Layer 7 Identity Management


How To Set Active Directory To Force Password Reset On PW Change

  • 1.  How To Set Active Directory To Force Password Reset On PW Change

    Posted 01-24-2013 11:25 AM
    The out-of-the-box password reset has a force-password-to-change option. I have also built my own password reset tasks in which I flag the password to change at next login. However, this flag does not get sent down to AD.

    I am trying to figure out how to flag that. The use case is Service Desk password resets on behalf of the user; the user must then change the password to their own afterwards. It works fine if you use IdM, but 99% will not: for logging in they will use their AD account from their laptop Windows logon.

    I tried creating a PX to set the AD pwdLastSet, which is working; however, the PX fires before the Provisioning Manager resets the password, so when that happens it overwrites pwdLastSet with the date/time.

    How else can I get the AD endpoint to get flagged to Change PW At Next Logon?
    Would I set this in the Account Template on the endpoint config?


  • 2.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 01-25-2013 05:07 PM
    Yes, AD Account template should do it. I've used it before.


  • 3.  RE: How To Set Active Directory To Force Password Reset On PW Change
    Best Answer

    Posted 01-26-2013 11:07 PM
    But the AD Template is invoked only with provisioning tasks, not with reset password tasks.

    I think PX can work fine with the specific task or event, with modification of the attribute or the etautil command.

    Finally, a Program Exit in POST_CHANGE_ACCOUNT_PASSWORD can help too....


  • 4.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 01-28-2013 09:47 AM
    I will go try program exits. I got a PX running on the completion of my reset user task, but I think the PX fires and sets pwdLastSet to 0 before the Provisioning Manager resets the password, which updates it to the date and clears out the flag.

    Chicken and egg thing going on.


    One other question: in the Endpoint Config, Configuration tab, there's a check box called "User must change password after password reset"; however, when I select it, submit it and go back in, it's unchecked. What does that do, or what is it supposed to do?


  • 5.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 01-28-2013 11:01 AM
    In the Provisioning Manager I set the User Must Change password after password reset and that appeared to be the resolution.

    However, looking at the Endpoint through IdM the check box never sticks or shows it's checked even though it's set when you look at the endpoint through Provisioning Manager. Bug?


  • 6.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 01-28-2013 12:28 PM
    Maybe a bug; in my configuration it persists checked!


  • 7.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 04-04-2013 08:00 AM
    Hi Drew,

    Do you have additional feedback on this issue?

    I can confirm that the check box does not persist in the user console on my systems also (both on 12.5 SP 13 and 12.5 SP 14).

    Moreover, it resets the setting that was visible in Provisioning Manager (checkbox gets unchecked).

    Even if I make the setting only through PM and check that it gets saved in the endpoint's configuration, when I make a basic test (Reset User Password from the UI), the password gets propagated but there is no request to have it changed.

    Did it work for you, did you make additional changes?


    Thank you for your time and feedback.


    Regards,

    Razvan



    *** EDIT 12:31 PM, Thursday, April 4, 2013 (GMT) ***

    I have made a test to reset the password not from the user console but directly from PM for the global user with account sync on action. This made the account ask for password change upon logon.

    What could be the difference between UI and PM on submitting these changes?


  • 8.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 04-04-2013 03:52 PM
    In my PM for the targeted endpoint -> Properties -> Configuration Tab I have checked 'User must change password after password reset'. This shows in the UI as checked as well when I look at the endpoint.

    I used the policies that were posted earlier, modified them for my endpoint names, and now my Password Resets that Service Desk does are flagged as one time use in AD. I also have a policy in place that will check the account to see if it's locked in AD and unlock it at the same time since AD doesn't automatically unlock an account on a password reset.


  • 9.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 04-10-2013 04:10 AM
    Hi,

    For me that option did not work (IM 12.5 SP 13 and SP 14)

    Instead I have implemented PX to set the pwdLastSet attribute of the AD account to "false" (will be converted to 0x0 by connector).

    Out of 7 tests though, 2 didn't get that attribute set to 0, probably because of timing reasons ... Anyway, better than nothing.


    /Razvan
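
The thread's underlying mechanism is the AD pwdLastSet attribute: 0 means "must change at next logon", and any password write stamps it with the current time, which is why a PX that runs before the Provisioning Manager's reset loses the flag. The following PowerShell helper is an added example, not code from this thread or from CA IdM, that performs the same three operations natively against AD in the order that avoids the race (reset first, then clear pwdLastSet, then unlock as post 8 describes) and verifies the result by reading the attribute back instead of trusting a UI check box. It assumes the RSAT ActiveDirectory module and an account with reset-password rights; the sAMAccountName and password values are caller-supplied placeholders.

```powershell
# Added example (not from the thread or from CA IdM). Assumes the ActiveDirectory
# module is installed and the caller holds "Reset password" rights on the user.
Import-Module ActiveDirectory

function Reset-PasswordForNextLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,      # placeholder, supplied by caller
        [Parameter(Mandatory)][SecureString]$NewPassword    # placeholder, supplied by caller
    )

    $before = Get-ADUser -Identity $SamAccountName `
        -Properties pwdLastSet, PasswordNeverExpires, LockedOut

    # Caveat: with DONT_EXPIRE_PASSWORD set, pwdLastSet = 0 does not force a change,
    # so the flag would be silently ineffective. Refuse rather than pretend it worked.
    if ($before.PasswordNeverExpires) {
        throw "$SamAccountName has PasswordNeverExpires set; clear it first, otherwise the must-change flag has no effect."
    }

    # Step 1: reset the password. This write stamps pwdLastSet with the current time,
    # which is what overwrote the flag when the PX fired before the reset in the thread.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword

    # Step 2: only now set "must change at next logon" (pwdLastSet = 0 under the hood).
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Step 3: AD does not unlock an account on a password reset; do it explicitly.
    if ($before.LockedOut) {
        Unlock-ADAccount -Identity $SamAccountName
    }

    # Step 4: verify from the directory, not from a console check box.
    $after = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, LockedOut
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        MustChangeAtLogon = ($after.pwdLastSet -eq 0)
        LockedOut         = $after.LockedOut
    }
}

# Usage (interactive; the temporary password is never placed in a script):
# $pw = Read-Host -AsSecureString 'Temporary password'
# Reset-PasswordForNextLogon -SamAccountName 'jdoe' -NewPassword $pw
```

Inside IdM the equivalent of steps 1 and 2 is what the Best Answer's POST_CHANGE_ACCOUNT_PASSWORD program exit gives you: the attribute write happens after the password write, so it cannot be clobbered. The verification in step 4 is the check worth scripting regardless of tool, since the thread shows the endpoint check box and the effective AD state can disagree.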


  • 10.  RE: How To Set Active Directory To Force Password Reset On PW Change

    Posted 11 days ago
    Anon Anon/Razvan

    Hi,

    When I set the pwdLastSet attribute to "false", which in IDM is listed as "User Must Change password at next Logon (pwdLastSet)", what happens is that it does not force me to change the password at the next logon.
    Well, it makes sense, since you are telling IDM that the value for that is false, which means not to enforce it.

    In what configuration does it have the behaviour you described, where it gets converted to 0x0?