Microsoft KB Archive/296680

= The User Accounts That Are Supposed to Be Excluded by the Password Synchronization Feature May Not Be Excluded =

Article ID: 296680

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows Services for UNIX 2.0 Standard Edition




This article was previously published under Q296680



SYMPTOMS
The user accounts that are supposed to be excluded by the Password Synchronization feature may not be excluded, and password changes to these accounts may occur unexpectedly.



CAUSE
This problem can occur if a UNIX administrator adds the "SYNC_USERS=-root -pat" line to the Sso.conf file so that all user passwords are synchronized except those of the "root" and "pat" users. The exclude delimiter, the minus (-) symbol, is not recognized and is ignored, so Password Synchronization still occurs for the "root" and "pat" user passwords.



WORKAROUND
To work around this problem, use either of the following methods:

 * Explicitly list the users in the Sso.conf file by using the SYNC_USERS field. The plus (+) symbol delimiter is used to explicitly add a user, for example:

SYNC_USERS=+fred +leon +ralph

 * Add the excluded users to a special group called "PasswordPropDeny" in either Microsoft Windows 2000 or Microsoft Windows NT. These users can be added by using Active Directory Users and Computers in a Windows 2000 domain or User Manager on a Windows NT 4.0 domain.
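The shell functions below are an added example, not part of the original article or of Services for UNIX. They scan an Sso.conf-style file for minus-prefixed SYNC_USERS entries, which the affected version ignores, so an administrator can find the accounts that need one of the workarounds above. The function names are hypothetical, and the file path is supplied by the caller because the article does not give one.

```shell
#!/bin/sh
# Added example: find SYNC_USERS exclusions ("-user") in an Sso.conf-style
# file. On the affected version these entries are ignored, so the listed
# accounts are still synchronized.

# Print the values of all SYNC_USERS= lines.
# Tolerating leading whitespace is an assumption, not documented behavior.
sync_users_values() {
    sed -n 's/^[[:space:]]*SYNC_USERS=//p' "$1"
}

# Print each minus-prefixed entry, one per line, without the minus sign.
# Runs in a subshell with globbing off so odd entries are not expanded.
ignored_exclusions() (
    set -f
    for entry in $(sync_users_values "$1"); do
        case "$entry" in
            -?*) printf '%s\n' "${entry#-}" ;;
        esac
    done
)

# Return 0 if no exclusions are present, 1 if any account relies on "-".
audit_sync_users() {
    excluded=$(ignored_exclusions "$1")
    if [ -z "$excluded" ]; then
        echo "OK: SYNC_USERS contains no '-' exclusions"
        return 0
    fi
    echo "WARNING: exclusions not honored on the affected version:"
    printf '%s\n' "$excluded" | sed 's/^/  /'
    echo "Use an explicit + list or add these users to PasswordPropDeny."
    return 1
}

# Run the audit when a file path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sync_users "$1"
fi
```
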



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbenv kbprb KB296680


© Microsoft Corporation. All rights reserved.