Posted: 13 Apr 2005

Here are two questions and two responses from Forum experts on the subject of Universal Password management.

Question 1: How Do I Assign a Password Policy to the Tree?

In the NMAS documentation I read: "When you enable Universal Password on a container, it is enabled on all existing subcontainers as well. If you enable Universal Password at the Tree level, all subcontainers you create after enabling Universal Password will be enabled for Universal Password. However, if you enable Universal Password on a container below the Tree level, such as, on an Organization (O) or an Organizational Unit (OU), and then create a new subcontainer, you must enable Universal Password on that subcontainer. It is not automatically enabled."

What I cannot get right in iManager, however, is to assign my password policy (with Universal Password enabled) to the tree. I can only assign it to Users, Organizations, Organizational Units, and Login Policy objects. We have a client with a lot of containers, and I don't want them to have to assign the password policy to each new container when it is created.

Answer, Forum Expert 1

The solution to this is quite simple.

• If you want to assign it on a tree wide basis, assign it to the Login Policy object.
• If you set it on a container that is not partitioned, then the policy will only be in effect for the objects inside that container (no subcontainers).
• However, if the container IS partitioned then the assigned policy will flow down to the subcontainers inside that partition only.
• You can also set it on a user basis if needed.

Universal Password starts at the User, then parent container, partition root, then Login policy object searching for a policy. The lowest policy found is the policy that is applied. So a policy set on a user will override a container or tree-wide policy.

Question 2: How does UP Affect eDirectory?

If we enable Universal Password in a test OU on the live tree, what changes occur in eDirectory? Are they easily reversible? In other words, if we switch UP off, will everything go back to normal?

I've read many articles and postings on slow logins and NMAS on the client etc., but we just want to enable CIFS on one OU and have UP sync NDS with simple passwords, so we don't have to manage simple passwords. This particular OU does not have any machines with Novell clients. Needless to say they cannot access the NW servers yet.

I have read the deployment guide but do not have a clear understanding of the changes I'll be making by enabling UP. Any comments are greatly appreciated.

Answer, Forum Expert 2

Enabling a Universal Password Policy on an OU (that is not partitioned) will apply to the users inside that container ONLY.

Enabling the Password Policy on the container does absolutely nothing to the users inside the container until they log in from an NCP client (Novell Client). Once they log in, and there is a policy in place, additional attributes are created on the user object. These attributes store the passwords, but they are hidden attributes, so you can't tell anything has happened. You can use DIAGPWD1.EXE to verify that the NDS, Simple and Universal Passwords are the same. You can find that utility on Novell's support website.

If Simple passwords aren't previously populated on the users before enabling UP, the users must log in from an NCP client to get their NDS password to sync to Simple. That should only be the case if you don't have a Simple password already assigned, and it's a one-time thing.

If you turn the password policy off (by taking the assignment off the OU) the users will revert back to using the NDS password, Simple password, etc. However, if they logged in while UP Policy was enabled, they will have the additional attributes (they won't hurt anything).