You can determine whether the Distribution password for a specific user is the same as the password in the connected system.
In iManager, click to display the Identity Manager Administration page.
In the Passwords list, click Check Password Status.
Browse to and select a user.
The Check Password Status task causes the driver to perform a Check Object Password action.
Not all drivers support password check. Those that do must contain a password-check capability in the driver's manifest. iManager does not allow password check operations to be sent to drivers that do not contain this capability in the manifest.
The Check Object Password action checks the Distribution password. If the Distribution password is not being updated, Check Object Password might report that passwords are not synchronized.
The Distribution password is not updated if either of the following occurs:
You are using the synchronization method described in Section A.1, Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults.
You are synchronizing Universal Password (as in Section A.2, Scenario 2: Using Universal Password to Synchronize Passwords), but you have not enabled the password policy configuration option to synchronize the Universal password to the Distribution password.
NOTE: Keep in mind that for the Identity Vault, the Check Password Status action checks the NDS password instead of the Universal password. Therefore, if the user's password policy does not specify to synchronize the NDS password with the Universal password, the passwords are always reported as being not synchronized. In fact, the Distribution password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS password and the Distribution password are synchronized with the Universal password.
For the "Check Password Status" task, the following rights are necessary for a non-administrator to perform Identity Manager-related tasks:
Browse rights with inheritance, to the Entry Rights of the Driver Set object to the non-administrator user
Read and Write access, with inheritance, to the DirXML-AccessCheckObjectPassword attribute of the Driver Set object to the non-administrator user
Read, Compare and Write access, with inheritance, to the DirXML-ConfigManifest attribute of the Driver Set object to the non-administrator user
Read, Compare and Write access, with inheritance, to the DirXML-ConfigValues attribute of the Driver Set object to the non-administrator user
Read and Compare access, with inheritance, to the DirXML-ServerList attribute of the Driver Set object to the non-administrator user
Read rights with inheritance, to the DirXML-Policies of the Driver Set object to the non-administrator user
Browse rights of the dirXML associations of User Container to the non-administrator user
Allow the non-administrator user to retrieve passwords by adding the user to the password policy. To do so, browse to iManager -> Passwords (role) -> Password Policies -> Sample Password policy -> Universal Password tab -> Configuration Options. Select the "Allow the following to retrieve passwords" check box and add the non-administrator user under that rule.
When a password synchronization operation is triggered on a user, the user's DirXML-PasswordSyncStatus attribute gets updated with the status of the <modify-password> operation. The value looks like:
39DB7DED8436EE4DF38039DB7DED843620140325141422721000000000001Code(-8032) Operation vetoed by policy
The first 32 bytes represent the GUID of the driver the user is associated with.
The next 17 bytes represent the password sync time in yyyyMMddHHmmssSSS format.
The next 8 bytes are 00000000.
The next 4 bytes indicate any one of the following status codes:
0000: ERROR
0001: WARNING
0002: RETRY
0003: FATAL
0004: SUCCESS
The next string is the status message, if any.
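The field layout above can be decoded mechanically, for example when auditing which users have a failed or vetoed password synchronization. The following Python parser is an added example, not part of the original documentation or the product: the names `parse_sync_status` and `PasswordSyncStatus` are hypothetical, and it assumes each "byte" in the layout is one ASCII character and that the GUID is written in hexadecimal, as in the sample value.

```python
import string
from dataclasses import dataclass
from datetime import datetime

# Status codes exactly as listed on this page.
STATUS_CODES = {"0000": "ERROR", "0001": "WARNING", "0002": "RETRY",
                "0003": "FATAL", "0004": "SUCCESS"}
HEADER_LEN = 32 + 17 + 8 + 4  # GUID + timestamp + zero field + status code

# The sample value shown on this page.
SAMPLE = ("39DB7DED8436EE4DF38039DB7DED8436" "20140325141422721"
          "00000000" "0001" "Code(-8032) Operation vetoed by policy")

@dataclass
class PasswordSyncStatus:
    driver_guid: str      # GUID of the driver the user is associated with
    sync_time: datetime   # naive: the page does not state a time zone
    status: str           # one of the STATUS_CODES names
    message: str          # free-text status message, may be empty

def parse_sync_status(value: str) -> PasswordSyncStatus:
    """Split one DirXML-PasswordSyncStatus value into its fixed-width fields."""
    if len(value) < HEADER_LEN:
        raise ValueError(f"value shorter than {HEADER_LEN}-character header")
    guid, stamp = value[:32], value[32:49]
    zeros, code, message = value[49:57], value[57:61], value[61:]
    # Assumption: the GUID is hex text, as in the sample value.
    if not all(c in string.hexdigits for c in guid):
        raise ValueError("driver GUID is not 32 hex characters")
    if not (stamp.isascii() and stamp.isdigit()):
        raise ValueError("timestamp is not 17 digits")
    if zeros != "00000000":
        raise ValueError("expected 00000000 after the timestamp")
    if code not in STATUS_CODES:
        raise ValueError(f"unknown status code {code!r}")
    # yyyyMMddHHmmss is parsed strictly (14 digits, so every field is full
    # width); the trailing SSS milliseconds are converted to microseconds.
    sync_time = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
    sync_time = sync_time.replace(microsecond=int(stamp[14:]) * 1000)
    return PasswordSyncStatus(guid, sync_time, STATUS_CODES[code], message)

if __name__ == "__main__":
    print(parse_sync_status(SAMPLE))
```

The parser rejects values that do not match the layout rather than guessing, so a truncated or corrupted attribute value surfaces as a `ValueError` instead of a misleading status.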