The PowerShell script given below synchronizes a user's password between their accounts in two Active Directory domains by copying the NT hash from one domain to the other. ADSelfService Plus, a self-service password management and single sign-on solution, synchronizes changes made to a domain user's password to their user accounts in other Active Directory domains and in enterprise applications such as Google Workspace (formerly G Suite) and Office 365. The PowerShell approach is shown first, followed by how the same synchronization is configured in ADSelfService Plus.
To synchronize passwords across a user's accounts in two domains with PowerShell, the DSInternals module must be installed:

Install-Module -Name DSInternals

DSInternals supplies Get-ADReplAccount, which reads account hashes from a domain controller over the directory replication (DRS) protocol, and Set-SamAccountPasswordHash, which writes a hash into an account over SAMR. Reading hashes this way is the same operation a DCSync attack performs, so the source-domain account needs the "Replicating Directory Changes" and "Replicating Directory Changes All" rights on the domain, and the host, the account and the credential files below need to be protected accordingly.

Once the module is installed, create and save a credential for each domain. Export-CliXml protects the password with DPAPI under the Windows account that runs it, so the file can only be imported by that same user on that same machine; run it as the account that will later run the sync, once for the source domain and once for the target domain:

$credential = Get-Credential;
$credential | Export-CliXml -Path '<enter the path of an XML file here>';

Now run the following script:
$sourceDomainNetBIOS = '<primary domain>';
$sourceDomainFQDN = '<primary domain>.com';
$sourceDomainDN = 'DC=<primary domain>,DC=com';
$sourceDomainCredential = Import-CliXml -Path '<enter the file path of an xml file here>';
$targetDomainNetBIOS = '<secondary domain>';
$targetDomainFQDN = '<secondary domain>.com';
$targetDomainDN = 'DC=<secondary domain>,DC=com';
$targetDomainCredential = Import-CliXml -Path '<enter file path of an XML file here>';
$syncGroup = 'Some Group';

# Pull every account, with its NT hash, from the source domain over the replication protocol.
# This is a DCSync: the source credential needs "Replicating Directory Changes All".
$hashes = Get-ADReplAccount -All -NamingContext $sourceDomainDN -Server $sourceDomainFQDN -Credential $sourceDomainCredential;

# Only members of the sync group in the target domain get their password overwritten.
$users = Get-ADGroupMember $syncGroup -Server $targetDomainFQDN -Credential $targetDomainCredential;

foreach ($user in $users)
{
    $currentUserHash = $hashes | Where-Object { $_.SamAccountName -eq $user.SamAccountName };
    if (-not $currentUserHash -or -not $currentUserHash.NTHash)
    {
        Write-Warning "No source account or no NT hash for $($user.SamAccountName); skipping";
        continue;
    }
    $NTHash = ([System.BitConverter]::ToString($currentUserHash.NTHash) -replace '-','').ToLower();
    # Writes the hash directly over SAMR; the target domain's password policy is not evaluated.
    Set-SamAccountPasswordHash -SamAccountName $user.SamAccountName -Domain $targetDomainNetBIOS -NTHash $NTHash -Server $targetDomainFQDN -Credential $targetDomainCredential;
}

The Password Synchronization feature of ADSelfService Plus synchronizes the changes made to a domain user's password with their user accounts in other domains and enterprise applications.
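The following is an added example, not code from the original page or from ADSelfService Plus. It wraps the hash-copy loop above in a function that supports -WhatIf, indexes both domains' accounts once instead of rescanning the list per user, skips accounts whose hash is already identical on the target (so a scheduled run leaves no spurious password-set events), and emits one result object per user. It assumes the DSInternals and ActiveDirectory modules are installed and that the credential XML files were created with Export-CliXml by the same Windows account that runs it; the domain names, group name and file paths in the usage call are placeholders.

```powershell
# Added example (not from the original page): hardened version of the sync loop.
# Assumes DSInternals and ActiveDirectory are installed, and that the credential XML
# files were exported by the account running this script (Export-CliXml uses DPAPI,
# so another user or machine cannot import them).
#Requires -Modules DSInternals, ActiveDirectory

function Sync-NTHashToDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]       $SourceDomainFQDN,
        [Parameter(Mandatory)] [string]       $SourceDomainDN,
        [Parameter(Mandatory)] [pscredential] $SourceCredential,
        [Parameter(Mandatory)] [string]       $TargetDomainFQDN,
        [Parameter(Mandatory)] [string]       $TargetDomainNetBIOS,
        [Parameter(Mandatory)] [string]       $TargetDomainDN,
        [Parameter(Mandatory)] [pscredential] $TargetCredential,
        [Parameter(Mandatory)] [string]       $SyncGroup
    )

    # One replication read (DCSync) per domain, indexed by sAMAccountName so each
    # lookup is a hashtable hit rather than a scan of every account.
    $sourceByName = @{}
    Get-ADReplAccount -All -NamingContext $SourceDomainDN -Server $SourceDomainFQDN -Credential $SourceCredential |
        Where-Object { $_.SamAccountName } |
        ForEach-Object { $sourceByName[$_.SamAccountName.ToLowerInvariant()] = $_ }

    $targetByName = @{}
    Get-ADReplAccount -All -NamingContext $TargetDomainDN -Server $TargetDomainFQDN -Credential $TargetCredential |
        Where-Object { $_.SamAccountName } |
        ForEach-Object { $targetByName[$_.SamAccountName.ToLowerInvariant()] = $_ }

    # Only user members of the designated group in the target domain are touched. Whoever
    # can edit that group's membership decides whose password gets overwritten, so the
    # group itself needs the same protection as the sync account.
    $members = Get-ADGroupMember -Identity $SyncGroup -Recursive -Server $TargetDomainFQDN -Credential $TargetCredential |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $key = $member.SamAccountName.ToLowerInvariant()
        $src = $sourceByName[$key]
        $dst = $targetByName[$key]

        if (-not $src -or -not $src.NTHash) {
            [pscustomobject]@{ User = $member.SamAccountName; Action = 'SkippedNoSourceHash' }
            continue
        }

        # Compare the 16-byte NT hashes as hex strings; identical means nothing to do.
        if ($dst -and $dst.NTHash -and
            ([System.BitConverter]::ToString($src.NTHash) -eq [System.BitConverter]::ToString($dst.NTHash))) {
            [pscustomobject]@{ User = $member.SamAccountName; Action = 'Unchanged' }
            continue
        }

        # -NTHash takes the raw byte array; no hex conversion is needed. The write goes
        # over SAMR and bypasses the target domain's password policy.
        if ($PSCmdlet.ShouldProcess("$TargetDomainNetBIOS\$($member.SamAccountName)", 'Overwrite NT hash')) {
            Set-SamAccountPasswordHash -SamAccountName $member.SamAccountName -Domain $TargetDomainNetBIOS `
                -NTHash $src.NTHash -Server $TargetDomainFQDN -Credential $TargetCredential
            [pscustomobject]@{ User = $member.SamAccountName; Action = 'Updated' }
        }
    }
}

# Usage (placeholder domains, group and paths). Run once with -WhatIf to see which
# accounts would be written before letting it change anything.
$result = Sync-NTHashToDomain -SourceDomainFQDN 'corp.example.com' -SourceDomainDN 'DC=corp,DC=example,DC=com' `
    -SourceCredential (Import-CliXml -Path 'C:\sync\source.cred.xml') `
    -TargetDomainFQDN 'lab.example.com' -TargetDomainNetBIOS 'LAB' -TargetDomainDN 'DC=lab,DC=example,DC=com' `
    -TargetCredential (Import-CliXml -Path 'C:\sync\target.cred.xml') `
    -SyncGroup 'Password Sync Users' -WhatIf
$result | Group-Object Action | Select-Object Name, Count
```

Reading the target domain's hashes as well doubles the replication traffic, but it is what makes the unchanged check possible; the target credential already has to be powerful enough to reset passwords, so it adds no new privilege requirement. Drop -WhatIf from the usage call to perform the writes.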
For configuration:

Make sure the Active Directory (RSAT) module is installed and loaded. The script above uses it for Get-ADGroupMember; Get-ADReplAccount and Set-SamAccountPasswordHash come from DSInternals.

Import-Module ActiveDirectory

The script does not require a trust between the two domains: it authenticates to each domain with its own credential and copies the hash out of band. Note that the command

New-ADObject -Name "Trust" -Type container -Path "CN=System,DC=domainA,DC=com"

only creates an empty container named "Trust" under CN=System; it does not establish a trust between domainA.com and any other domain. Trusts are created with netdom trust or the Active Directory Domains and Trusts console, and the ones that exist can be listed with Get-ADTrust -Filter *.

Active Directory never replicates unicodePwd (or any other password attribute) between domains, and there is no Set-ADReplicationAttribute cmdlet that would make it do so. That is why the script reads the NT hash explicitly with Get-ADReplAccount and writes it with Set-SamAccountPasswordHash.

Start-ADSyncSyncCycle and Get-ADSyncConnector belong to the ADSync module installed with Azure AD Connect (now Microsoft Entra Connect) and run only on that server. They synchronize on-premises identities to Azure AD (Microsoft Entra ID); they do not synchronize passwords between two on-premises domains. On the Azure AD Connect server,

Start-ADSyncSyncCycle -PolicyType Delta

triggers a delta synchronization cycle, which processes only objects changed since the last cycle instead of a full import, and

Get-ADSyncConnector | Select-Object Name, Type

lists the configured connectors. An AD connector being present means that forest is being synchronized to Azure AD; it does not by itself mean password hash synchronization is enabled, which is read with Get-ADSyncAADPasswordSyncConfiguration -SourceConnector '<AD connector name>'. Azure AD Connect can be set up to synchronize several forests into one tenant, but even then password hashes flow to Azure AD, not from one on-premises domain to another.
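The following is an added example, not code from the original page or from ADSelfService Plus: a preflight check to run before the sync script. It verifies that the two modules are available, lists the trusts each domain has (informational, since the hash-copy approach does not need one), and audits which principals hold the replication extended rights that Get-ADReplAccount depends on in the source domain. Those GUIDs are the schema-defined control-access rights DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set; the domain names and credential paths in the usage call are placeholders.

```powershell
# Added example (not from the original page): preflight checks for the hash sync.
# Assumes the ActiveDirectory module; domain names and credential paths are placeholders.
#Requires -Modules ActiveDirectory

function Test-SyncPrerequisites {
    param(
        [Parameter(Mandatory)] [string]       $SourceDomainFQDN,
        [Parameter(Mandatory)] [string]       $SourceDomainDN,
        [Parameter(Mandatory)] [pscredential] $SourceCredential,
        [Parameter(Mandatory)] [string]       $TargetDomainFQDN,
        [Parameter(Mandatory)] [pscredential] $TargetCredential
    )

    $report = [ordered]@{}

    # 1. Modules: Get-ADReplAccount / Set-SamAccountPasswordHash come from DSInternals,
    #    Get-ADGroupMember / Get-ADObject / Get-ADTrust from the RSAT ActiveDirectory module.
    foreach ($m in 'DSInternals', 'ActiveDirectory') {
        $report["Module:$m"] = [bool](Get-Module -ListAvailable -Name $m)
    }

    # 2. Trusts, for information only; copying hashes out of band works without one.
    $report['SourceTrusts'] = @(Get-ADTrust -Filter * -Server $SourceDomainFQDN -Credential $SourceCredential |
        Select-Object -ExpandProperty Name)
    $report['TargetTrusts'] = @(Get-ADTrust -Filter * -Server $TargetDomainFQDN -Credential $TargetCredential |
        Select-Object -ExpandProperty Name)

    # 3. Who can replicate (DCSync) the source domain. The sync account must be on this
    #    list, and so is every other principal that can dump every hash in the domain.
    $replicationRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    $root = Get-ADObject -Identity $SourceDomainDN -Properties nTSecurityDescriptor `
        -Server $SourceDomainFQDN -Credential $SourceCredential
    $report['SourceReplicationACEs'] = @(
        $root.nTSecurityDescriptor.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $replicationRights.ContainsKey($_.ObjectType.ToString()) } |
            ForEach-Object {
                [pscustomobject]@{
                    Principal = $_.IdentityReference.Value
                    Right     = $replicationRights[$_.ObjectType.ToString()]
                }
            } |
            Sort-Object Principal, Right
    )

    [pscustomobject]$report
}

# Usage (placeholder domains and paths).
Test-SyncPrerequisites -SourceDomainFQDN 'corp.example.com' -SourceDomainDN 'DC=corp,DC=example,DC=com' `
    -SourceCredential (Import-CliXml -Path 'C:\sync\source.cred.xml') `
    -TargetDomainFQDN 'lab.example.com' -TargetCredential (Import-CliXml -Path 'C:\sync\target.cred.xml') |
    Format-List
```

The ACE audit lists only explicit replication rights. Principals holding GenericAll or WriteDacl on the domain root can grant themselves the same access, so review those entries of the same descriptor as well, and expect to see the domain controllers and the built-in administrative groups in the output by default; anything else should be deliberate, the sync account included.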