The Password Sync feature is designed to synchronize passwords from environment to environment without being directly tied to workflows.
However, a workflow that reads all the users in scope for password sync must exist, and there must be a workflow that matches the source objects to the target objects. If there is no match, passwords will not be synchronized.
You may only have one agent set to detect password changes. Having a single agent for this task avoids conflicts caused by multiple agents updating passwords at the same time.
When the “Allow password changes” option is selected, an object's password will be updated if the object is matched to any environment set to detect password changes.
The environment filter determines which users are in scope for password change. If matched and in environment scope, they will be updated if a source changes.
Two-way password sync is possible by selecting to monitor password changes in the source and target environments.
The password hash is stored encrypted in the database to determine if password changes must occur on the target. Passwords are never converted to plain text.
The agent designated for password change monitoring checks for changes every 30 seconds.
Creating an alert for when agents go offline is recommended in case the password monitoring agent encounters an issue.
The account that the agent has been configured with must have access to the admin$ share of the domain controllers.
An LDAP query can be entered in the LDAP Filter field to control the application of the Password Sync feature.