Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I

If you wish to synchronize user’s password from Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) then you must install  Microsoft Active Directory Password Synchronization connector

This post covers things you must know regarding Microsoft Active Directory Password Synchronization

  • For Connector basics : ResourcesReconciliation, and Provisioning click here
  • For more information on type of connectors Java vs .NET (dot net) click here
  • For OIM connectors for Microsoft (Active DirectoryExchange, andWindows) click here
  • For OIM-OID connector architecture click here
  • For OIM-Oracle eBusiness Suite connector click here
  • For latest version of MS-AD password Sync and patch click here
Things you must know for Microsoft Active Directory Password Synchronization connector
  1. For Microsoft Active Directory Password Synchronization connector , Microsoft Active Directory User Management (UM) connector is pre-requisite. (You must first install Microsoft Active Directory User Management connector)
  2. Microsoft Active Directory User Management connector’s latest version (as of Sep 2012) is where as Microsoft Active Directory Password Synchronization connector’s latest version (as of Sep 2012) is
  3. You can configure OIM 11g with Microsoft Active Directory User Management (MS-UM) and  Microsoft Active Directory Password Synchronization
  4. Microsoft Active Directory Password Synchronization connector must be installed on Windows Active Directory Domain Controller machine
  5. If AD domain controller is running on multiple machines (for high availability/resilience) then you must install password synchronization connector on each domain controller machine
  6. MS-AD Password Synchronization Connector configuration is stored in registry HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync
  7. For Active Directory related configuration : HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ ADConfig

  8. ADPersistentStore is OU in Active Directory that will store data for users whose password can’t be synced from AD to OIM for various reasons (OIM not available, user not available in OIM etc).
  9. Change value of Log from N to Y , if you wish to enable logging in password synchronization (by default logging is disabled)
  10. LogPath represents directory in which logs are enabled (to enable logging set value of field Log to Y )
  11. For OIM related configuration: HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ OIMConfig
  12. OIMhost is hostname where OIM managed server is running (For High Availability use load balancer name here)
  13. OIMPort is port on OIM managed server  is running (For High Availability use port number on which load balancer is configured)
  14. To disable Password Synchronization connector, set value of Disabled to 1 (0 means password synchronization is enabled)
  15. To enable logging for OIM related events set value of parameter OIMLog to Y , You will see file [TIME_STAMP]OIMMain.log
  16. AD will communicate to OIM server via SPML Web Service (WS) SOAP request over HTTP(S) like http(s)://OIMHost:OIMPort/spmlws/OIMProvisioning for OIM on WebLogic Server(Make sure to deploy SPML-DSML application on OIM Managed Server and application is in ACTIVE state)
  17. In [TIME_STAMP]OIMMain.logyou should see calls likeDebug [2/20/2002 12:54:42 AM] The SOAP start element is 
    Debug [2/20/2002 12:54:42 AM] <processRequest xmlns=””><sOAPElement>
    Debug [2/20/2002 12:54:42 AM] The SOAP end element is 
    Debug [2/20/2002 12:54:42 AM] </sOAPElement></processRequest>
    Debug [2/20/2002 12:54:42 AM] The path is 
    Debug [2/20/2002 12:54:42 AM] /spmlws/OIMProvisioning
    Debug [2/20/2002 4:54:53 PM] <env:Envelope xmlns:soapenc=”” xmlns:xsd=”” xmlns:env=”” xmlns:xsi=””><env:Header/><env:Body env:encodingStyle=””><m:processRequestResponse xmlns:m=””><setPasswordResponse xmlns=”urn:oasis:names:tc:SPML:2:0:password”</setPasswordResponse></m:processRequestResponse></env:Body></env:Envelope>
  18. For connector installer related configuration HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ Install


More on Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know in Part II


  • For latest version of MS-AD password Sync and patch click here

Share any tips/key point related to OIM’s Microsoft Active Directory Password  Synchronization by leaving comment

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

Mann says July 10, 2013

Can we achieve the same thing wihtout synch
password synch connector?

Like using OIM with OAM/ESSO/OID?


    Atul Kumar says July 10, 2013

    Password change from AD to OIM can be achieved only via password sync connector.

    Other option for password sync could be AD -> OID -> OIM (where password sync from AD to OID using AD-OID integration and then from OID to OIM using LDAPSync) – This will be less preferred route .

    Password Sync is better way as this is immediate , why don’t you want to use password sync ?

Mann says July 11, 2013

Atul Thanks for your reply.
It really helps as always 

Actually our Active Directory team is not happy with internal architecture of ‘password synch connector’. During password change it put internal lock which is not considered good here.

One last suggestion.
I was thinking in below direction but do not have experience on any other product other than OIM.
Like I integrate anyone componenet of eSSO with AD so that esSSO password and AD password get in synch. Then integrating OIM with eSSO.
Process might be password from AD >> eSSO>>OIM.

Kindly ignore my ignorance and suggest.
Thanks Again!

Don says July 17, 2013


How about the other way around? OIM to AD sync. Our set up is as follows.

Our college maintains an Oracle ID for every past, current of course future students, faculty, staff, etc.

Our department is currently managing authentication to our department lab systems in AD. This involves importing users each session into AD and setting a temp passwords with a require password change first log in.

This works great except the user accounts are based on the college’s eID. Meaning the samaccountname is the same as the name in the college’s ID management system.

This actually causes a lot of confusion since everyone typically chooses two different passwords for the same user name.

So I was wondering if it is possible to set up a one way password sync from the Oracle IDM to AD.

Seeing as our department only has a small subset of the overall users this makes even more sense to me.

This is how I am hoping it would work. I get registration data for our department. I import new users based on their eID, set a default password for each new user, set user account control not to require password change, never expire. Then behind the scenes the through the connector server on the DC each users password is updated with the password stored in OIM.

That way users can authenticate to our lab systems using the same password they use for everything else throughout the college.

I have seen many examples of syncing like you initially show but none so far the way I am hoping to get things to work.

Is this possible?



    Atul Kumar says July 17, 2013

    @ Don,
    From your comment it is not clear which product with in IDM stack do you use to sync data from Oracle to AD. There are two things I can think of OID & OIM and both support password sync from OID/OIM to AD .

    Tell me which Oracle Product you use for authentication (where username/password is store) so I can tell you how to sync password from that source to AD or vice versa.

Don says July 17, 2013


Sorry for the delayed response. I was waiting to hear back what product we are running from our service center. I though we had moved up to Oracle but we still are currently on Sun Identity manager 5.2 patch 4.


praveen says August 26, 2013

Can any one help me in installing AD PASSWORD Sync for 11gR2.

praveen says September 17, 2013

Thanks Atul its working fine…

chinna says September 19, 2013

What about part 2???

pranav says October 10, 2013

I’m looking for part 2 as well. Do you have a link for it? I can’t find it when i do a web search.


anonymous says October 10, 2013

What type of privileges/role should the OIM service account have to allow password change? Can it be part of the Administrators?

    Atul Kumar says October 10, 2013

    To add/delete account in AD. Yes it can be part of Administrators (but neeed to be – Just create/delete/modify)

» Help Me : Microsoft Active Directory Password Sync version and latest patch for Oracle Identity Manager Online Apps DBA: One Stop Shop for Apps DBA’s says October 31, 2013

[…] Microsoft Windows, Microsoft Exchange, and Password Synchronization), I also posted about  Password Synchronization for Active Directory that must be installed on all Microsoft Active Directory Domain Controllers, and is used to sync […]

Ravi says November 5, 2013


Can you please suggest how to configure Password Sync connector on a clustered environment, we have more then 2 OIM servers configured. Can we configure OHS server for Password Sycn.

Kindly suggest or provide any link to understand the configuration before implementing it.

    Atul Kumar says November 5, 2013

    @ Ravi,
    If you have more than one OIM managed server then either configure OHS server (mod_wl_ohs) or load balancer in front of OIM managed servers and ensure that you can access


    During password sync connector install on domain controllers (you must install PWD sync on all DCs) when prompted for OIM Host and Port, use OHS or LBR listen host and list port number

    Rest all is same as single node OIM password sync

anonymous says January 6, 2014

Could you please provide instructions to use SSL for password sync where OIM is in a clustered environment front ended by a LB?

mathmut says March 27, 2014

Hi Atul,

We have an environment with OIM-AD pass sync installed on it and working fine. Users are allowed to change their passwords from both OIM and AD. But we sometimes get an error in OIM logs like “Error occurred while setting user password.” and when we check AD pass sync logs we saw that error is about password history. I have an opinion but not sure. When we change password from OIM we send it to AD by change user password task and when AD password is changed OIM-AD pass sync catches the process and sends new password back to OIM and this time OIM rejects the newly changed password with error “IAM-3030006:The following password policy rules were not met:Password must not be one of 4 previous passwords.”. Is there any solution to ignore this error which is actually not an error ?

    Atul Kumar says March 27, 2014

    @ mathmut,
    Change password policy in OIM that it allows previous passwords .


    Atul Kumar
    Contact Us for Consulting Services

mathmut says March 27, 2014


Thanks but users are allowed to change passwords from both OIM and AD. If we allow previous passwords from OIM then we cannot control password history if user changes password from OIM self service.

Nirav says April 1, 2014

Hi atul,

I am using OIM 9i and am using custom built connector for AD and not the OOTB from oracle.But can i use the AD password sync connector provided by oracle along with my custom AD connector?

As i saw a note by you that MIcrosoft AD connector is a pre-requisite for AD passwrd sync connctor.

    Atul Kumar says April 1, 2014

    Nirav, I don’t see any problem with that as long as users are synced between AD and OiM. I am sending you message directly on your mail or contact me via contact us.

    Are you hitting any issue with password sync ?

Nirav says April 1, 2014

hi Atul,

I have mailed u ..
Yes user password is not getting synced.
“Unable to sync OIM user password.Run configparameter.exe is the status when i view in the event logs.


mathmut says June 20, 2014

Hi Atul,

oim ad password sync logs are enabled for our system. But it causes a problem about disk space. Is there a log appender config for this or do we have to disable logging?


Jatin says September 17, 2014

Hi Atul,

As far as I have understood the requirement of AD Password Sync Connector, it is to sync the password changes from AD to OIM.

But in my environment when i change the password of a user account in AD, it immediately changes the password of the OIM user.

There is no Password Sync installed on the AD as far as i know. Even in the registry the folders that you showed in the screenshots are not present.

Have i not understood the purpose of the connector or is there something else i need to check in AD to make sure that the password sync connector is not installed?

Salman Hamid says November 25, 2014

Hi Atul,

How can we sync passwords from AD to OIM for all existing users in AD. So they can access the self service portal using their AD credentials.

Best regards,

Ashwin says August 28, 2015

Hi Atul,

We imported the AD certificate recently in OIM and connected to AD via 636 port and we are not able to sync the users(data) from AD to OIM now both through 636 and 389 port but we are able to reset the password through 636. Can you tell me y the data is not syncing.

Recently AD has been migrated to 2008. OIm version is 9.1.0

    Atul Kumar says September 1, 2015

    In what Mode AD is configured ? Trust Source or something else

    For trusted source check scheduled job to pull users in running and there are no errors . Check OIM server log file to see sync is not happening . Create a user in OIM, assign AD account to this resource and check OIM logs .

newToOim says October 2, 2015


I am facing the same problem as Mathmut where a password change in AD gets pushed back into OIM and creates a cycle. Password can be changed through both OIM and AD.

Anyone has any pointers on how to solve that problem?


Brian says April 21, 2016

Hi Everyone,

Can someone please provide suggestions on how to sync oracle E-Business Suite password with active directory? Thanks

Add Your Reply