Password does not synchronize for admin account
Specops Password Sync by default will not synchronize password changes for privileged accounts. This default behavior is good security practice.
You may see the following message in the Windows Application event logs on domain controllers when attempting to sync admin account passwords:
Password will not be synchronized for user ‘username’ because the user is member of a protected group in Active Directory.
Enable Sync for Admin Accounts
Privileged accounts by definition have access to critical business data and systems, and it is usually desirable for these users to keep a different complex password on each system. Do not make the change below without weighing the security implications.
To allow password synchronization for admin accounts, manually add the following registry value on all Domain Controllers:
- From the Registry Editor, browse to HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifier.
- Right-click, select New, and click DWORD (32-bit) Value.
- In the value name field enter AllowSyncForAdministrators.
- In the value data field enter 1.
- Click OK.
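The same change, applied to every Domain Controller from one console, as an added PowerShell example (not Specops-supplied code). It assumes the ActiveDirectory RSAT module and PowerShell Remoting to each DC; the registry path and value name are the ones listed above. Each DC reports the value it ends up with so you can confirm the setting landed everywhere.

```powershell
# Added example, not part of the Specops documentation.
# Assumes: ActiveDirectory module (RSAT) on the admin workstation and
# PowerShell Remoting enabled on all Domain Controllers.
$regPath   = 'HKLM:\Software\Specopssoft\Specops Password Sync\ChangeNotifier'
$valueName = 'AllowSyncForAdministrators'

# Every DC in the current domain; the setting must exist on all of them.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $regPath, $valueName -ScriptBlock {
        param($path, $name)

        # The ChangeNotifier key is created by the Specops install; -Force also
        # creates any missing parent keys so the script is safe to re-run.
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }

        # DWORD (32-bit) value of 1, overwriting any previous value.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

        # Read the value back rather than trusting that the write succeeded.
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            $name            = (Get-ItemProperty -Path $path -Name $name).$name
        }
    }
}

$results | Format-Table -AutoSize
```

To return to the default (no synchronization for protected accounts), remove the value again on every DC with `Remove-ItemProperty -Path $regPath -Name $valueName`, since the absence of the value is what produces the default behavior described above.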
Non-Admin Accounts Affected By This Setting
Specops Password Sync uses the adminCount attribute of the user account to decide whether the user is an ‘admin’ account. Active Directory sets this attribute to 1 as part of the AdminSDHolder (SDProp) process for members of protected groups, but it does not clear it again when the user is removed from those groups, so it may become stale for users who were added to and later removed from a protected group. Such users will be treated as admin accounts and their passwords will not be synchronized until adminCount is cleared. Please see the following link for detailed steps to identify and remediate such user accounts: https://specopssoft.com/blog/troubleshooting-user-account-permissions-adminsdholder/
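An added PowerShell example (not Specops-supplied code, and not a substitute for the linked article) that finds users whose adminCount is still 1 although they are no longer members of any protected group. It assumes the ActiveDirectory RSAT module; the list of protected groups is taken from Microsoft's AdminSDHolder documentation and should be adjusted if your forest differs. Remediation (clearing adminCount and re-enabling ACL inheritance) is included but disabled by default so the script only reports until you opt in.

```powershell
# Added example, not part of the Specops documentation.
# Assumes: ActiveDirectory module (RSAT); run as an account that can read
# group membership and, for remediation, modify the affected user objects.
Import-Module ActiveDirectory

$Remediate = $false   # set to $true to clear adminCount and restore inheritance

# Groups protected by AdminSDHolder (assumed list; verify against your forest).
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Backup Operators', 'Print Operators',
    'Server Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Read-only Domain Controllers', 'Enterprise Admins', 'Schema Admins',
    'Key Admins', 'Enterprise Key Admins'
)

# Resolve current protected membership recursively (nested groups count).
$protectedMembers = foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty DistinguishedName
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}

# Users flagged as admin by adminCount but absent from every protected group.
# The built-in Administrator and krbtgt accounts are excluded: their
# adminCount=1 is legitimate and must not be cleared.
$stale = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object {
        $_.SamAccountName -notin @('Administrator', 'krbtgt') -and
        $_.DistinguishedName -notin $protectedMembers
    }

$stale | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

if ($Remediate) {
    foreach ($user in $stale) {
        # 1. Clear the stale flag so Password Sync no longer treats the user as admin.
        Set-ADUser -Identity $user.DistinguishedName -Clear adminCount

        # 2. SDProp also disabled ACL inheritance on the object; re-enable it
        #    and keep the existing explicit ACEs (second argument $true).
        $aclPath = "AD:\$($user.DistinguishedName)"
        $acl = Get-Acl -Path $aclPath
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $aclPath -AclObject $acl

        Write-Host "Remediated $($user.SamAccountName)"
    }
}
```

Run it once in report mode and review the list before setting `$Remediate` to `$true`; an account that appears here because it was deliberately given adminCount=1 outside the protected groups (for example by a custom process) should be handled by that process, not by this script.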