Synchronize Active Directory User Password with Local Server Password

Posted on 2011-10-25
Last Modified: 2012-08-06
Good morning-

We have a particular application in our environment that is not able to utilize Active Directory accounts for authentication.  Instead, it needs local accounts on the server running the program.  Separate from that, we have a production AD domain that has a user account for the people within our organization.  This is your standard AD domain that handles PC policies, password policies, houses our PCs, servers, etc.  In order for one of our units to do their work, their AD account password and the local server password need to match (the local server account IDs are identical to the AD IDs, so John Doe has a DOMAIN\jdoe and a SERVER\jdoe account).

The problem comes when our AD password policies require the user to change their DOMAIN password.  This can be done from their PC without issue, but now the password for DOMAIN\jdoe does not match SERVER\jdoe and the application has issues.  At this point, they submit a ticket to our Help Desk, which sends it to Server Support (my unit).  A person from Server Support logs into SERVER, goes to the user's local account, and the user enters the same password they entered earlier when prompted by their PC, so that now SERVER\jdoe matches DOMAIN\jdoe again.

Given that the application requires local accounts (this is already a touchy subject around here), is there a better way to keep these passwords synchronized?  If it's possible, we're not against a script that runs every X minutes and synchronizes their SERVER password to match their DOMAIN password.  Or something that the user can run when they change their DOMAIN password that will allow them to change their SERVER password without needing someone from Server Support to log them on to SERVER.

One final point: SERVER is also a member of DOMAIN, and SERVER and the DCs for DOMAIN are all on the same subnet.
Question by: hesc_7555

    Accepted Solution

    When using application passwords, it is very common to use domain and user accounts that don't change. While it can be a security vulnerability, you can coordinate a manual password update interval and then get the script to change the password from

    ' Placeholder: the new password to apply (never hard-code a real one in a script)
    strNewPassword = "<new password>"

    ' Bind to a single local account through the WinNT provider and reset it
    Set objUser = GetObject("WinNT://atl-ws-01/Administrator")
    objUser.SetPassword strNewPassword
    objUser.SetInfo

    ' Or walk every computer object in an OU and reset the same local account on each
    Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
    objOU.Filter = Array("Computer")

    For Each objItem in objOU
        strComputer = objItem.CN
        Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
        objUser.SetPassword strNewPassword
        objUser.SetInfo
    Next

    or -


    I hope this helps
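The asker's second option (something the user can run on SERVER after changing their DOMAIN password) can be built on the same WinNT provider the answer uses. The following is an added example, not code from the thread or from either poster; it assumes an elevated PowerShell session on SERVER, and the names `Sync-LocalPasswordFromDomain`, `jdoe` and `DOMAIN` are placeholders. It only touches the local account after the domain has accepted the typed password, so a typo cannot push the two accounts further apart.

```powershell
# Added example (not from the original thread). Run elevated on SERVER:
# prompt the user for the password they just set on DOMAIN, confirm the
# domain accepts it, then apply the same password to the local SAM account.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Sync-LocalPasswordFromDomain {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # placeholder, e.g. jdoe
        [Parameter(Mandatory)] [string] $Domain      # placeholder, e.g. DOMAIN
    )

    # The user types the password themselves; it is never echoed or logged.
    $secure = Read-Host -Prompt "Current $Domain\$UserName password" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

        # Check the password against DOMAIN before changing anything local.
        # A wrong password here is a failed domain logon and counts toward
        # the domain lockout threshold, so do not loop on it automatically.
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
        if (-not $ctx.ValidateCredentials($UserName, $plain)) {
            throw "Password rejected by $Domain for $UserName; local account left unchanged."
        }

        # Same WinNT provider as the accepted answer, aimed at this server's SAM.
        $path = "WinNT://$env:COMPUTERNAME/$UserName,user"
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            throw "No local account named $UserName on $env:COMPUTERNAME."
        }
        $local = [ADSI]$path
        $local.SetPassword($plain)   # local password policy still applies
        $local.SetInfo()
        Write-Host "Local $env:COMPUTERNAME\$UserName now matches $Domain\$UserName."
    }
    finally {
        # Release the plaintext copy as soon as it is no longer needed.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
}

# Usage: Sync-LocalPasswordFromDomain -UserName jdoe -Domain DOMAIN
```

Because setting a local password needs administrative rights on SERVER, the script is still run by Server Support (or a constrained scheduled task), but the user, not the support engineer, supplies the password.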

