2.5 Configuring System Permissions

To retrieve a user’s password on the Publisher channel, the driver requires system permissions in addition to Active Directory permissions.

Identity Manager also configures specific permissions for its own internal components. On domain controllers, the PWFilter component runs using SYSTEM privileges, so the local system account should have full permissions to the HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PwFilter\Data registry key, as well as any sub-keys.

The driver shim runs using SYSTEM privileges by default, so the system account should also have full permissions to the HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PassSync\Data registry key, as well as any sub-keys. If the driver is run using any other account, that account should be given full permissions to the HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PwFilter\Data registry key, as well as any sub-keys. The account should also be a member of the Administrators group.

NOTE: The driver automatically provides default permissions to both PWFilter and the driver shim. Modifying these permissions can affect the functionality of the driver and should be performed with caution.
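The following read-only PowerShell check is an added example, not part of the product documentation: it reports whether an account holds Full Control on the two registry keys named above and on every sub-key. The `-Account` parameter and the function name `Test-FullControl` are illustrative, and the check looks only at access entries that name the account directly, not rights gained through group membership.

```powershell
# Added example: read-only audit of the registry permissions described above.
# Run from an elevated session on the domain controller or the driver host.
param(
    # Account the component runs as; SYSTEM is the documented default.
    [string]$Account = 'NT AUTHORITY\SYSTEM'
)

$keys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PwFilter\Data',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PassSync\Data'
)
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value

function Test-FullControl {
    param([string]$RegPath)
    # Resolve rules to SIDs so the match does not depend on localized names.
    $rules = (Get-Acl -LiteralPath $RegPath).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid }
    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    }
    $deny = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    # A Deny entry for the account takes precedence, so both are checked.
    [bool]$allow -and -not $deny
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath "Registry::$key")) {
        # PwFilter is expected on domain controllers, PassSync on the driver host.
        [pscustomobject]@{ Key = $key; Status = 'KeyNotFound' }
        continue
    }
    # The key itself plus every sub-key, as the documentation requires.
    $names = @($key) + @(Get-ChildItem -LiteralPath "Registry::$key" -Recurse `
        -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    foreach ($name in $names) {
        $ok = Test-FullControl -RegPath "Registry::$name"
        [pscustomobject]@{
            Key    = $name
            Status = if ($ok) { 'FullControl' } else { 'MISSING' }
        }
    }
}
$report | Format-Table -AutoSize
```

A `MISSING` row after a permissions change identifies the key or sub-key where the default permissions were altered.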