[Tips and Tricks] – How to synchronize passwords between two Active Directory domains?
One of the most common issues in dealing with multiple Active Directory domains is handling different sets of passwords. Whether for domain migrations or for maintaining separate domains for desktop login and Exchange mailbox access, users have to handle a different password for each domain. This complicates user password management and increases the number of password-related tickets, eventually affecting overall productivity.
This article will show how you can synchronize passwords between two or more AD domains using ADSelfService Plus.
Steps involved:
- Log in to the ADSelfService Plus web-console as an administrator.
- Navigate to Configuration > Self-Service > Password Sync/Single Sign On.
- From the list of all applications, select the Active Directory tile.
- In the configuration page, for the Domain Name field, select the AD domain to which passwords need to be synchronized.
- Provide a suitable description.
- In order to synchronize the passwords for a specific set of users (HR, admins, managers, or others), select the required OU or group-based policies from the Associate Policies drop-down list. [Note: You can create multiple OU and group-based policies in ADSelfService Plus that define the self-service features accessible to different users.] For example, if you wish to synchronize the passwords of all managers in your organization between two domains say, manageengine.com and america.manageengine.com, then select america.manageengine.com as Domain Name and the policy associated with managers in manageengine.com from the Associate Policies drop-down list. In this example, password changes in the manageengine.com domain will get reflected in the america.manageengine.com domain.
User account linking
Linking user accounts between domains is essential for password synchronization to work. By default, user accounts will be automatically linked based on the SAMAccountName AD attribute. ADSelfService Plus also allows you to link user accounts based on any attribute of your choice.
- Click on the Account Linking button in the top right corner of the Password Sync/Single Sign On page.
- For the Select a Provider field, choose Active Directory from the drop-down list.
- In the System field, specify the domain that will be initiating password synchronization.
- Enable the Auto Account Linking option.
- In the Select Account Attribute field, choose the AD attribute based on which you need the user accounts to be linked for password synchronization. For example, you can select from employeeID, userPrincipalName, or other attributes to link accounts and synchronize passwords.
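Because the sync can only act on accounts that link one-to-one, it helps to check the chosen attribute before enabling it. The following PowerShell is an added example, not part of this article or of ADSelfService Plus: it indexes the target domain by the linking attribute and reports source users that match no target account or more than one. The domain names, the attribute, RSAT ActiveDirectory module and read access to both domains are assumptions.

```powershell
# Added example: pre-flight check for account linking (not a ManageEngine tool).
# Assumes RSAT ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

$SourceDomain  = 'manageengine.com'          # placeholder: domain where password changes originate
$TargetDomain  = 'america.manageengine.com'  # placeholder: domain that receives the synced password
$LinkAttribute = 'sAMAccountName'            # placeholder: or 'employeeID', 'userPrincipalName', ...

# Index every enabled target-domain user by the linking attribute value.
$targetIndex = @{}
Get-ADUser -Server $TargetDomain -Filter 'Enabled -eq $true' -Properties $LinkAttribute |
    ForEach-Object {
        $key = $_.$LinkAttribute
        if ([string]::IsNullOrEmpty($key)) { return }   # empty value can never link
        if (-not $targetIndex.ContainsKey($key)) { $targetIndex[$key] = @() }
        $targetIndex[$key] += $_.DistinguishedName
    }

# Classify each enabled source-domain user by how many target accounts it links to.
$report = Get-ADUser -Server $SourceDomain -Filter 'Enabled -eq $true' -Properties $LinkAttribute |
    ForEach-Object {
        $key  = $_.$LinkAttribute
        $hits = @()
        if ($key -and $targetIndex.ContainsKey($key)) { $hits = @($targetIndex[$key]) }

        if     ($hits.Count -eq 0) { $status = 'NoMatch' }    # sync will skip this user
        elseif ($hits.Count -eq 1) { $status = 'Linked' }
        else                       { $status = 'Ambiguous' }  # duplicate value in target domain

        [pscustomobject]@{
            SourceUser = $_.SamAccountName
            LinkValue  = $key
            Status     = $status
            TargetDN   = ($hits -join '; ')
        }
    }

# Show only the accounts that need attention, then a summary per status.
$report | Where-Object { $_.Status -ne 'Linked' } | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

Run it once per source/target pair; any NoMatch or Ambiguous rows are accounts to fix (or to link manually) before relying on the sync.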