Friday, 5 July 2013

Force a full password synchronization using the new DirSync tool with password sync feature

In order to force a full password sync in the new Windows Azure Active Directory Synchronization tool for Office 365, you need to do the following:

  1. Open Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > MSOLCoExistence > PasswordSync.
  3. Change the "FullSyncRequired" registry value to 1.
  4. Go to Services.
  5. Restart the "Forefront Identity Manager Synchronization Service" - this will also restart the Windows Azure Active Directory Sync Service.
  6. Once done, you will notice log entries with Event ID 656, the "Password Change Request" events, and Event ID 657, the "Password Change Result" events.
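The same six steps as a PowerShell script, so the registry change is verified before any service is restarted and the 656/657 events are checked afterwards. This is an added example, not a script from the blog or from the DirSync tool; it assumes FullSyncRequired is a DWORD and that the 656/657 events are written to the Application log, and it must run elevated on the DirSync server.

```powershell
# Added example (not from the original post): force a full password sync and verify it.
# Assumptions not stated on the page: FullSyncRequired is a DWORD; the 656/657 events
# are logged to the Application log. Run in an elevated session on the DirSync server.
$regPath = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync'
$start   = Get-Date

# Steps 1-3: set FullSyncRequired = 1 and read it back before touching any service.
Set-ItemProperty -Path $regPath -Name 'FullSyncRequired' -Value 1 -Type DWord
$value = (Get-ItemProperty -Path $regPath -Name 'FullSyncRequired').FullSyncRequired
if ($value -ne 1) {
    throw "FullSyncRequired reads $value, expected 1; not restarting any service."
}

# Steps 4-5: restart the FIM Synchronization Service. -Force also restarts the
# dependent Windows Azure Active Directory Sync Service, as the post describes.
$fim = Get-Service -DisplayName 'Forefront Identity Manager Synchronization Service'
Restart-Service -InputObject $fim -Force
Get-Service -DisplayName 'Forefront Identity Manager*', '*Active Directory Sync*' |
    Select-Object DisplayName, Status

# Step 6: poll the Application log for 656 (Password Change Request) and
# 657 (Password Change Result) events raised since the script started.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 656, 657; StartTime = $start
    } -ErrorAction SilentlyContinue
} until ($events -or (Get-Date) -gt $deadline)

if (-not $events) {
    Write-Warning 'No 656/657 events within 15 minutes; check the sync service state and log.'
}
# Summary per event ID, so requests (656) can be compared against results (657).
$events | Group-Object Id | Select-Object Name, Count
```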


8 comments:

  1. Thanks for that.

    What is the situation now with the password in the CSV file used in an Exchange staged migration?
    Should this column now be left out? When I tested it, it set the passwords listed in the CSV file on the O365 account, and I had to do the full password sync to get the LAN password set again in O365.
  2. Thank you for these instructions. Helped me out with a 35k user deployment where the passwords never synced when the accounts were synced up.
  3. Yep - current builds (February 2014) of the tool require you to set this registry value prior to performing a full dirsync. If you don't set this registry value the passwords apparently do not come over properly. I had an issue where on-premises user accounts were replicated to O365, but 'older' accounts couldn't log on. Newly created accounts would log on just fine. In troubleshooting the issue, I had deactivated AD account synchronization and then re-enabled/reconfigured it from scratch, and performed a FULL sync, but users were still not able to log on. I called Microsoft support and they had me create this registry key, perform a full dirsync, and things immediately started working.
  4. Hi Amin, we are experiencing some inconsistencies between our on-prem and cloud security groups. What is the impact if we do a full dir sync as described above? Is there anything to watch out for? Are groups deleted from the cloud and resynchronised? We are still using the 'Microsoft Online Directory Sync' version and not Azure by the way.

    1. Hi Carl, this is to force a full password sync. If I remember correctly, you have SSO deployed so no need for this. Can you give some examples of the inconsistencies between on-prem and O365?

    2. We have user accounts as group members on the cloud, but they have been deleted from the local AD months ago. This causes NDRs when sending to the group.

      The above is for passwords, but I seem to remember a registry key for a full directory sync.

    3. This looks like the process, although I'm interested in the impact this would have.

      http://exitcodezero.wordpress.com/2013/04/29/how-to-force-dirsync-to-perform-full-synchronization/
