Generally speaking, all password synchronization methods for Active Directory appear to involve either custom code or obscure components. We do not consider custom code in the security-critical processes of Windows clients or servers to be a good idea. The interfaces and limitations imposed by Active Directory and Windows are not entirely clear, because those systems are not sufficiently open, so it is not easy to assess the effect of such components from an engineering perspective. It is also not clear whether such components void warranties or support contracts. Therefore we generally do not recommend this approach, and it is not supported by Evolveum.
However, even though we do not recommend it, the solution may still be acceptable for some deployments. In that case two components may be of interest:
- midpoint-password-agent-ad in the Evolveum GitHub repository: an Active Directory agent that sends password updates to midPoint. This is a community contribution from 2014. It is unmaintained and unsupported code, and there are reports that it no longer works.
- midPointADPasswordAgent in the Identicum GitHub repository: a prototype that uses an Active Directory password filter to capture password changes. It is not maintained or supported by Evolveum; however, some support may be available from the author (Identicum) or the community.
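Both components above hook into the domain controller in the same way: a password filter DLL is registered as an LSA notification package and loaded into LSASS, where it receives every new password in cleartext. Before deciding whether such a component is acceptable, it is worth checking what is actually registered on each domain controller. The following script is an added example for this page; it is not part of the midPoint documentation nor code from Evolveum or Identicum. It assumes the standard registry location of the notification package list and treats the $KnownDefaults entries (scecli, which ships with Windows, and rassfm, typical on domain controllers) as the built-in baseline; adjust that list for your environment.

```powershell
# Added example (not midPoint, Evolveum or Identicum code): list the LSA password-filter
# DLLs (notification packages) registered on this machine and flag anything beyond the
# built-in baseline. Run elevated on each domain controller, because LSASS loads the
# filter locally on every DC that processes password changes.

# Assumption: these two entries are the built-in defaults in a typical DC configuration.
$KnownDefaults = @('scecli', 'rassfm')

# Standard location of the notification package list read by LSASS at startup.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PasswordFilterReport {
    # REG_MULTI_SZ value: one DLL base name per entry, resolved from %SystemRoot%\System32.
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($pkg in $packages) {
        $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $exists  = Test-Path -Path $dllPath

        # Anything not in the baseline is a third-party DLL running inside LSASS.
        $status = if ($KnownDefaults -contains $pkg) { 'built-in' } else { 'THIRD-PARTY' }

        # Authenticode status helps tell a vendor-signed module from an unsigned custom build.
        $signature = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } else {
            'missing'   # registered but the DLL is gone: LSASS will log a load failure
        }

        [pscustomobject]@{
            Package   = $pkg
            Status    = $status
            Path      = $dllPath
            Present   = $exists
            Signature = $signature
        }
    }
}

Get-PasswordFilterReport | Format-Table -AutoSize
```

Any entry reported as THIRD-PARTY is a custom DLL loaded into the LSASS process of that domain controller, with access to cleartext passwords as they are changed; that is exactly the kind of component whose effect the text above says is hard to assess and that may have support-contract implications. Run the report on every domain controller, not just one, since a filter is registered per machine.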
Instead of Active Directory password synchronization we propose a change in business processes. Users should be led to change their passwords through the midPoint user interface rather than relying on native Windows password management tools. This approach has several advantages: