We are using AD authentication module. We have observed that a password reset on a UserStore user that is NOT correlated to AD will change an AD user password if the login matches.
Why will AD authentication module provision changes and not just authenticate?
Release : 14.4
Component : Identity Manager
The AD Auth module relies on users having an account in AD so that they can be authenticated.
As per the documentation, if you configure the Active Directory authentication model, user password sets from the Forgotten Password or Reset Password tasks automatically propagate to both the Identity Manager User Store and the Active Directory server. Password status changes are detected during authentication.
The documentation also describes how Identity Manager searches for the user name entered in the login screen of the Identity Manager User Console, using the attribute that is defined in the Management Console.
As per design, the search is based on the authentication attribute, which matches the nominated IM attribute. The authentication attempt is made directly against Active Directory, without any attempt to verify the account association in the Provisioning layer. This means that the password change happens directly at the account level: an AD account whose authentication attribute matches the login receives the new password, whether or not the User Store user is correlated to it.
If this behavior is not the desired one, AD password propagation can be disabled by configuring the DisableADPasswordPropagation property ("The property prevents Identity Manager from changing the password and having it propagated to the Active Directory Auth directory"), so that only password validation, rather than a password change, is performed against AD. Note that this is a global property which applies to all users.
This is configured by navigating to Environments > <Environment_Name> > Advanced Settings > Miscellaneous.
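The following is an added toy model of the behavior described above; it is not Identity Manager code, and the class names, the sample logins (jsmith, alee) and the "correlated" set are constructed for illustration. It shows why an uncorrelated User Store user can change an AD password by login match alone, what the global DisableADPasswordPropagation property does to that flow, and, as a hypothetical contrast that the product does not document, what a per-user correlation check would look like.

```python
# Constructed illustration of AD password propagation by login match.
# Not Identity Manager code; all names and sample data are made up here.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """A directory keyed by login name, holding one password per login."""
    name: str
    passwords: dict[str, str]


@dataclass
class IdentityManagerModel:
    user_store: Directory
    active_directory: Directory
    # Logins whose User Store entry is correlated to an AD account in the
    # Provisioning layer. Constructed here; the AD auth module as described
    # on this page does NOT consult this information.
    correlated: set[str]
    disable_ad_password_propagation: bool = False
    audit: list[str] = field(default_factory=list)

    def authenticate(self, login: str, password: str) -> bool:
        """AD auth module: validate the password directly against AD."""
        return self.active_directory.passwords.get(login) == password

    def reset_password(self, login: str, new_password: str,
                       require_correlation: bool = False) -> bool:
        """Reset Password task. Returns True if the AD password was changed."""
        if login not in self.user_store.passwords:
            raise KeyError(f"no User Store entry for {login}")
        self.user_store.passwords[login] = new_password

        if self.disable_ad_password_propagation:
            self.audit.append(f"{login}: DisableADPasswordPropagation set, AD untouched")
            return False
        # Hypothetical per-user guard (not a documented IM setting): propagate
        # only when Provisioning knows this User Store user owns the AD account.
        if require_correlation and login not in self.correlated:
            self.audit.append(f"{login}: not correlated to AD, AD untouched")
            return False
        if login in self.active_directory.passwords:
            self.active_directory.passwords[login] = new_password
            self.audit.append(f"{login}: propagated to AD by login match")
            return True
        self.audit.append(f"{login}: no AD account with this login")
        return False


def build_model(disable_propagation: bool = False) -> IdentityManagerModel:
    """Constructed sample data: 'jsmith' exists in both directories but is
    NOT correlated; 'alee' exists in both and is correlated."""
    return IdentityManagerModel(
        user_store=Directory("IM User Store", {"jsmith": "us-old", "alee": "us-old"}),
        active_directory=Directory("AD", {"jsmith": "ad-old", "alee": "ad-old"}),
        correlated={"alee"},
        disable_ad_password_propagation=disable_propagation,
    )


def run_scenarios() -> dict[str, bool]:
    """Reset 'jsmith' under each setup and report what AD accepts afterwards."""
    default = build_model()
    default.reset_password("jsmith", "new-pass")

    disabled = build_model(disable_propagation=True)
    disabled.reset_password("jsmith", "new-pass")

    guarded = build_model()
    guarded.reset_password("jsmith", "new-pass", require_correlation=True)
    guarded.reset_password("alee", "new-pass", require_correlation=True)

    return {
        "default_changes_uncorrelated_ad_account": default.authenticate("jsmith", "new-pass"),
        "disabled_leaves_ad_untouched": disabled.authenticate("jsmith", "ad-old"),
        "guarded_leaves_uncorrelated_untouched": guarded.authenticate("jsmith", "ad-old"),
        "guarded_propagates_correlated": guarded.authenticate("alee", "new-pass"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The first scenario reproduces the observation in the question: the reset lands on the AD account because the login matches, with no correlation check. The second shows the documented mitigation, which is global and therefore also stops propagation for correlated users such as alee.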