Tags: active-directory, passwords, identity-management, tivoli-identity-manager

Active Directory Password Synchronization agent's Identity Manager User Password Expiry


The Active Directory Password Synchronization agent is a tool supplied by IBM Tivoli for synchronizing passwords with the enterprise applications that are integrated with the Tivoli Identity Manager application. This agent is installed on all domain controllers in the infrastructure. Whenever a user or administrator changes a password, this module captures the plain password and sends it to the Tivoli Identity Manager platform. For this, the Active Directory Password Synchronization agent uses an ITIM (IBM Tivoli Identity Manager) user and its credentials to propagate the password to ITIM. ITIM has a password rule under which the password expires after some number of days, so the ITIM user of this AD agent also has to be changed when it expires. Once it has expired, a user or administrator who attempts to change their password cannot change it.

In test systems we can just change the password of the user in ITIM and configure the AD Password Agent with the new password.

In production systems, is there any way to propagate this password change to all of the Active Directory domains? How should this situation be handled?


Solution

  • If you are using a platform before W2K8 R2:

    On a server, can't you configure the ITIM service to run as Local Service, Network Service, or Local System? The issue is that these service accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed at the domain level.

  • On W2K8 R2 and Windows 7:

    Two new types of service accounts are available in Windows Server 2008 R2 and Windows 7: the managed service account and the virtual account.

    The managed service account is designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts (the password is changed automatically).

    Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that can use a computer's credentials to access network resources.
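The managed service account approach from the answer above, as an added example that is not code from the original thread or from IBM: it provisions one standalone MSA per domain controller (a Windows Server 2008 R2 standalone MSA can be bound to exactly one computer, and the agent runs on every DC) and then, on each DC, installs the MSA and points the agent's Windows service at it. It assumes the ActiveDirectory PowerShell module, that the agent runs as a Windows service whose logon account is the one being rotated, and a hypothetical service name, domain name and MSA container path.

```powershell
# Added example (not the original thread's or IBM's code). Assumes the
# ActiveDirectory module; $domain, $serviceName and $ouPath are placeholders.
Import-Module ActiveDirectory

$domain      = 'CORP'                                             # placeholder NetBIOS name
$serviceName = 'ITIMPasswordSyncAgent'                            # hypothetical; check Get-Service on a DC
$ouPath      = 'CN=Managed Service Accounts,DC=corp,DC=example'  # placeholder MSA container

# Phase 1: run once from an administrative workstation.
# Creates one MSA per domain controller and binds it to that DC only.
function New-AdSyncMsa {
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    foreach ($dc in $dcs) {
        # MSA names are limited to 15 characters; the account becomes "<name>$".
        $msaName = "adsync-$dc"
        if ($msaName.Length -gt 15) { throw "MSA name '$msaName' exceeds 15 characters" }

        # AD generates and rotates the MSA password itself, so no human holds it
        # and it does not expire under the user password policy.
        # (On Windows Server 2012+ add -RestrictToSingleComputer to get a standalone MSA.)
        if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
            New-ADServiceAccount -Name $msaName -Path $ouPath -Enabled $true `
                -Description "AD password sync agent on $dc"
        }
        # Authorise exactly this DC to retrieve the MSA's password.
        Add-ADComputerServiceAccount -Identity $dc -ServiceAccount $msaName
    }
}

# Phase 2: run locally on each DC (avoids Kerberos double-hop problems that a
# remote Install-ADServiceAccount can run into).
function Install-AdSyncMsaOnThisDc {
    $msaName = "adsync-$env:COMPUTERNAME"
    Install-ADServiceAccount -Identity $msaName
    if (-not (Test-ADServiceAccount -Identity $msaName)) {
        throw "MSA $msaName failed validation on $env:COMPUTERNAME"
    }
    # An MSA logon uses an empty password. sc.exe requires the space after '='.
    sc.exe config $serviceName obj= "$domain\$msaName`$" password= ""
    Restart-Service -Name $serviceName
}
```

Run `New-AdSyncMsa` once, then `Install-AdSyncMsaOnThisDc` on each domain controller; this only addresses the Windows logon account of the agent service, not an application-level credential the agent presents to ITIM.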