Synchronize Active Directory User Password with Local Server Password
Posted on 2011-10-25
We have a particular application in our environment that is not able to utilize Active Directory accounts for authentication. Instead, it needs local accounts on the server running the program. Separate from that, we have a production AD domain that has user accounts for the people within our organization. This is your standard AD domain that handles PC policies, password policies, houses our PCs, servers, etc. In order for one of our units to do their work, their AD account password and the local server password need to match (the local server account IDs are identical to the AD IDs, so John Doe has a DOMAIN\jdoe and a SERVER\jdoe account).
The problem comes when our AD password policies require the user to change their DOMAIN password. This can be done from their PC without issue, but now the password for DOMAIN\jdoe does not match SERVER\jdoe and the application has issues. At this point, they submit a ticket to our Help Desk, which sends it to Server Support (my unit). A person from Server Support logs into SERVER, goes to the user's local account, and the user enters the same password they entered earlier when prompted by their PC, so that now SERVER\jdoe matches DOMAIN\jdoe again.
Given that the application requires local accounts (this is already a touchy subject around here), is there a better way to keep these passwords synchronized? If it's possible, we're not against a script that runs every X minutes and synchronizes their SERVER password to match their DOMAIN password. Or something that the user can run when they change their DOMAIN password that will allow them to change their SERVER password without needing someone from Server Support to log them on to SERVER.
One final point: SERVER is also a member of DOMAIN, and SERVER and the DCs for DOMAIN are all on the same subnet.
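The second option described in the post, something the user can run themselves after changing their DOMAIN password, can be done without giving anyone from Server Support a logon on SERVER. The script below is an added example, not code from the original post. It assumes the names SERVER and DOMAIN are placeholders for the real member server and domain, that the user's local account name on SERVER is the same as their AD sAMAccountName, and that the user still knows their previous password (which is what SERVER\jdoe currently holds). It first validates the new password against the domain so a typo is never pushed into the local account, then uses the WinNT ADSI provider's ChangePassword(old, new), which runs as the user and therefore needs no administrative rights on SERVER and is still subject to SERVER's local password policy.

```powershell
# Added example, not from the original post. Run by the user on a
# domain-joined PC after they have changed their DOMAIN password.
# Assumptions: SERVER and DOMAIN are placeholder names; the local account
# name on SERVER equals the AD sAMAccountName; the user knows the previous
# password, which is the one SERVER still has.
param(
    [string]$Server = 'SERVER',      # placeholder: member server holding the local accounts
    [string]$Domain = 'DOMAIN',      # placeholder: AD domain NetBIOS name
    [string]$User   = $env:USERNAME  # same ID in DOMAIN and on SERVER
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$old = Read-Host -AsSecureString "Previous password (the one $Server still has)"
$new = Read-Host -AsSecureString "New $Domain password"

# Decrypt a SecureString only for the two API calls below, then free the BSTR.
function ConvertFrom-Secure([securestring]$s) {
    $b = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b) }
}
$oldPlain = ConvertFrom-Secure $old
$newPlain = ConvertFrom-Secure $new

# 1. Confirm the new password really is the current DOMAIN password.
#    If this fails, nothing on SERVER is touched.
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType, $Domain
if (-not $ctx.ValidateCredentials($User, $newPlain)) {
    $oldPlain = $null; $newPlain = $null
    throw "The new password did not validate against $Domain. Local password on $Server left unchanged."
}

# 2. Change the local account's password on SERVER as the user.
#    ChangePassword(old, new) requires the old password and honours the
#    server's local password policy, so no admin rights are involved.
$local = [ADSI]"WinNT://$Server/$User,user"
$local.ChangePassword($oldPlain, $newPlain)

# Drop the plaintext copies as soon as they are no longer needed.
$oldPlain = $null; $newPlain = $null
Write-Host "$Server\$User now matches $Domain\$User."
```

Two caveats worth knowing before rolling this out. First, the "script that runs every X minutes" variant in the post cannot be built this way: AD stores only password hashes, and nothing with ordinary rights can read a user's current DOMAIN password back out to copy it to SERVER, so a user-driven change (or a Server Support reset, as today) is the realistic path. Second, if the user has forgotten the previous password, ChangePassword will fail and the existing Help Desk route is still needed; for that case the SERVER\jdoe local account can be reset by an administrator with Set-LocalUser or the WinNT provider's SetPassword, which is the same operation Server Support performs manually now.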