Password policies are not working as expected


Article ID: 195567


Updated On:


CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


A common scenario is to manage Active Directory passwords with CA Identity Manager.


For example:

Account disabled after 3 successive incorrect passwords
Password expires if not changed


However, this does not appear to work. The user appears to be in a disabled state in IDM (CA Identity Manager), as dictated by the IDM password policy, but the disabled state is not reflected in Active Directory.


This is working as designed.


Release: 14.3 CP1



The Password Services tasks in IM are "audited" tasks, not executed tasks. This means that the changes are applied only to the IDM user, not to the user's endpoint accounts. This prevents an already logged-in user from locking out all of their endpoint accounts.


Example: A worker is logged into their physical machine at work and tries to perform actions within IDM. They fail to log in three times and are locked out of IDM. If IDM synchronized that lockout to the endpoints, the same individual would be locked out of all of their endpoints, including their physical machine (Active Directory).

Additional Information

To overcome these difficulties, it is recommended that the password policies for IM and Active Directory (AD) are synchronized, and that daily E&C (Explore and Correlate) tasks are executed to keep IM in sync with AD, with AD acting as the authoritative source. We also recommend the use of the PSA (Password Sync Agent).
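The two behaviours described above, an "audited" lockout that touches only the IDM user record and a daily Explore and Correlate run in which AD overwrites IDM's state, can be shown in a small simulation. The following Python is an added example written for this article; it is not CA Identity Manager code and does not use any product API. The three-failure threshold is taken from the article's example policy, and the user name "jdoe", the `IdmUser`/`AdAccount` records and the `explore_and_correlate` function are hypothetical stand-ins for the real store and the real E&C task.

```python
"""Toy model (added example, not CA Identity Manager code) of an 'audited'
IDM password policy next to a directory-driven Explore and Correlate sync."""
from dataclasses import dataclass, field

# Threshold from the article's example policy; hypothetical, not a product default.
MAX_FAILED_ATTEMPTS = 3


@dataclass
class IdmUser:
    """IDM's own view of the user (hypothetical record layout)."""
    name: str
    failed_attempts: int = 0
    disabled: bool = False


@dataclass
class AdAccount:
    """The Active Directory account on the endpoint (hypothetical record layout)."""
    sam_account_name: str
    disabled: bool = False


@dataclass
class Environment:
    idm: dict            # user name -> IdmUser
    ad: dict             # user name -> AdAccount
    audit_log: list = field(default_factory=list)


def idm_login_attempt(env, name, password_ok):
    """Apply the IDM password policy as an *audited* task.

    Only the IDM user record changes; the AD account is never touched here,
    which is exactly why the lockout does not show up in Active Directory.
    """
    user = env.idm[name]
    if user.disabled:
        env.audit_log.append(f"{name}: login refused, IDM user is disabled")
        return False
    if password_ok:
        user.failed_attempts = 0
        return True
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.disabled = True
        env.audit_log.append(
            f"{name}: disabled in IDM after {user.failed_attempts} failed attempts")
    return False


def explore_and_correlate(env):
    """Daily E&C run with AD as the authoritative source.

    IDM's disabled flag is overwritten from the AD account in both directions:
    a user locked only in IDM is re-enabled, and a user disabled in AD becomes
    disabled in IDM. Returns the names whose IDM record changed.
    """
    changed = []
    for name, user in env.idm.items():
        acct = env.ad.get(name)
        if acct is None:
            continue  # no correlated endpoint account; nothing to reconcile
        if user.disabled != acct.disabled:
            user.disabled = acct.disabled
            if not acct.disabled:
                user.failed_attempts = 0  # fresh start once AD says the account is fine
            changed.append(name)
    return changed


def demo():
    """Three bad passwords lock the IDM user but leave AD untouched; the next
    E&C run re-enables the IDM user because AD is authoritative."""
    env = Environment(idm={"jdoe": IdmUser("jdoe")},
                      ad={"jdoe": AdAccount("jdoe")})
    for _ in range(MAX_FAILED_ATTEMPTS):
        idm_login_attempt(env, "jdoe", password_ok=False)
    idm_locked = env.idm["jdoe"].disabled   # True: audited task changed IDM
    ad_locked = env.ad["jdoe"].disabled     # False: endpoint never synced
    reconciled = explore_and_correlate(env)
    return idm_locked, ad_locked, reconciled, env.idm["jdoe"].disabled


if __name__ == "__main__":
    print(demo())  # (True, False, ['jdoe'], False)
```

Running `demo()` shows the state the article describes: the IDM user is disabled while the AD account is not, and the divergence only disappears when the E&C step copies AD's state back into IDM. The same reconciliation also carries a disable performed in AD into IDM, which is what keeping the two policies aligned and running E&C daily is meant to guarantee.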