordPropAllow and are not in PasswordPropDeny.
If PasswordPropAllow does not exist, the effect is the same as if it did exist with all user names in it. If PasswordPropDeny does not exist, the effect is the same as if it did exist with no user names in it.
These rules apply to synchronization from Windows to UNIX and from UNIX to Windows. If a user's password cannot be synchronized from Windows to UNIX, it cannot be synchronized from UNIX to Windows.
To remove users from the PasswordPropDeny group:
- Open Active Directory Users and Computers by clicking Start, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
- In the hierarchy pane of the Active Directory Users and Computers snap-in, select Users.
- In the results pane, double-click the group PasswordPropDeny to modify its properties.
- On the Members tab of the PasswordPropDeny Properties dialog box, remove the names of users for whom passwords should be synchronized.
- Click OK to close the Properties dialog box when your additions are complete.
To verify the functional state of UNIX to Windows password synchronization, retry UNIX to Windows password synchronization. UNIX to Windows password synchronization is fully operational when the password synchronization succeeds, and functioning with warning conditions present if password synchronization fails for some passwords but succeeds for others.
If password synchronization succeeds for some passwords but fails for others, the UNIX to Windows Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.