Skip to main content

How to set Active Directory User Passwords

To set a password on a new user account Data Sync uses the DS-SetPassword attribute to clear the UAC ACCOUNTDISABLE flag from the account in Active Directory.

Set Password for New Users

To set a user password in Active Directory for new users you can simply map the column that contains your passwords to the DS-SetPassword field in the target.

Schema Mapping

info

DS- columns are Data Sync attribute columns that handle the addition of that field for each user. This means that Data Sync does the required lookups without you needing to.

By default, Data Sync will also set the status in Active Directory so that the user must update their password when they next logon.

If you do not want users to change the password on their next logon, then you will need to set OnCreateChangePasswordNextLogon property to False. To do this go to the connection property window below the columns for your AD connection and change the value for OnCreateChangePasswordNextLogon.

PasswordLastSet

info

Passwords cannot be updated for existing users with this method. You will need to use Project Automation to do this.

Update Password for Existing User

To update the password for existing users you will need to add a few lines of code to Project Automation Item Events.

Enable Project Automation

Project Automation allows you to run your own .NET C# code at certain points in the Data Sync process. To start using it you will need to first enable it within the project. To do this open the View menu and select Project Automation Window. Then click onto the Enable Project Automation link to open the code editor where we can enter the code as needed.

Enable Project Automation

Setting the Password from the Source Data

If you are getting the password value from your source data you need to map this column to the DS-SetPassword column from the target.

You also need to edit the schema properties, setting the Data Compare property Ignore to True, so that the password field does not always trigger an update event.

Schema Mapping & Properties

As defining a password for users will not be very secure you will want users to have to change their password when they next login, this has been set in the code below using the pwdLastSet property.

Your Project Automation code should look similar to:

public override void AfterUpdateItem(object sender, DataCompareItemInvariant item, object identity)
{
Trace.WriteLine("AfterUpdate->{0}", identity);

var values = item.ToAddItemDictionary(TargetMapping); //Gets column names from the target

using(var entry = DataSourceB.GetDirectoryEntry((string)identity))
{
var uac = (int)entry.Properties["userAccountControl"].Value;
uac = uac & ~0x2; //Unlocked

entry.Properties["userAccountControl"].Value = uac; //Set the UAC to unlocked
entry.Invoke("SetPassword", values["DS-SetPassword"]); //Set the password
entry.Properties["pwdLastSet"].Value = 0; //Set user must change password at next logon
entry.CommitChanges();
}
}

Hard-Coded Password

If you want to supply a hard-coded default password, then you do not need to add the password columns to the schema map and you can use code similar to the following:

public override void AfterUpdateItem(object sender, DataCompareItemInvariant item, object identity)
{
Trace.WriteLine("AfterUpdate->{0}", identity);

using(var entry = DataSourceB.GetDirectoryEntry((string)identity))
{
var uac = (int)entry.Properties["userAccountControl"].Value;
uac = uac & ~0x2; //Unlocked

entry.Properties["userAccountControl"].Value = uac; //Set the UAC to unlocked
entry.Invoke("SetPassword", "!password123"); //Set the default password
entry.Properties["pwdLastSet"].Value = 0; //Set user must change password at next logon
entry.CommitChanges();
}
}