We are running IDM and PSync version 14.4.0.0.581. This is a non-vApp, on-prem solution.
I had some questions regarding how to properly sync a user's password into PM when passwords are being synchronized across AD forests.
The transactions don't seem to get picked up by PSync, so I had some questions as to the criteria that are needed for PSync to intercept a password change and push it to the global provisioning user.
Requirements for the PSYNC agent can be found here:
Additional information:
Remember that each domain in the forest needs to be acquired as a separate AD endpoint to begin with. Also, each domain controller needs the PSYNC agent installed, and that PSYNC agent's configuration file will reference the acquired AD Endpoint Name for that specific domain.
So when you perform a password change, it will be handled by a specific domain controller, and the PSYNC on that domain controller will send a request to the Provisioning Server for the AD Endpoint Name as configured in the PSYNC config file on that specific domain controller.
You need to make sure that if the AD Account TESTACCT that belongs to Domain TESTDOMAIN is having a password change, then that change is being handled by a domain controller that is part of TESTDOMAIN where the PSYNC config file has the AD Endpoint TESTDOMAIN in it.
If for some reason the above password change for TESTACCT was handled by a domain controller that is part of OTHERDOMAIN, where the PSYNC config file has the AD Endpoint OTHERDOMAIN in it, then the request to the Provisioning Server would fail to find TESTACCT as part of the AD Endpoint OTHERDOMAIN and the PSYNC would not work.