6.0 Checking the Password Synchronization Status for a User

You can determine whether the Distribution password for a specific user is the same as the password in the connected system.

  1. In iManager, open the Identity Manager Administration page.

  2. In the Passwords list, click Check Password Status.

  3. Browse to and select a user.

The Check Password Status task causes the driver to perform a Check Object Password action.

Not all drivers support password check. Those that do must contain a password-check capability in the driver's manifest. iManager does not allow password check operations to be sent to drivers that do not contain this capability in the manifest.

The Check Object Password action checks the Distribution password. If the Distribution password is not being updated, Check Object Password might report that passwords are not synchronized.

The Distribution password is not updated if either of the following occurs:

NOTE: Keep in mind that for the Identity Vault, the Check Password Status action checks the NDS Password instead of the Universal password. Therefore, if the user's password policy does not specify to synchronize the NDS password with the Universal password, the passwords are always reported as being not synchronized. In fact, the Distribution password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS password and the Distribution password are synchronized with the Universal password.

Understanding DirXML-PasswordSyncStatus Attribute

When a password synchronization operation is triggered on a user, the user's DirXML-PasswordSyncStatus attribute gets updated with the status of the <modify-password> operation. The value looks like:

39DB7DED8436EE4DF38039DB7DED843620140325141422721000000000001Code(-8032) Operation vetoed by policy

  • The first 32 bytes represent the GUID of the driver the user is associated with.

  • The next 17 bytes represent the password sync time in yyyyMMddHHmmssSSS format.

  • The next 8 bytes are 00000000

  • The next 4 bytes indicate one of the following status codes:

    • 0000: ERROR

    • 0001: WARNING

    • 0002: RETRY

    • 0003: FATAL

    • 0004: SUCCESS

    • 0005: PENDING

      NOTE: The 0005 status code indicates a password change has not synchronized because the driver is not running.

  • The next string is the status message, if any.

NOTE: For a Fan-Out driver, the value of the DirXML-PasswordSyncStatus attribute has a length of 93 bytes. Identity Manager appends the Fan-Out instance GUID after the Fan-Out driver GUID in the attribute value. For example, in a value F45B667425626A448C7BF45B66742562CBB39C8D3DB3904F866DCBB39C8D3DB320170118103001542000000000004, the first 32 bits represent the Fan-Out driver GUID followed by 32 bits of Fan-Out instance GUID. The remaining bytes represent the other values for the attribute.
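The field layout above is easy to get wrong when eyeballing a raw attribute value, and a PENDING or non-SUCCESS status is exactly what an auditor wants to find across many users. The following parser is an added example written for this page; it is not part of Identity Manager or iManager. It decodes both the plain layout (driver GUID, timestamp, reserved zeros, status code, message) and the Fan-Out layout (an extra 32-character instance GUID after the driver GUID), deciding between them by checking which layout yields a valid 17-digit timestamp, eight reserved zeros and a known status code. The two sample values are the ones shown in this section; the function and field names are the example's own.

```python
"""Decode DirXML-PasswordSyncStatus attribute values (example code, not NetIQ's).

Layout documented on this page:
  32 chars  driver GUID
  32 chars  Fan-Out instance GUID (Fan-Out drivers only)
  17 chars  sync time, yyyyMMddHHmmssSSS
   8 chars  reserved, always 00000000
   4 chars  status code (0000..0005)
  rest      free-text status message, may be empty
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

STATUS_CODES = {
    "0000": "ERROR", "0001": "WARNING", "0002": "RETRY",
    "0003": "FATAL", "0004": "SUCCESS", "0005": "PENDING",
}
GUID_LEN, TIME_LEN, RESERVED_LEN, STATUS_LEN = 32, 17, 8, 4

# Sample values copied from the documentation text above.
PLAIN_EXAMPLE = ("39DB7DED8436EE4DF38039DB7DED843620140325141422721000000000001"
                 "Code(-8032) Operation vetoed by policy")
FANOUT_EXAMPLE = ("F45B667425626A448C7BF45B66742562CBB39C8D3DB3904F866DCBB39C8D3DB3"
                  "20170118103001542000000000004")


@dataclass
class SyncStatus:
    driver_guid: str
    instance_guid: Optional[str]  # None unless the value came from a Fan-Out driver
    sync_time: datetime
    status: str                   # decoded name, e.g. "WARNING"
    message: str


def _parse_timestamp(field: str) -> datetime:
    """Turn a 17-digit yyyyMMddHHmmssSSS string into a datetime (millis -> micros)."""
    return datetime(int(field[0:4]), int(field[4:6]), int(field[6:8]),
                    int(field[8:10]), int(field[10:12]), int(field[12:14]),
                    int(field[14:17]) * 1000)


def _try_layout(value: str, guid_count: int) -> Optional[SyncStatus]:
    """Try to decode with guid_count leading GUIDs: 1 = plain driver, 2 = Fan-Out."""
    pos = GUID_LEN * guid_count
    fixed_end = pos + TIME_LEN + RESERVED_LEN + STATUS_LEN
    if len(value) < fixed_end:
        return None
    time_field = value[pos:pos + TIME_LEN]
    reserved = value[pos + TIME_LEN:pos + TIME_LEN + RESERVED_LEN]
    code = value[pos + TIME_LEN + RESERVED_LEN:fixed_end]
    # All three fixed fields must look right, otherwise this is the wrong layout.
    if not time_field.isdigit() or reserved != "0" * RESERVED_LEN or code not in STATUS_CODES:
        return None
    try:
        sync_time = _parse_timestamp(time_field)
    except ValueError:          # digits present but not a real calendar date/time
        return None
    return SyncStatus(
        driver_guid=value[:GUID_LEN],
        instance_guid=value[GUID_LEN:pos] if guid_count == 2 else None,
        sync_time=sync_time,
        status=STATUS_CODES[code],
        message=value[fixed_end:],
    )


def parse_sync_status(value: str) -> SyncStatus:
    """Decode a DirXML-PasswordSyncStatus value; raise ValueError if no layout fits."""
    for guid_count in (1, 2):   # plain layout first, then the longer Fan-Out layout
        parsed = _try_layout(value, guid_count)
        if parsed is not None:
            return parsed
    raise ValueError(f"unrecognised DirXML-PasswordSyncStatus value: {value!r}")


def is_synchronized(value: str) -> bool:
    """True only when the last recorded <modify-password> operation reported SUCCESS."""
    return parse_sync_status(value).status == "SUCCESS"


if __name__ == "__main__":
    for sample in (PLAIN_EXAMPLE, FANOUT_EXAMPLE):
        s = parse_sync_status(sample)
        print(f"{s.status:8} {s.sync_time.isoformat()} driver={s.driver_guid} "
              f"instance={s.instance_guid} msg={s.message!r}")
```

When run over many users' values (for example, from an LDAP export), a practitioner would flag everything whose status is not SUCCESS and, for PENDING, check whether the corresponding driver is actually running before assuming the password itself is the problem.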