pwdconflicts
Use the pwdconflicts program to list accounts with passwords in conflict. You can then choose to automatically resolve these conflicts or force a randomization for the affected accounts.
The yes/no value in the Actionable column of the list output indicates whether you can submit a password conflict resolution attempt.
The value is "No" while a system is waiting for a password conflict to potentially resolve itself through replication, and then subsequently for automated resolution via idarch to fix that conflict directly.
If neither of these resolve the conflict, then it becomes actionable (value is "Yes") and can be acted on by an administrator to resolve the conflict manually. Non-forced randomization is never allowed as long as a conflict exists.
Usage
pwdconflicts.exe [-list | -randomize | -resolve] [-force][-save][-policyid <policy ID>] [-account <account ID>] [-batchsize <batch size>] [-sleeptime <sleep time>] [-wstnid <workstation ID>][-blank]
Argument | Description |
|---|---|
-account <account ID> | Only act on accounts with a specific ID. |
-batchsize <batch size> | The maximum amount of accounts to act on. The default is 5. |
-force | Allow resolution or randomization to proceed without further confirmation. Requires one of -randomize or -resolve. |
-list | List all accounts with passwords in conflict. |
-policyid <policy ID> | The managed system policy ID. When used in combination with -list, -randomize, or -resolve, only accounts in this policy will be acted on. |
-randomize | Force randomize accounts with passwords in conflict. Forced randomization will not occur if password randomization is disabled on the managed system policy to which the managed account is bound. |
-resolve | Attempt to resolve accounts with passwords in conflict automatically. |
-save | Save the list of conflicted accounts to the database. Requires one of -list, -randomize, or -resolve. |
-sleeptime <sleep time> | The duration (in milliseconds) to wait between batches. |
-wstnid <system ID> | Only act on accounts from this managed system. |
-blank | Completely delete the password tree of account specified. Requires both -wstnid and -account. WarningThis action will permanently clear the password history tree and cannot be recovered. |
Examples
To list all accounts with passwords in conflict and save them to the database, type:
pwdconflicts.exe -list -save
To automatically resolve conflicts for accounts of a specific managed system policy, type:
pwdconflicts.exe -resolve -policyid <policyID>
To automatically resolve conflicts for accounts with a specific ID, type:
pwdconflicts.exe -resolve -account <accountID>
To automatically resolve conflicts for all accounts on a specific system, type:
pwdconflicts.exe -resolve -wstnid <systemid>
To automatically resolve a conflict for a specific account on a specific system, type:
pwdconflicts.exe -resolve -wstnid <systemid> -account <accountID>
To force randomization for all accounts with passwords in conflict, type:
pwdconflicts.exe -randomize
To automatically resolve conflicts without further confirmation, type:
pwdconflicts.exe -resolve -force
To automatically resolve conflicts for a batch of 10 accounts, with subsequent batches worked on every minute, type:
pwdconflicts.exe -resolve -batchsize 10 -sleeptime 60000
To delete the password tree of a specific account on a specific system, type:
pwdconflicts.exe -blank -wstnid <systemid> -account <accountID>