You can control which users' passwords are synchronized by creating two local user groups: PasswordPropAllow and PasswordPropDeny. (Use the Windows User Manager to create these groups.)
In the PasswordPropAllow group, add the user names for which passwords should be synchronized. In the PasswordPropDeny group, add the user names for which passwords should not be synchronized.
Passwords are synchronized for users who are in PasswordPropAllow and are not in PasswordPropDeny.
If PasswordPropAllow does not exist, the effect is the same as if it did exist with all user names in it. If PasswordPropDeny does not exist, the effect is the same as if it did exist with no user names in it.
These rules apply to synchronization from Windows to UNIX and from UNIX to Windows. If a user's password cannot be synchronized from Windows to UNIX, it cannot be synchronized from UNIX to Windows.
The UNIX administrator can ensure that the passwords for certain users are never synchronized, even if synchronization is allowed by the Password Synchronization server. To ensure that a UNIX user account will never have its password synchronized with the Windows password, edit the sso.conf file to place the user name of the account, preceded by a minus sign (–), after SYNC_USERS=. For example, to ensure that the password of the root account is never synchronized with a Windows account by that name, make sure that the following line appears in sso.conf:
SYNC_USERS=–root