Active Directory Password Synch Agent--can it determine whether a user is an admin?


Article ID: 107005


CA Identity Manager, CA Identity Governance, CA Identity Portal


We have the Identity Manager suite connected to Active Directory (currently the "master"). We have noticed that the password agent sitting on the domain controllers does not differentiate between a "password reset" (completed by an "admin" on behalf of someone) and a "password change" (completed by a user for themselves). Is there a setting that will allow the password agent to differentiate between these? One of our password rules that we enforce for password changes has to do with password history (can't use the same password for x number of password changes). However, we don't enforce that for a password reset, since admins will typically use a common password when they reset someone's password and enforce a password change on first login.


Component: IDMGR


No, the password agent cannot distinguish whether a user is an admin or another user. The agent is just a Windows password filter that passes along the request.