Pcnscfg: Password change notification service (PCNS) configuration utility
Manages the configuration settings that are stored in
Active Directory and used by the password change notification
service (PCNS). You must be a member of the Enterprise Admins group
or the Domain Admins group to use this utility.
If the service command is not specified, the following
default values are used for the parameters:
MaximumQueueLength—unlimited
MaximumQueueAge—259200 seconds (72 hours)
MaximumNotificationRetries—unlimited
RetryInterval—60 seconds
/L:MaximumQueueLength
Specifies the maximum number of password changes to store in
the queue. Must be an integer in the range from 0 to 4294967295. If
a limit is specified and the queue becomes full, the oldest
password change requests are discarded first. Specify 0 for
unlimited. Note that if passwords cannot be delivered and
MaximumQueueLength is set to unlimited, the queue size increases
and consumes disk resources on the domain controller as
needed.
/A:MaximumQueueAge
Specifies the maximum time in seconds that an undelivered
password change can remain in the queue before being discarded.
Must be an integer in the range from 0 to 4294967295. Specify 0 for
unlimited. Note that if passwords cannot be delivered and
MaximumQueueAge is set to unlimited, the queue size increases and
consumes disk resources on the domain controller as needed.
/R:MaximumNotificationRetries
Specifies the maximum number of times that an attempt is made
to notify the target server of a password change. Must be an
integer in the range from 0 to 1000. Specify 0 for unlimited.
/I:RetryInterval
Specifies the interval, in seconds, to wait before a failed
notification is retried. Must be an integer in the range from 10 to 3600.
Example
To set the MaximumQueueLength and MaximumQueueAge to unlimited,
and limit the number of notification retries to 500 and the retry
interval to 15 seconds, type pcnscfg service /L:0 /A:0 /R:500
/I:15
/N:Name
The user-defined, friendly name of the target server. This name
becomes the value of the CN property of the object that is created
in Active Directory.
/A:Address
The fully qualified domain name (FQDN) or address of the target
server, for example, fab-dev-01.usergroup.fabrikam.com.
/S:SPN
Service principal name (SPN) of the target server running
Microsoft Identity Integration Server 2003 that was specified in the
setspn.exe command.
/FI:Group
Filter inclusion group name to use to permit passwords to be
forwarded. Inclusion group names enclosed in quotation marks are
saved with embedded spaces, for example "Password enabled
users". For more information about inclusion groups, see Password management.
Note
Inclusion groups and exclusion groups must be specified by
using the group name only, for example
/FI:PasswordInclusionGroup. The domain specified in the
/A: parameter will be used as the default domain.
/FE:Group
Filter exclusion group name to use to prevent passwords from
being forwarded.
/F:n
The user name format to be delivered to the target. The
specified value may be either 1 or 3 (default).
Parameter   User name format
1           Fully qualified domain name (FQDN). For example, CN=MikeDan, CN=users, DC=Fabrikam, DC=com
3           NT 4.0. For example, Fabrikam\MikeDan
/I:nn
Keep alive, or heartbeat, interval specified in seconds. This
sends a verification signal from PCNS to the Microsoft Identity Integration Server 2003 if no activity is detected within the specified
time range. Must be an integer in the range from 0 to 3600. Specify
0 to disable this parameter.
/WL:nn
Logs a warning level when the number of objects in the queue
reaches or exceeds nn. The default setting is 0,
which disables the warning level.
/WI:nn
The interval, in minutes, that the warning level is logged.
This parameter has no effect if the /WL: parameter is not
specified, or is set to 0. The default value for /WI:
is 30. To disable periodic notifications, set the value to
0. When the value is set to 0, notifications will
still be logged whenever the level threshold defined in /WL:
is crossed, either up or down.
/D:True or False
Disables the target server. Disabling the target server
discards any pending password changes in the queue and stops
queueing any new passwords for the target. True disables the
server, and False enables the server.
Examples
To add a new target, type pcnscfg ADDTARGET /N:miis-server-1
/A:miis-server-1.fabrikam.com /S:MIIS/miis-server-1.fabrikam.com
/FI:PasswordInclusionGroup /F:1 /I:600 /D:False /WI:60
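The following PowerShell wrapper is an added example, not part of this reference or of the PCNS product: it runs the service and ADDTARGET commands described above after checking each value against the ranges this page states, so a typo cannot silently write an out-of-range setting to Active Directory. It assumes pcnscfg.exe is on PATH and that the caller is a member of Enterprise Admins or Domain Admins; the function names are the example's own.

```powershell
# Added example: validates values against the ranges documented for pcnscfg
# before calling the real utility (assumed to be on PATH on the domain controller).

function Assert-InRange([string]$Name, [uint64]$Value, [uint64]$Min, [uint64]$Max) {
    if ($Value -lt $Min -or $Value -gt $Max) {
        throw "$Name must be between $Min and $Max (got $Value)"
    }
}

function Invoke-Pcnscfg([string[]]$CmdArgs) {
    & pcnscfg @CmdArgs
    if ($LASTEXITCODE -ne 0) { throw "pcnscfg $($CmdArgs[0]) failed with exit code $LASTEXITCODE" }
}

function Set-PcnsServiceConfig {
    param(
        [uint64]$MaximumQueueLength = 0,          # 0 = unlimited
        [uint64]$MaximumQueueAge = 259200,        # seconds; 0 = unlimited
        [uint32]$MaximumNotificationRetries = 0,  # 0 = unlimited
        [uint32]$RetryInterval = 60               # seconds
    )
    Assert-InRange 'MaximumQueueLength' $MaximumQueueLength 0 4294967295
    Assert-InRange 'MaximumQueueAge' $MaximumQueueAge 0 4294967295
    Assert-InRange 'MaximumNotificationRetries' $MaximumNotificationRetries 0 1000
    Assert-InRange 'RetryInterval' $RetryInterval 10 3600
    if ($MaximumQueueLength -eq 0 -or $MaximumQueueAge -eq 0) {
        Write-Warning 'Unlimited queue: undelivered password changes will consume disk on this DC.'
    }
    Invoke-Pcnscfg @('service', "/L:$MaximumQueueLength", "/A:$MaximumQueueAge",
                     "/R:$MaximumNotificationRetries", "/I:$RetryInterval")
}

function Add-PcnsTarget {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$InclusionGroup,
        [ValidateSet(1, 3)][int]$UserNameFormat = 3,   # 1 = FQDN, 3 = NT 4.0
        [uint32]$HeartbeatSeconds = 600                # 0 disables the heartbeat
    )
    Assert-InRange 'HeartbeatSeconds' $HeartbeatSeconds 0 3600
    Invoke-Pcnscfg @('ADDTARGET', "/N:$Name", "/A:$Address", "/S:$Spn",
                     "/FI:$InclusionGroup", "/F:$UserNameFormat", "/I:$HeartbeatSeconds", '/D:False')
}

# Same settings as the examples on this page: unlimited queue, 500 retries, 15 s retry interval.
Set-PcnsServiceConfig -MaximumNotificationRetries 500 -RetryInterval 15
Add-PcnsTarget -Name 'miis-server-1' -Address 'miis-server-1.fabrikam.com' `
    -Spn 'MIIS/miis-server-1.fabrikam.com' -InclusionGroup 'PasswordInclusionGroup' -UserNameFormat 1
```

The warning on an unlimited queue reflects the caveat given for MaximumQueueLength and MaximumQueueAge above; pair it with the /WL: and /WI: thresholds so a stalled target is noticed before the domain controller's disk fills.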
/N:Name
The user-defined, friendly name of the target server. This name
becomes the value of the CN property of the object that is created
in Active Directory.
/A:Address
The fully qualified domain name (FQDN) or address of the target
server, for example, fab-dev-01.usergroup.fabrikam.com.
/S:SPN
Service principal name (SPN) of the target server running
Microsoft Identity Integration Server 2003 that was specified in the
setspn.exe command.
/FI:Group
Filter inclusion group name to use to permit passwords to be
forwarded. Inclusion group names enclosed in quotation marks are
saved with embedded spaces, for example "Password enabled
users". For more information about inclusion groups, see Password management.
Note
Inclusion groups and exclusion groups must be specified by
using the group name only, for example
/FI:PasswordInclusionGroup. The domain specified in the
/A: parameter will be used as the default domain.
/FE:Group
Filter exclusion group name to use to prevent passwords from
being forwarded. If the /FE: parameter is not specified, the
exclusion group specified in the current PCNS configuration for the
target will not be affected. If the /FE: parameter is
specified, but without a value, the exclusion group specified in
the current PCNS configuration for the target will be removed.
Pcnscfg.exe displays a warning when an exclusion group is
being removed.
/F:n
The user name format to be delivered to the target. The
specified value may be either 1 or 3 (default).
Parameter   User name format
1           Fully qualified domain name (FQDN). For example, CN=MikeDan, CN=users, DC=Fabrikam, DC=com
3           NT 4.0. For example, Fabrikam\MikeDan
/I:nn
Keep alive, or heartbeat, interval specified in seconds. This
sends a verification signal from PCNS to the Microsoft Identity Integration Server 2003 if no activity is detected within the specified
time range. Must be an integer in the range from 0 to 3600. Specify
0 to disable this parameter.
/WL:nn
Logs a warning level when the number of objects in the queue
reaches or exceeds nn. The default setting is 0,
which disables the warning level.
/WI:nn
The interval, in minutes, that the warning level is logged.
This parameter has no effect if the /WL: parameter is not
specified, or is set to 0. The default value for /WI:
is 30. To disable periodic notifications, set the value to
0. When the value is set to 0, notifications will
still be logged whenever the level threshold defined in /WL:
is crossed, either up or down.
/D:True or False
Disables the target server. Disabling the target server
discards any pending password changes in the queue and stops
queueing any new passwords for the target. True disables the
server, and False enables the server.
Examples
To modify the heartbeat interval for an existing target, type
pcnscfg MODIFYTARGET /N:miis-server-1 /I:1800
/FI:Group
Filter inclusion group name to use to permit passwords to be
forwarded. Inclusion group names enclosed in quotation marks are
saved with embedded spaces, for example "Password enabled
users". For more information about inclusion groups, see Password management.
Note
Inclusion groups and exclusion groups must be specified by
using the group name only, for example
/FI:PasswordInclusionGroup. The domain specified in the
/A: parameter will be used as the default domain.
/FE:Group
Filter exclusion group name to use to prevent passwords from
being forwarded. If the /FE: parameter is not specified, the
exclusion group specified in the current PCNS configuration for the
target will not be affected. If the /FE: parameter is
specified, but without a value, the exclusion group specified in
the current PCNS configuration for the target will be removed.
Pcnscfg.exe displays a warning when an exclusion group is
being removed.
Examples
To specify a new inclusion group and remove the existing
exclusion group, type pcnscfg securetarget /N:miis-server-1
/FI:NewPasswordInclusionGroup /FE:
Use to delete, enable, or disable an existing target. When you
delete or disable a target, all pending password changes in the
queue are discarded, and in the case of disable, no further
password changes are added to the queue. A disabled target can be
enabled again with this command. A deleted target can only be
recreated by using the ADDTARGET command.
Syntax
pcnscfg deletetarget /N:Name
pcnscfg disabletarget /N:Name
pcnscfg enabletarget /N:Name
deletetarget—Use this command when you need to
completely flush the password queue and recreate the target.
disabletarget—Use this command when you need to
temporarily turn off synchronization to the target without
reconfiguring.
enabletarget—Use this command to restart a disabled
target.
Parameters
/N:Name
The user-defined, friendly name of the target server.
/User:Username
The account name to use when authenticating to the remote
server or domain.
/Password:password or *
The password to use when authenticating to the remote server or
domain. Specify * to be prompted for the password.
Examples
To delete a target remotely and be prompted for your password,
type pcnscfg deletetarget /N:miis-server-1 /Server:fabrikam.com
/User:Fabrikam\MikeDan /Password:*
Remarks
Pcnscfg.exe is located in the \Program Files\Microsoft
Password Change Notification folder on each domain controller
where the pcns.msi installation package is run.
The number of configured targets is limited to 50.
Changes to the PCNS configuration can affect passwords already
in the queue:
Changes to inclusion and exclusion groups applied to target
servers do not affect passwords already in the queue. Changes are
effective for any new password synchronization events.
Deleting or disabling a target server discards all passwords in
the queue, and no new passwords are stored in the queue for that
target.
The recommended method for purging all passwords from the queue
is to delete the target and then add it again as a new target with
the same name.
Registry settings
There are four logging levels for PCNS that are controlled by
adding the EventLogLevel (REG_DWORD) entry to the following
registry subkey:
If you are running PCNS on a computer with a slow boot cycle,
or through a Virtual PC connection, PCNS startup may time out with
an error. The default timeout is 3 minutes (180 seconds), and can
be controlled by adding the ServiceStopWaitTime (REG_DWORD) entry
to the following registry subkey:
The value is measured in seconds and can range from 20 to 600. If
the value cannot be read, the default value of 180 will be used. If
the value is less than 20, the value will be set to 20, and if the
value is greater than 600, the value will be set to 600.
Formatting legend
Format                          Meaning
Italic                          Information that the user must supply
Bold                            Elements that the user must type exactly as shown
Ellipsis (...)                  Parameter that can be repeated several times in a command line
Between brackets ([])           Optional items
Between braces ({}); choices    Set of choices from which the user must choose only one
separated by pipe (|).
Example: {even|odd}