Event Id | 8204 |
Source | Microsoft-Windows-IDMU-Psync |
Description | Password propagation failed. Logon account disabled for user on the specified host. %ruser = %1 %rhost = %2 |
Event Information | According to Microsoft: Cause: This event is logged when password propagation failed. Resolution: Make sure that the UNIX-based user account is not disabled. Password propagation failed. The account for user username on the specified host has been disabled. This error typically originates in the UNIX computing environment. Make sure that the user account has not been deleted on the UNIX-based host computer. If, after checking the UNIX environment, you find that the UNIX-based user account is not disabled, make sure that Password Synchronization has been configured in accordance with guidelines in Best Practices for Password Synchronization in the Password Synchronization Help, especially the following sections that describe how UNIX-based users should be identified to the Windows-based computer running Password Synchronization.
Best Practices for Password Synchronization
Controlling password synchronization for user accounts: You can control which users' passwords are synchronized by creating two local user groups: PasswordPropAllow and PasswordPropDeny. (Use Active Directory Users and Computers to create the two groups.) In the PasswordPropAllow group, add the user names for which passwords should be synchronized. In the PasswordPropDeny group, add user names for which passwords should not be synchronized. Passwords are synchronized for users who are in PasswordPropAllow and are not in PasswordPropDeny. If PasswordPropAllow does not exist, the effect is the same as if it did exist with all user names in it. If PasswordPropDeny does not exist, the effect is the same as if it did exist with no user names in it. These rules apply to synchronization from Windows to UNIX and from UNIX to Windows. If a user's password cannot be synchronized from Windows to UNIX, it cannot be synchronized from UNIX to Windows.
You can ensure that the passwords for certain users are never synchronized, even if synchronization is allowed by the Password Synchronization server. To ensure that a UNIX user account will never have its password synchronized with the Windows password, edit the sso.conf file to place the user name of the account, preceded by a minus sign (-), after SYNC_USERS=. For example, to ensure that the password of the root account is never synchronized with a Windows account by that name, make sure that the following line appears in sso.conf: SYNC_USERS=-root
To control password synchronization for user accounts:
Retry Windows to UNIX password synchronization for any failed user password change attempts to verify that Password Synchronization is operating normally. Password Synchronization is operating normally when password synchronization succeeds and is operating under warning conditions if synchronization fails for some passwords but succeeds for others. If password synchronization succeeds for some passwords but fails for others, Windows to UNIX Password Synchronization Configuration is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts. |
Reference Links | Event ID 8204 from Microsoft-Windows-IDMU-Psync |
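
When triaging Event ID 8204, it helps to confirm whether the account was expected to synchronize at all under the PasswordPropAllow / PasswordPropDeny rules and the sso.conf exclusion described under Event Information. The Python below is an added example, not Microsoft's or the Password Synchronization service's code; the function names are hypothetical, and treating multiple SYNC_USERS entries as comma-separated is an assumption.

```python
def parse_sync_exclusions(sso_conf_text):
    """Return UNIX user names written as '-name' on the SYNC_USERS= line."""
    excluded = set()
    for raw in sso_conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("SYNC_USERS="):
            continue
        # Assumption: multiple entries, if present, are comma-separated.
        for entry in line.split("=", 1)[1].split(","):
            entry = entry.strip()
            if entry.startswith("-") and len(entry) > 1:
                excluded.add(entry[1:])
    return excluded


def windows_side_allows(user, allow_group=None, deny_group=None):
    """Apply the PasswordPropAllow / PasswordPropDeny rules.

    Pass None for a group that does not exist: a missing allow group admits
    every user, a missing deny group blocks no one. An allow group that
    exists but is empty admits nobody.
    """
    name = user.casefold()  # Windows account names are case-insensitive
    in_allow = allow_group is None or name in {m.casefold() for m in allow_group}
    in_deny = deny_group is not None and name in {m.casefold() for m in deny_group}
    return in_allow and not in_deny


def expected_to_sync(user, allow_group, deny_group, sso_conf_text):
    """Return (decision, reason) for one account on one UNIX host.

    The group rules apply in both directions, so one check covers
    Windows-to-UNIX and UNIX-to-Windows synchronization.
    """
    if not windows_side_allows(user, allow_group, deny_group):
        return False, "blocked by PasswordPropAllow/PasswordPropDeny"
    if user in parse_sync_exclusions(sso_conf_text):  # UNIX names: exact match
        return False, "excluded in sso.conf"
    return True, "in scope"


# Constructed sample input, matching the sso.conf line shown above.
SAMPLE_SSO_CONF = "SYNC_USERS=-root\n"
```

If the result is "in scope" and the event still appears, the remaining causes are the ones the resolution text names: the account is disabled or deleted on the UNIX host.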