The User Accounts That Are Supposed to Be Excluded by the Password Synchronization Feature May Not Be Excluded (296680)
The information in this article applies to:
- Microsoft Windows Services for UNIX 2.0
This article was previously published under Q296680
SYMPTOMS
The user accounts that are supposed to be excluded by the Password Synchronization feature may not be excluded, and password changes to these accounts may occur unexpectedly.
CAUSE
This problem can occur if a UNIX administrator adds the "SYNC_USERS=-root -pat" line to the Sso.conf file so that all user passwords are synchronized, except for the "root" and "pat" user passwords. However, the exclude delimiter, the minus (-) symbol, is not recognized and is ignored, so Password Synchronization still occurs for the "root" and "pat" user passwords.
WORKAROUND
To work around this problem, use either of the following methods:
- Explicitly list the users in the Sso.conf file by using the SYNC_USERS field. The plus (+) symbol delimiter is used to explicitly add a user, for example:
SYNC_USERS=+fred +leon +ralph
- Add the excluded users to a special group called "PasswordPropDeny" in either Microsoft Windows 2000 or Microsoft Windows NT. These users can be added by using Active Directory Users and Computers in a Windows 2000 domain or User Manager on a Windows NT 4.0 domain.
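The following check is an added example, not part of the original article or of Services for UNIX. It reads the SYNC_USERS line of a given Sso.conf file and reports each minus-prefixed entry, which on the affected version is still synchronized. It assumes one KEY=value setting per line with whitespace-separated entries; the function name and output labels are hypothetical.

```shell
# Added example (not Microsoft code). Assumes Sso.conf holds one KEY=value
# setting per line and that SYNC_USERS entries are separated by whitespace.
# Usage: audit_sync_users /path/to/sso.conf
# Returns 0 if no minus-prefixed entries exist, 1 if any are found,
# 2 if the file cannot be read.
audit_sync_users() {
    conf=$1
    if [ ! -r "$conf" ]; then
        printf 'ERROR cannot read %s\n' "$conf"
        return 2
    fi

    # If the setting appears more than once, inspect the last occurrence
    # (assumption: later lines override earlier ones).
    line=$(grep '^[[:space:]]*SYNC_USERS[[:space:]]*=' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        printf 'INFO no SYNC_USERS line found\n'
        return 0
    fi

    # Keep only the value and drop any carriage returns from CRLF files.
    value=$(printf '%s' "${line#*=}" | tr -d '\r')

    found=0
    set -f                      # no filename expansion while splitting
    for tok in $value; do
        case $tok in
            -?*)                # exclusion entry: ignored by the affected version
                printf 'IGNORED-EXCLUSION %s\n' "${tok#-}"
                found=1
                ;;
            +?*)                # explicit inclusion: the documented workaround
                printf 'EXPLICIT-INCLUDE %s\n' "${tok#+}"
                ;;
            *)
                printf 'OTHER %s\n' "$tok"
                ;;
        esac
    done
    set +f
    return $found
}
```

Each account reported as IGNORED-EXCLUSION should be handled with one of the two workarounds above.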
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Modification Type: Major
Last Reviewed: 5/18/2001
Keywords: kbenv kbprb KB296680