Symantec IGA

  • Private Community

  • 1.  How to set Active Directory to force password change on first logon

    Posted Feb 08, 2018 09:19 AM

    Hi,

     

    Is it possible to configure IDM to reliably force all new users to change password on first loggon when they logging into AD?

     

    A password change request for existing users (reset user password in IDM) propagates correctly to AD endpoint, but password change request when creating user (checked box Password Must Change) works just for users who log into IDM.

     

    Regards,

    Dejan



  • 2.  Re: How to set Active Directory to force password change on first logon

    Broadcom Employee
    Posted Feb 08, 2018 10:53 AM

    Hi Dejan, 

     

    Just to be sure I get this straight. You are saying that when you create an Active Directory endpoint account from Identity Manager the user is not forced to change password on first logon. Is my understanding correct? if yes, does your Active Directory account template have User Must Change Password at Next Logon checked? By default it is unchecked  (in my policy below it is unchecked but you should check it if the above behaviour is what you want to achieve)

     

     

    KR
    Russi



  • 3.  Re: How to set Active Directory to force password change on first logon

    Posted Feb 08, 2018 11:40 AM

    Hi Russi,

     

    Yes, I know this way to reliably propagate the password change at next logon option to AD. However, this way is reliable only in case when user has just one account template or when all assigned account templates have this option checked.

     

    The problem is that, when creating users in IDM they are assigned multiple provisioning roles that contain different account templates. If only one account template contains this option checked, it is not surely that the change will be propagated to AD in the desired way (User Must Change Password at Next Logon checked).

     

    The client does not want to check User Must Change Password at Next Logon to all account templates which are assigned to the user. There is a fear that if later some of these account templates are assigned to other user, the user will have to change the password on AD at next logon.

     

    Account templates are not assigned to users only on creating event. They could be subsequently assigned or removed during modification user event.

     

    Regards,

    Dejan



  • 4.  Re: How to set Active Directory to force password change on first logon
    Best Answer

    Broadcom Employee
    Posted Feb 08, 2018 12:02 PM

    Hi Dejan

    User Must Change Password at Next Logon is not a capability attribute and this means that it will not be propagated to already existing AD accounts even when the account template is assigned to an existing user account for the first time.

     

    Regardless, if your customer does not like the option of using account templates to set this value you can use policy xpress policies that let you set password to expired after creating an AD account.

    KR

    Russi



  • 5.  Re: How to set Active Directory to force password change on first logon

    Posted Feb 08, 2018 12:10 PM

    Thank you Russi.

     

    Kind Regards,

    Dejan