This Management Agent for MIM 2016 synchronizes passwords between two (or more) Active Directory forests. It is based heavily on Søren Granfeldt's PowerShell Management Agent and Michael Grafnetter's DSInternals libraries.
This MA runs on MIM 2016, which must be installed beforehand.
You must have Søren Granfeldt's PowerShell Management Agent installed.
The Management Agent account must have the following permissions:
- Source directory: "Replicate Directory Changes" and "Replicate Directory Changes All" on the domain root
- Destination directory: "Reset password" permission on the target accounts
- Copy the source to a directory of your choice, for example C:\Scripts\PwdHashConnector
- Download and copy Michael Grafnetter's DSInternals PowerShell module to the same directory. You now have the following content:
- Create the event log source:
  New-EventLog -Source "PwdHashConnector" -LogName Application
In the Metaverse Designer, add a binary attribute to the class "person".
- Schema Script: Full path to pwdhash-schema.ps1
- Username: Domain\user account used to connect to your Active Directory (see Prerequisites)
- Password: Password for this user account
- Configuration parameters:
  - DomainName: Target Active Directory domain (no longer required)
  - ServerName: FQDN of the domain controller to query
  - BaseDN: OUs in which to search for accounts. The first character specifies the separator. Example with a pipe as separator: BaseDN=|OU=External,OU=Accounts,DC=contoso,DC=local|OU=Internal,OU=Accounts,DC=contoso,DC=local
- Import Script: Full path to pwdhash-import.ps1
- Export Script: Full path to pwdhash-import.ps1
- Password Management Script: Full path to pwdhash-schema.ps1 [Mandatory]
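As an added pre-flight check (not part of the connector), the following PowerShell splits a BaseDN value with the separator rule above, confirms each search base exists on the ServerName DC, and verifies that the MA account holds both replication rights on the source domain root. It assumes the ActiveDirectory RSAT module; the server name and account below are constructed sample values.

```powershell
# Added pre-flight check for the prerequisites above; it is not part of the connector.
# Assumes the ActiveDirectory RSAT module and an account allowed to read the domain root ACL.
Import-Module ActiveDirectory

# Well-known GUIDs of the two extended rights the MA account needs on the source domain root.
$ReplicationRights = @{
    'Replicate Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicate Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# Splits a BaseDN value using the connector's rule: the first character is the separator.
function ConvertFrom-BaseDNParameter {
    param([Parameter(Mandatory)][string]$BaseDN)
    $separator = $BaseDN.Substring(0, 1)
    return $BaseDN.Substring(1).Split($separator, [StringSplitOptions]::RemoveEmptyEntries)
}

# Reports whether each configured search base actually exists on the given DC.
function Test-BaseDN {
    param([Parameter(Mandatory)][string]$BaseDN, [Parameter(Mandatory)][string]$Server)
    foreach ($dn in ConvertFrom-BaseDNParameter -BaseDN $BaseDN) {
        $exists = $null -ne (Get-ADObject -Filter "distinguishedName -eq '$dn'" -Server $Server)
        [pscustomobject]@{ BaseDN = $dn; Exists = $exists }
    }
}

# Reports whether the MA account holds each replication right through a direct Allow ACE
# on the domain root. Grants via group membership or GenericAll are not detected here.
function Test-ReplicationRights {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string]$Server)
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    foreach ($name in $ReplicationRights.Keys) {
        $match = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
            $_.ObjectType -eq $ReplicationRights[$name] -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        }
        [pscustomobject]@{ Right = $name; Granted = [bool]$match }
    }
}

# Example run with the BaseDN value from the example above (server and account are constructed sample values).
Test-BaseDN -BaseDN '|OU=External,OU=Accounts,DC=contoso,DC=local|OU=Internal,OU=Accounts,DC=contoso,DC=local' -Server 'dc01.contoso.local'
Test-ReplicationRights -Account 'CONTOSO\svc-mim-pwdhash' -Server 'dc01.contoso.local'
```

Because "Replicate Directory Changes All" allows reading every account's password hash from the source forest, running this check also shows whether any unintended account carries the same right on the domain root, which is worth reviewing before go-live.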
Check "person"
Select all attributes
Configure your join rule as needed. I recommend using a unique attribute, such as objectSid or objectGUID. You might prefer an indexed attribute.
The only attribute needed is nTHash. Import/export this attribute from/to the metaverse attribute created previously.
Disable password management