I recently received a query from a customer asking if there was a way to determine when a user’s password was last synchronized. Upon receiving further details, it became clear that they suspected an issue with password synchronization for a specific user. There is an easy way to verify password synchronization for a single user.
Synchronization Service Manager
The Synchronization Service application can be easily accessed from the Start Menu:
Once opened, select the Connectors option
We want to search for the specific user in the Active Directory Domain Services connector. The name should match your Active Directory Domain name. Right-click on this connector and select Search Connector Space:
I can now search for the user using the Distinguished Name (DN) for the user. Verify that the required user is listed, then select Properties:
On the properties page of the connector object, which is the specific user we were searching for, select Log:
The Object Log will show the last password synchronizations performed for the specific user. The log will only contain data for the last 7 days, so you won’t find any data if the user’s password was changed more than 7 days ago.
If you see any failures for the user, you would need to go back to the Windows Event log or use the troubleshooting guide. The link is provided at the end of this post.
Getting the DN of the user
You can easily obtain the DN of a specific user with Windows PowerShell if you know the username. The Active Directory module is required.
The PowerShell command should look as follows:
Get-ADUser username | Select-Object distinguishedName
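The lookup above can be extended to also show whether the user's last password change still falls inside the 7-day Object Log window. This is an added example, not part of the original post; the function name Get-PasswordSyncLookupInfo and its parameters are hypothetical, and the 7-day default is taken from the retention stated above.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
# The function name and parameter names are hypothetical.
Import-Module ActiveDirectory

function Get-PasswordSyncLookupInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserName,

        # Object Log retention as stated in the post (7 days).
        [int]$LogWindowDays = 7
    )

    try {
        # PasswordLastSet is not returned by default, so request it explicitly.
        $user = Get-ADUser -Identity $UserName -Properties PasswordLastSet -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "No Active Directory user found for '$UserName'."
        return
    }

    # PasswordLastSet is empty when the account must change its password at next logon.
    $lastSet = $user.PasswordLastSet
    $ageDays = if ($null -ne $lastSet) { ((Get-Date) - $lastSet).TotalDays } else { $null }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        # Paste this value into Search Connector Space.
        DistinguishedName = $user.DistinguishedName
        PasswordLastSet   = $lastSet
        PasswordAgeDays   = if ($null -ne $ageDays) { [math]::Round($ageDays, 1) } else { $null }
        # True when the change is recent enough to appear in the Object Log.
        ExpectLogEntry    = ($null -ne $ageDays) -and ($ageDays -le $LogWindowDays)
    }
}

# 'username' is a placeholder for the account being checked.
Get-PasswordSyncLookupInfo -UserName 'username'
```

If ExpectLogEntry is False, an empty Object Log for that user is expected and does not by itself indicate a synchronization failure.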
Troubleshoot Password Hash Sync
There are numerous troubleshooting tasks that can be completed when experiencing issues. I am not covering these tasks in this post. You can review the Microsoft Docs article which I’ve used as a reference for the detailed troubleshooting steps: