How to set the pwdLastSet attribute in Active Directory using Identity Manager Policy Builder
(Last modified: 24Aug2005)
This document (10098686) is provided subject to the disclaimer at the end of this document.
goal
How to set the pwdLastSet attribute in Active Directory using Identity Manager Policy Builder
How to force users in Active Directory to be prompted to change their password when they first log in, using Nsure Identity Manager 2.01
fact
Nsure Identity Manager 2.01
Active Directory Driver
fix
If the AD user has "password never expires" set, changing pwdLastSet to 0 has no visible effect. These
AD attributes cancel each other out, so you cannot force a password change while "password never expires" is set.
Try using the XML below for your policy. Place the policy in the subscriber OTP.
**************
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Force Password change on first login with AD user</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value name="pwdLastSet" when="after">
        <arg-value type="string">
          <token-text xml:space="preserve">0</token-text>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
**************
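To confirm the policy had the intended effect, the caveat above can be checked against an export of the provisioned user objects. The following is an added example, not part of the original Novell document: the LDIF sample and user names are constructed, and it assumes the export includes userAccountControl and pwdLastSet, with bit 0x10000 of userAccountControl being the "password never expires" flag.

```python
UF_DONT_EXPIRE_PASSWD = 0x10000  # "password never expires" bit of userAccountControl

# Constructed sample export with hypothetical users (not data from the page).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sAMAccountName: aexample
userAccountControl: 512
pwdLastSet: 0

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sAMAccountName: bexample
userAccountControl: 66048
pwdLastSet: 0

dn: CN=Carol Example,OU=Staff,DC=example,DC=com
sAMAccountName: cexample
userAccountControl: 512
pwdLastSet: 127698336000000000
"""

def parse_ldif(text):
    """Parse plain 'attr: value' records; comment, folded and base64 (attr::) lines are skipped."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line[:1] in ("#", " ") or value.startswith(":"):
                continue
            entry[attr.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def classify(entry):
    """Say whether pwdLastSet=0 will actually prompt this user at next logon."""
    try:
        uac = int(entry["useraccountcontrol"])
        pwd_last_set = int(entry["pwdlastset"])
    except (KeyError, ValueError):
        return "unknown"      # attribute missing or unreadable in the export
    if pwd_last_set != 0:
        return "not-forced"   # no password change required at next logon
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "blocked"      # pwdLastSet=0 is cancelled by "password never expires"
    return "forced"

def audit(text):
    # Map each account name (or DN when the name is absent) to its status.
    return {e.get("samaccountname", e.get("dn", "?")): classify(e) for e in parse_ldif(text)}
```

Accounts reported as "blocked" are the ones where the policy wrote pwdLastSet=0 but the user will not be prompted until "password never expires" is cleared.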
document
Document Title: How to set the pwdLastSet attribute in Active Directory using Identity Manager Policy Builder
Document ID: 10098686
Solution ID: NOVL103197
Creation Date: 24Aug2005
Modified Date: 24Aug2005
Novell Product Class: DirXML
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.