
On Demand Migration Current - Active Directory User Guide

Password Sync

What is Password Sync?  

The Password Sync feature is designed to synchronize passwords from environment to environment without being directly tied to workflows.

However, a workflow that reads all the users in scope for password sync must exist and there must be a workflow that matches the source to target objects. If there is no match, passwords will not be synchronized.

 

How many agents can be set to monitor password changes?  

You may only have one agent set to detect password changes. Having a single agent for this task avoids conflicts caused by multiple agents updating passwords at the same time.

 

What does the Allow password changes option do?  

When the “Allow password changes” option is selected, object passwords will be updated if matched to any environment set to detect password changes.

 

How is it determined which users are in scope for password sync?  

The environment filter determines which users are in scope for password change. If matched and in environment scope, they will be updated if a source changes.

 

Is two-way password sync possible?  

Two-way password sync is possible by selecting to monitor password changes in the source and target environments.

 

Are passwords encrypted during password sync?  

The password hash is stored encrypted in the database to determine if password changes must occur on the target. Passwords are never converted to plain text.

 

How often does the agent check for password changes?  

The agent designated for password change monitoring checks for changes every 30 seconds.

Creating an alert for when agents go offline is recommended in case the password monitoring agent encounters an issue.

 

What access is needed?  

The account that the agent has been configured with must have access to the admin$ share of the domain controllers.

 

Can password sync be applied to a subset of users?

An LDAP query can be entered in the LDAP Filter field to control the application of the Password Sync feature.
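One way to preview which accounts an LDAP query matches before entering it in the LDAP Filter field. This is an added example, not part of the product documentation; it assumes the ActiveDirectory PowerShell module is available, and the group name and DN are hypothetical.

```powershell
# Added example: preview an LDAP filter before using it to scope Password Sync.
# Requires the ActiveDirectory module (RSAT). The group DN below is hypothetical.
Import-Module ActiveDirectory

$groupDn = 'CN=PwdSync-Pilot,OU=Groups,DC=contoso,DC=com'   # hypothetical pilot group

# Enabled user objects that are direct members of the pilot group.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
# userAccountControl bit 2 is ACCOUNTDISABLE, so the (!...) clause keeps enabled accounts.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              "(memberOf=$groupDn))"

# @() forces an array so .Count is correct for zero or one result.
$users = @(Get-ADUser -LDAPFilter $ldapFilter -Properties adminCount, PasswordLastSet)

Write-Host "Filter to review : $ldapFilter"
Write-Host "Matched accounts : $($users.Count)"

# adminCount = 1 marks accounts that are, or have been, members of protected groups.
# List them so the decision to include privileged accounts in scope is deliberate.
$privileged = @($users | Where-Object { $_.adminCount -eq 1 })
if ($privileged.Count -gt 0) {
    Write-Warning "$($privileged.Count) matched account(s) have adminCount = 1:"
    $privileged | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# Full list of matched accounts for sign-off before the filter goes live.
$users |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, Enabled, PasswordLastSet |
    Format-Table -AutoSize
```

An empty result usually means the filter is too narrow or the group has only nested members, since memberOf matches direct membership only.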

 

What is Password Propagation Service?

Password Propagation Service is a component of Directory Sync that allows password synchronization in environments without RC4 Encryption. Unlike the Legacy Password Monitor Service, which requires RC4 Encryption, Password Propagation Service simply copies the password from the source to the target. When a password changes in the source, the password filter installed on every domain controller in the source environment will capture the password and use the Password Propagation Service to set the password in the target using LDAPS security. Please refer to the On Demand Migration Password Propagation Service User Guide for installation/configuration.

 

What is Modern Password Monitor Service?

Modern Password Monitor Service adds support for Microsoft Advance LSA Protection by installing a Password Filter on the Domain Controller. Additional details about Modern Password Monitor Service can be found in the On Demand Migration Active Directory Modern Password Sync Setup Quick Start Guide.

Alerts

What is an Alert?  

Alerts may be added to keep administrators informed of the successful completion and/or failure of any workflow. Alerts are delivered as status emails to the designated recipients. For each workflow, choose the previously created alerts or add a new alert. Add multiple recipients by separating the addresses with a semicolon.

 

Where do I manage Alerts?  

To manage workflow alerts, open the left navigation menu and click Alerts, located under Settings (see Figure 1).

Figure 1: Directory Sync Setup and Settings Menu


 

How do you set up a new Alert?  

Follow these steps to create a new workflow alert.

  1. Navigate to Alerts.
  2. Click New.
  3. Enter a Name, click Next.
  4. Enter recipients. To add multiple recipients, separate addresses with a semicolon ( ; ).
  5. Click Next.
  6. Choose Language preference, click Next.
  7. Choose which events trigger alerts.
  8. Choose Workflow Failure at a minimum.
  9. Do not choose Local Agent Offline for Cloud-only workflows and environments.
  10. Click Next.
  11. Click Finish.

 

How do you add an Alert to a workflow?  

Follow these steps to add an alert to an existing workflow.

  1. Navigate to Workflows.
  2. Locate and select the Write workflow created earlier.
  3. Click the Settings button.
  4. Click Alerts.
  5. Click Add.
  6. Select the Alert created in the previous steps.
  7. Click OK.
  8. Navigate to Workflows.
  9. Repeat these steps for each workflow.

 

What workflow events can generate an alert?  

You can select to have an email notification sent when the workflow finishes for the following events:

  • Workflow Completion - A notification will be sent each time your workflow completes successfully.
  • Workflow Failure - A notification will be sent each time your workflow fails.
  • Local Agent Offline - A notification will be sent each time local agents go offline.

 

How do I edit an Alert?  

Alerts can be edited on the Alerts page by selecting an Alert in the table and clicking "Settings."

 

How do I enable or disable an Alert?  

Active alerts can be disabled on the Alerts page by selecting the alert in the table and clicking "Disable." Disabled alerts can be activated on the Alerts page by selecting the alert in the table and clicking "Enable."

 

Additional Information  

Workflows

Workflow Test Mode

Evaluate Changed Objects Only

Scripts

What is a script?  

A script entry is used to securely store a PowerShell script file and can be run as part of a workflow at any point in the process using the Script Task.

 

Where do I manage saved Scripts?  

To manage saved scripts, open the left navigation menu and click Scripts, located under Settings (see Figure 1).

Figure 1: Directory Sync Setup and Settings Menu


 

How do you select a PowerShell script to run?  

On the Run PowerShell Scripts screen, choose an existing script to run. Stop workflow on error will stop the workflow if an error is encountered, so placement of this step within the workflow sequence must be considered.

 

How do you add a new PowerShell script?  

On the Scripts page, click the New button to add a new script to the collection. Name your script, and choose a local environment for it to apply to. Directory Sync does not validate your scripts, so be sure that you test them first in a non-production environment. Note that all scripts are run under the service account, and an account with the required AD rights must be configured to log on to the service.
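Because Directory Sync does not validate scripts and they run under the service account, a static pre-check before saving a script can catch syntax errors and show which commands it calls. The following is an added example, not part of the product; the function name, the review list and the sample script are hypothetical, and it complements rather than replaces testing in a non-production environment.

```powershell
# Added example: parse a script without running it and list the commands it invokes.
function Test-WorkflowScript {
    param([Parameter(Mandatory)][string] $Path)

    $tokens = $null
    $errors = $null
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # The PowerShell parser builds an AST and reports syntax errors; nothing is executed.
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $fullPath, [ref]$tokens, [ref]$errors)

    # Every command invocation, including those inside nested script blocks.
    # GetCommandName() returns $null for dynamically built names, which are dropped here.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } |
        Where-Object { $_ } |
        Sort-Object -Unique

    # Illustrative list of commands worth a manual look in a script that runs with AD rights.
    $review = 'Invoke-Expression', 'Invoke-WebRequest', 'Invoke-RestMethod', 'Start-Process'

    [pscustomobject]@{
        Path        = $fullPath
        ParseErrors = @($errors | ForEach-Object {
                          "line $($_.Extent.StartLineNumber): $($_.Message)" })
        Commands    = @($commands)
        NeedsReview = @($commands | Where-Object { $_ -in $review })
    }
}

# Constructed sample script with a deliberate syntax error (missing closing brace).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-task.ps1'
@'
Import-Module ActiveDirectory
Get-ADUser -Filter * | ForEach-Object {
    Set-ADUser $_ -Description "Migrated"
'@ | Set-Content -LiteralPath $sample

Test-WorkflowScript -Path $sample | Format-List
```

A script is ready to upload for non-production testing only when ParseErrors is empty and every entry under Commands is expected.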

Data Sets

What is a Data Set?  

Data Sets can be used in conjunction with the “LookupValue” function to find source values and replace with target values.

 

What are Data Sets used for?  

Data Sets are ideal for managing long lists of replacement strings commonly associated with Directory migration and consolidation projects.

 

For example, if a Data Set is named "Domains" and you want to replace "contoso.com" with "hr.contoso.com", set the Key Value to "contoso.com" and Return Value to "hr.contoso.com".  Then in the appropriate attribute advanced mapping (e.g. UserPrincipalName) you could reference a formula like, LookupValue('Domains', s.UserPrincipalName, null)

This formula will find contoso.com in the UserPrincipalName attribute and replace it with hr.contoso.com.

 

Some other common use cases might be:

  • Update common attribute values like Department from the old format to the new format (e.g. HR to Human Resources)
  • Reorganize OUs by applying data sets to determine the target OU
  • Map complex environments with multiple source domains to different target domains
  • Break down complex text strings into smaller pieces for use within another function

 

Where do I manage saved Data Sets?  

To manage saved data sets, open the left navigation menu and click Data Sets, located under Settings (see Figure 1).

Figure 1: Directory Sync Setup and Settings Menu


 

How do I create a new Data Set?  

To create a Data Set:

  1. Select "Data Sets" under Settings in the left navigation menu.
  2. Click “New”.
  3. On the General tab, enter a name and description for the Data Set and click "Save".
  4. Click the "Values" tab.
  5. Click "New" to enter key values and return values or click "Import" to choose a file of key values and return values. If importing a data set, click "Download Example" to download an example CSV.

 

How do I import a Data Set?  

On the Data Sets details screen, click the Import button to select a CSV with Key Value and Return Value columns.

Note: The imported CSV will replace any existing data in the data set.

 

Can you export a Data Set?  

Select the data set(s) and click the Export button to generate a CSV file of existing data sets. You can then use the Import action to upload modifications to the list if desired.

 

How do I archive a Data Set?  

Select the data set(s) and click the Archive button to archive the data set(s).
