What is the best method of synchronizing passwords across eDirectory and Active Directory?

Posted on 2011-10-25
Last Modified: 2012-05-12
I am trying to find the simplest way of synchronizing login passwords for our users. I'm looking at Novell's Identity Manager and Microsoft Identity Integration. Both are rather complicated and overkill for what we are trying to do. Does anyone have any suggestions or experience? We are using AD on MS 2003 server and Novell OES 2 SP2; we also have ZENworks and Group Policies deployed, if this info helps. Thanks!
Question by:sbaines

    Accepted Solution

    If you have any mechanism to deploy user accounts you could use that same mechanism to change passwords. With the official identity management mechanisms the password change in any environment is captured and sent to the other.
    By using an external mechanism (e.g. through a webpage) you can change both passwords through LDAP. You have to make sure though that password changing through the usual interface (Ctrl-Alt-Del - Change password) is disabled.
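
The approach described in the accepted answer (one external front end that changes both passwords through LDAP), as an added example that is not part of the original answer. The `Target` tuple, the DNs and the `modify` callables are hypothetical: the caller wires `modify` to its LDAP library's modify call on a TLS-protected connection, and the delete/add pattern on `userPassword` is assumed for eDirectory.

```python
from typing import Callable, NamedTuple

def ad_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd value: the password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def ad_change_ops(old: str, new: str) -> dict:
    # A user-level change in AD is one modify: delete old value, add new.
    return {"unicodePwd": [("delete", [ad_unicode_pwd(old)]),
                           ("add", [ad_unicode_pwd(new)])]}

def edir_change_ops(old: str, new: str) -> dict:
    # Same delete/add pattern on userPassword (assumed for eDirectory).
    return {"userPassword": [("delete", [old]), ("add", [new])]}

class Target(NamedTuple):            # hypothetical wiring for one directory
    name: str
    dn: str
    build_ops: Callable[[str, str], dict]
    modify: Callable[[str, dict], bool]   # True when the server accepted it
    tls: bool                             # connection is LDAPS/StartTLS

def change_both(targets, old, new):
    """Change the password everywhere, or revert what was already changed."""
    for t in targets:  # check transport before touching any directory
        if not t.tls:
            raise ValueError(f"{t.name}: refusing to send a password without TLS")
    changed = []
    for t in targets:
        if t.modify(t.dn, t.build_ops(old, new)):
            changed.append(t)
            continue
        # This directory rejected the change: put the earlier ones back.
        stuck = [c.name for c in changed
                 if not c.modify(c.dn, c.build_ops(new, old))]
        return {"ok": False, "failed": t.name, "not_reverted": stuck}
    return {"ok": True, "failed": None, "not_reverted": []}

if __name__ == "__main__":
    # Constructed demo: AD accepts, eDirectory rejects, so AD is reverted.
    log = []
    accept = lambda dn, ops: log.append(dn) or True
    reject = lambda dn, ops: False
    print(change_both([
        Target("AD", "CN=jdoe,OU=Staff,DC=example,DC=com", ad_change_ops, accept, True),
        Target("eDir", "cn=jdoe,o=example", edir_change_ops, reject, True),
    ], "Old#2011", "New#2012"), log)
```

A revert can be refused by password history or minimum-age policy, so any directory listed in `not_reverted` needs a help desk reset.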

    Expert Comment

    I feel your pain with respect to trying to sync passwords. Many of the directory sync products are bloat for what you want them for. As deroode mentioned, going to an external password changing mechanism that can set both passwords at once could be your best bet.

    What I would look into is various password self service products out there. Many vendors offer multi-platform support which would satisfy your needs. It also kills two birds with one stone by offering your users a way to reset their passwords themselves and offloading those calls away from your helpdesk. ROI on these products is usually within a year or two.

    Author Comment

    Thanks to you both for your replies! Yeah, right now my poor Help Desk guys have nothing but trouble with end-users just to change expired passwords.

    Expert Comment

    About 40% of our helpdesk load between 7:30 and 9:00am was password resets. Increasing their productivity as well as the users' is easy ROI for a manager to see.

    These aren't the only two, but check out products like these:

    Both offer password sync options that will solve your initial problem.

    Assisted Solution

    If you own ZENworks, you very likely own the Novell IDM starter pack that will sync user accounts and passwords between eDirectory and AD. Novell shipped the starter pack with ZEN because they realized that companies were authenticating to AD but wanting the power of ZENworks for desktop management. ZENworks 7 and earlier require eDirectory for their management. ZENworks 10 and 11 are directory agnostic and will use eDirectory, AD or another LDAP source, plus they keep all of their objects in their own database and not in any directory service.

    The IDM starter pack is relatively straightforward to set up and works quite well to sync users and passwords between the two.


    Expert Comment

    We use Novell IDM for this purpose. It might look like overkill, but it works as advertised. Listen to ZENandEmailguy about the Starter Pack.

    Expert Comment

    by:Kevin Cross
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
