Show Managed Password is not disclosing the correct password

Problem

On SMP 7.1 the Show Managed Password option on a User discloses a password that does not let the help desk log in. This issue is caused by SMP not processing the Arellia Local Security event which reports that the password has been changed.

Solution

Importing the attached report will show which User accounts have had their passwords changed by Arellia but have not yet had the event processed by SMP. Sometimes an IIS App Pool recycle will fix the issue, but other times a task may have to be sent to that computer or you may wait until the password randomization policy executes again.

Alternatively, this report can be fed into an automation policy that randomizes those passwords: follow the steps outlined in "Automatically randomize passwords for disclosed user accounts", changing the report to the one attached to this KB.

Additional information

A tell-tale sign that this is happening in your environment can be found by opening the Resource Manager on a User account and comparing certain timestamps. The following steps identify which timestamps to compare:

  1. After opening up the Resource Manager on a User account, navigate to Event Classes > Arellia > Local Security > User Account Password Change
  2. Note the Changed timestamp (this event class shows events processed by SMP)
  3. Then navigate to Event Classes > Arellia > Local Security > User Account Password Change Request
  4. Note the Requested timestamp (this event class shows events processed by Arellia)
  5. If the Requested timestamp is newer than the Changed timestamp, then the password disclosed by Show Managed Password is most likely not correct.
  6. To disclose the actual current password that has been set for that user, right-click the most recent event under User Account Password Change Request and click Show Historical Password. This will show the password most recently set for that account.
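
The comparison in steps 1 to 5 can be run across many accounts at once. The following is an added example, not part of the original KB or the attached report; it assumes the two event classes have been exported to CSV with hypothetical columns computer, account, event_class and timestamp. It goes slightly beyond step 5 by also flagging accounts that have a request but no processed change event at all.

```python
import csv
import io
from datetime import datetime

CHANGED = "User Account Password Change"            # events processed by SMP
REQUESTED = "User Account Password Change Request"  # events processed by Arellia

# Constructed sample export; column names and values are hypothetical.
SAMPLE = """computer,account,event_class,timestamp
WS-0101,Administrator,User Account Password Change Request,2015-03-01 02:00:00
WS-0101,Administrator,User Account Password Change,2015-03-01 02:00:05
WS-0102,Administrator,User Account Password Change Request,2015-03-01 02:00:00
WS-0102,Administrator,User Account Password Change,2015-03-01 02:00:05
WS-0102,Administrator,User Account Password Change Request,2015-03-08 02:00:00
WS-0103,Administrator,User Account Password Change Request,2015-03-08 02:00:00
"""

def stale_accounts(csv_text):
    """Return (key, latest_requested, latest_changed) for every account whose
    newest Requested timestamp is newer than its newest Changed timestamp."""
    latest = {CHANGED: {}, REQUESTED: {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = latest.get(row["event_class"])
        if bucket is None:
            continue  # ignore unrelated event classes in the export
        key = (row["computer"], row["account"])
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        if key not in bucket or ts > bucket[key]:
            bucket[key] = ts  # keep only the most recent event per account
    stale = []
    for key, req in sorted(latest[REQUESTED].items()):
        chg = latest[CHANGED].get(key)
        # Assumption: a request with no processed change is also out of sync.
        if chg is None or req > chg:
            stale.append((key, req, chg))
    return stale

if __name__ == "__main__":
    for (computer, account), req, chg in stale_accounts(SAMPLE):
        print(f"{computer}\\{account}: requested {req}, last processed change {chg}")
```

For each account listed, the password shown by Show Managed Password is most likely out of date, and Show Historical Password on the most recent request event is the one to use.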