
Pcnscfg: Password change notification service (PCNS) configuration utility

Manages the configuration settings that are stored in Active Directory and used by the password change notification service (PCNS). You must be a member of the Enterprise Admins group or the Domain Admins group to use this utility.

pcnscfg list

Displays the current PCNS configuration

Syntax

pcnscfg list

Parameters

The list command has no parameters.

Example

Sample output for the list command:

MaxQueueLength........: 0
MaxQueueAge...........: 0 seconds
MaxNotificationRetries: 0
RetryInterval.........: 90 seconds

Targets

Target Name...........: fab-dev-01
Target GUID...........: 515F9932-6332-4468-8DDA-975A74E2D337
Server FQDN or Address: fab-dev-01.usergroup.fabrikam.com
Service Principal Name: PCNSCLNT/fab-dev-01.usergroup.fabrikam.com
Authentication Service: Kerberos
Inclusion Group Name..: Fabrikam\Domain Users
Exclusion Group Name..:
Keep Alive Interval...: 15 seconds
User Name Format......: 1
Queue Warning Level...: 100
Queue Warning Interval: 30 minutes
Disabled..............: False

Total targets: 1
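
The following is an added example, not part of the original documentation: a Python sketch that parses saved `pcnscfg list` output and flags settings that the parameter descriptions on this page call out (unbounded queue on the domain controller, no exclusion group, queue warning disabled, disabled target). The function names `parse` and `audit` and the choice of checks are assumptions, and the input is a constructed, abridged copy of the sample output above.

```python
import re
# Constructed input: the sample `pcnscfg list` output above, abridged.
SAMPLE = """\
MaxQueueLength........: 0
MaxQueueAge...........: 0 seconds
MaxNotificationRetries: 0

Targets

Target Name...........: fab-dev-01
Inclusion Group Name..: Fabrikam\\Domain Users
Exclusion Group Name..:
Queue Warning Level...: 100
Disabled..............: False

Total targets: 1
"""

# "Key....: value" lines; the dot padding and the value are both optional.
LINE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*: ?(.*)$")

def parse(text):
    """Split `pcnscfg list` output into service settings and per-target dicts."""
    service, targets, current = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m[1] == "Total targets":
            continue
        if m[1] == "Target Name":  # each target block starts with its name
            current = {}
            targets.append(current)
        (service if current is None else current)[m[1]] = m[2].strip()
    return service, targets

def audit(text):
    service, targets = parse(text)
    out = []
    # Either limit alone bounds the queue, so flag only when both are 0 (unlimited).
    if all(service[k].split()[0] == "0" for k in ("MaxQueueLength", "MaxQueueAge")):
        out.append("service: queue unbounded (MaxQueueLength=0, MaxQueueAge=0)")
    for t in targets:
        name = t["Target Name"]
        if not t.get("Exclusion Group Name"):
            out.append(f"{name}: no exclusion group set")
        if t.get("Queue Warning Level", "0") == "0":
            out.append(f"{name}: queue warning disabled (level 0)")
        if t.get("Disabled") == "True":
            out.append(f"{name}: disabled, pending changes are discarded")
    return out
```

Run `audit()` on output captured from a domain controller to review every target in one pass; for the sample above it reports the unbounded queue and the missing exclusion group.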

pcnscfg service

Configures the PCNS settings in Active Directory.

Syntax

pcnscfg service [/L: MaximumQueueLength] [/A: MaximumQueueAge] [/R: MaximumNotificationRetries] [/I: RetryInterval]

Parameters

/L: MaximumQueueLength
Specifies the maximum number of password changes to store in the queue. Must be an integer in the range from 0 to 4294967295. If a limit is specified and the queue becomes full, the oldest password change requests are discarded first. Specify 0 for unlimited. Note that if passwords cannot be delivered and MaximumQueueLength is set to unlimited, the queue size increases and consumes disk resources on the domain controller as needed.
/A: MaximumQueueAge
Specifies the maximum time in seconds that an undelivered password change can remain in the queue before being discarded. Must be an integer in the range from 0 to 4294967295. Specify 0 for unlimited. Note that if passwords cannot be delivered and MaximumQueueAge is set to unlimited, the queue size increases and consumes disk resources on the domain controller as needed.
/R: MaximumNotificationRetries
Specifies the maximum number of times that an attempt is made to notify the target server of a password change. Must be an integer in the range from 0 to 1000. Specify 0 for unlimited.
/I: RetryInterval
Specifies the interval, in seconds, before a failed notification is retried. Must be an integer in the range from 10 to 3600.

Example

To set the MaximumQueueLength and MaximumQueueAge to unlimited, and limit the number of notification retries to 500 and the retry interval to 15 seconds, type pcnscfg service /L:0 /A:0 /R:500 /I:15

pcnscfg addtarget

Creates a new target.

Syntax

pcnscfg ADDTARGET /N: Name /A: Address /S: SPN /FI: Group [/FE: [Group]] [/F: n] [/I: nn] [/WL: nn] [/WI: nn] [/D: {True|False}]

Parameters

/N: Name
The user-defined, friendly name of the target server. This name becomes the value of the CN property of the object that is created in Active Directory.
/A: Address
The fully qualified domain name (FQDN) or address of the target server, for example, fab-dev-01.usergroup.fabrikam.com.
/S: SPN
Service principal name (SPN) of the target server running Microsoft Identity Integration Server 2003 that was specified in the setspn.exe command.
/FI: Group
Filter inclusion group name to use to permit passwords to be forwarded. Inclusion group names enclosed in quotation marks are saved with embedded spaces, for example "Password enabled users". For more information about inclusion groups, see Password management.

Note

  • Inclusion groups and exclusion groups must be specified by using the group name only, for example /FI:PasswordInclusionGroup. The domain specified in the /A: parameter will be used as the default domain.
/FE: Group
Filter exclusion group name to use to prevent passwords from being forwarded.
/F: n
The user name format to be delivered to the target. The specified value may be either 1 or 3 (default).

Parameter   User name format
1           Fully qualified domain name (FQDN). For example, CN=MikeDan, CN=users, DC=Fabrikam, DC=com
3           NT 4.0. For example, Fabrikam\MikeDan

/I: nn
Keep alive, or heartbeat, interval specified in seconds. This sends a verification signal from PCNS to the Microsoft Identity Integration Server 2003 if no activity is detected within the specified time range. Must be an integer in the range from 0 to 3600. Specify 0 to disable this parameter.
/WL: nn
Logs a warning level when the number of objects in the queue reaches or exceeds nn. The default setting is 0, which disables the warning level.
/WI: nn
The interval, in minutes, that the warning level is logged. This parameter has no effect if the /WL: parameter is not specified, or is set to 0. The default value for /WI: is 30. To disable periodic notifications, set the value to 0. When the value is set to 0, notifications will still be logged whenever the level threshold defined in /WL: is crossed, either up or down.
/D: True or False
Disables the target server. Disabling the target server discards any pending password changes in the queue and stops queueing any new passwords for the target. True disables the server, and False enables the server.

Examples

To add a new target, type pcnscfg ADDTARGET /N:miis-server-1 /A:miis-server-1.fabrikam.com /S:MIIS/miis-server-1.fabrikam.com /FI:PasswordInclusionGroup /F:1 /I:600 /D:False /WI:60

pcnscfg modifytarget

Modifies one or more settings for an existing target.

Syntax

pcnscfg MODIFYTARGET /N: Name [/A: Address] [/S: SPN] [/FI: Group] [/FE: [Group]] [/F: n] [/I: nn] [/WL: nn] [/WI: nn] [/D: {True|False}]

Parameters

/N: Name
The user-defined, friendly name of the target server. This name becomes the value of the CN property of the object that is created in Active Directory.
/A: Address
The fully qualified domain name (FQDN) or address of the target server, for example, fab-dev-01.usergroup.fabrikam.com.
/S: SPN
Service principal name (SPN) of the target server running Microsoft Identity Integration Server 2003 that was specified in the setspn.exe command.
/FI: Group
Filter inclusion group name to use to permit passwords to be forwarded. Inclusion group names enclosed in quotation marks are saved with embedded spaces, for example "Password enabled users". For more information about inclusion groups, see Password management.

Note

  • Inclusion groups and exclusion groups must be specified by using the group name only, for example /FI:PasswordInclusionGroup. The domain specified in the /A: parameter will be used as the default domain.
/FE: Group
Filter exclusion group name to use to prevent passwords from being forwarded. If the /FE: parameter is not specified, the exclusion group specified in the current PCNS configuration for the target will not be affected. If the /FE: parameter is specified, but without a value, the exclusion group specified in the current PCNS configuration for the target will be removed. Pcnscfg.exe displays a warning when an exclusion group is being removed.
/F: n
The user name format to be delivered to the target. The specified value may be either 1 or 3 (default).

Parameter   User name format
1           Fully qualified domain name (FQDN). For example, CN=MikeDan, CN=users, DC=Fabrikam, DC=com
3           NT 4.0. For example, Fabrikam\MikeDan

/I: nn
Keep alive, or heartbeat, interval specified in seconds. This sends a verification signal from PCNS to the Microsoft Identity Integration Server 2003 if no activity is detected within the specified time range. Must be an integer in the range from 0 to 3600. Specify 0 to disable this parameter.
/WL: nn
Logs a warning level when the number of objects in the queue reaches or exceeds nn. The default setting is 0, which disables the warning level.
/WI: nn
The interval, in minutes, that the warning level is logged. This parameter has no effect if the /WL: parameter is not specified, or is set to 0. The default value for /WI: is 30. To disable periodic notifications, set the value to 0. When the value is set to 0, notifications will still be logged whenever the level threshold defined in /WL: is crossed, either up or down.
/D: True or False
Disables the target server. Disabling the target server discards any pending password changes in the queue and stops queueing any new passwords for the target. True disables the server, and False enables the server.

Examples

To modify the heartbeat interval for an existing target, type pcnscfg MODIFYTARGET /N:miis-server-1 /I:1800

pcnscfg securetarget

Sets or modifies the inclusion and exclusion groups for the specified target server.

Syntax

pcnscfg securetarget /N: Name [/FI: Group] [/FE: [Group]]

Parameters

/N: Name
The unique name of the target server.
/FI: Group
Filter inclusion group name to use to permit passwords to be forwarded. Inclusion group names enclosed in quotation marks are saved with embedded spaces, for example "Password enabled users". For more information about inclusion groups, see Password management.

Note

  • Inclusion groups and exclusion groups must be specified by using the group name only, for example /FI:PasswordInclusionGroup. The domain specified in the /A: parameter will be used as the default domain.
/FE: Group
Filter exclusion group name to use to prevent passwords from being forwarded. If the /FE: parameter is not specified, the exclusion group specified in the current PCNS configuration for the target will not be affected. If the /FE: parameter is specified, but without a value, the exclusion group specified in the current PCNS configuration for the target will be removed. Pcnscfg.exe displays a warning when an exclusion group is being removed.

Examples

To specify a new inclusion group and remove the existing exclusion group, type pcnscfg securetarget /N:miis-server-1 /FI:NewPasswordInclusionGroup /FE:

pcnscfg deletetarget/enabletarget/disabletarget

Use to delete, enable, or disable an existing target. When you delete or disable a target, all pending password changes in the queue are discarded, and in the case of disable, no further password changes are added to the queue. A disabled target can be enabled again with this command. A deleted target can only be recreated by using the ADDTARGET command.

Syntax

pcnscfg deletetarget /N: Name

pcnscfg disabletarget /N: Name

pcnscfg enabletarget /N: Name

Parameters

/N: Name
The user-defined, friendly name of the target server.

Examples

pcnscfg deletetarget /N:miis-server-1

Remote operation

All commands for pcnscfg.exe may be run remotely.

Syntax

pcnscfg user specified command and parameters [/Server: Name] [/User: Name] [/Password: {password | *}]

Parameters

/Server: Name
The remote server or domain name.
/User: Name
The account name to use when authenticating to the remote server or domain.
/Password: password or *
The password to use when authenticating to the remote server or domain. Specify * to be prompted for the password.

Examples

To delete a target remotely and be prompted for your password, type pcnscfg deletetarget /N:miis-server-1 /Server:fabrikam.com /User:Fabrikam\MikeDan /Password:*

Remarks

Registry settings

Formatting legend

Format: Meaning
Italic: Information that the user must supply
Bold: Elements that the user must type exactly as shown
Ellipsis (...): Parameter that can be repeated several times in a command line
Between brackets ([]): Optional items
Between braces ({}), choices separated by pipe (|), for example {even|odd}: Set of choices from which the user must choose only one
Courier font: Code or program output

Related Topics

  • Password management
  • Using password synchronization