PCNS flow question

Hi,

We have the following setup:

PCNS is deployed in Forest B and C, which is configured to sync passwords for Staff (Staff Group in Forest C) and Students (Student Group in Forest B) to their respective accounts in Forest A. This is working fine.

A new requirement is to have some of the Staff Forest C accounts created in Forest B. So here are some questions.

  1. Could we now set up PCNS in Forest C to also sync passwords to Forest B (for some of these new Staff accounts)?
  2. When a Forest C Staff member changes their password (in Forest C), this password will be synced to their account in Forest B and Forest A; however, since PCNS in Forest B only monitors the Student AD Group (in order to synchronize to Forest A), any password changes to Staff members (not part of the Student AD Group) will be ignored. Is this correct?
  3. What if the PCNS inclusion group was "Domain Users" in Forest B? When a Forest C Staff member changes their password (in Forest C), this password will be synced to their account in Forest B and Forest A - would PCNS in Forest B be triggered for Staff again and sync the password again to Forest A?


Thank you,

sk




  • Edited by Shim Kwan Thursday, April 24, 2014 3:58 AM
April 24th, 2014 6:11am

Hi Shim,

1. You can, but be aware of loops - as long as you don't create any loop, you can do this. (I was working at a university during my studies - so I would be in the Staff and Students groups - my account could generate a loop in such a configuration.)

2. Yes, if this account is not in the Inclusion group, the password change would be noticed but would not be processed by PCNS.

3. Yes, it would be re-triggered.

April 24th, 2014 9:31am
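The three answers above can be checked against a small model of the sync topology. This is an added example, not code from either poster or from PCNS/FIM; the `trace` function, the group sets and the "back-sync" configuration are assumptions made for illustration, and the model covers only the inclusion-group behaviour described in the thread.

```python
# Simplified model (assumption): a password set in a forest is forwarded by that
# forest's PCNS only when the account is in the PCNS inclusion group.

def trace(accounts, origin, pcns, path=()):
    """Follow one password change starting in `origin`.

    accounts: {forest: set of groups the user's account belongs to there}
    pcns:     {forest: {"inclusion": group, "targets": [forests]}}
    Returns (events, loops): ordered (source, target) password sets, and any
    forest paths that lead back to a forest that already forwarded.
    """
    events, loops = [], []
    cfg = pcns.get(origin)
    if cfg is None or cfg["inclusion"] not in accounts.get(origin, set()):
        return events, loops          # change noticed, but not processed
    path = path + (origin,)
    for target in cfg["targets"]:
        if target not in accounts:
            continue                  # user has no account in that forest
        events.append((origin, target))
        if target in path:
            loops.append(path + (target,))   # would re-trigger endlessly
            continue
        sub_events, sub_loops = trace(accounts, target, pcns, path)
        events += sub_events
        loops += sub_loops
    return events, loops

# Constructed sample data based on the thread's forests A, B and C.
STAFF = {"C": {"Staff", "Domain Users"}, "B": {"Domain Users"}, "A": {"Domain Users"}}
STAFF_AND_STUDENT = {**STAFF, "B": {"Students", "Domain Users"}}

Q2 = {"C": {"inclusion": "Staff", "targets": ["A", "B"]},
      "B": {"inclusion": "Students", "targets": ["A"]}}
Q3 = {**Q2, "B": {"inclusion": "Domain Users", "targets": ["A"]}}
# Hypothetical: Forest B also syncing back to Forest C (not in the thread).
BACK = {**Q2, "B": {"inclusion": "Students", "targets": ["A", "C"]}}

if __name__ == "__main__":
    for name, acct, cfg in [("Q2", STAFF, Q2), ("Q3", STAFF, Q3),
                            ("back-sync", STAFF_AND_STUDENT, BACK)]:
        events, loops = trace(acct, "C", cfg)
        print(name, "sets:", events, "loops:", loops)
```

With the Q3 configuration Forest A receives the same password twice (once from C, once re-triggered from B), and only the hypothetical back-sync configuration produces a C, B, C loop.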

Thank you, Dominik
April 24th, 2014 10:06am
