Problem:
The password is changed in AD for a user which already has the option “change password next login”. This password change is currently not synced to UCS.
With bug https://forge.univention.org/bugzilla/show_bug.cgi?id=51518 we introduced an mechanism to reduce the replication time by ignoring trivial changes in AD. Unfortunately this breaks the password synchronization in this particular corner case.
On bug https://forge.univention.org/bugzilla/show_bug.cgi?id=52192 we are trying to find a solution for this problem but until then the workaround can be used.
Workaround:
On the command line run the following commands:
ucr unset connector/ad/mapping/attributes/irrelevant
service univention-ad-connector restart
By unsetting this UCR variable the connector looses the ability to filter out trivial changes. This should be OK for normal sized environments (1000 accounts). But in bigger environments and especially if AD policies like “Display information about previous logons during user logon” are used, the performance of the AD Connector should be checked after making this change.
Back to standard behavior:
On the command line:
ucr set connector/ad/mapping/attributes/irrelevant?"uSNChanged,whenChanged,lastLogon,logonCount,badPwdCount,badPasswordTime,dSCorePropagationData,msDS-RevealedDSAs,msDS-FailedInteractiveLogonCount,msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon,msDS-LastFailedInteractiveLogonTime,msDS-LastSuccessfulInteractiveLogonTime"
service univention-ad-connector restart