Turn off "user must change password on first logon" in FIM 2010 Ad workflow

    Question

  • Hi All,

    I want to be able to turn off the need for a user to change password on first logon. I am sure I need to use the userAccountControl flag in the initial flow, but I do not know what to set this to. Can anyone tell me how I can achieve this?

    Also, is there another attribute I need to change for this to work normally?

    Thanks in advance,

    Rob



    • Edited by MasterPrawn Monday, November 19, 2012 2:34 PM Better title
    Monday, November 19, 2012 2:34 PM

Answers

  • Unless you've marked a password never to expire, the pwdLastSet attribute controls this.  The only values you can write to pwdLastSet are 0 (which requires an immediate reset) and, if the current value is already 0, assigning -1 will set it to the current time, effectively delaying the user's next password reset as if they had just updated it.  It is not possible to write arbitrary values into pwdLastSet.

    If you really want non-expiring passwords--although this is not good security practice--refer here as a reference to userAccountControl's various bit flags: http://support.microsoft.com/kb/305144

    Monday, November 19, 2012 4:01 PM

All replies

  • Aaa, I see.

    In fact I don't want non-expiring passwords, but what I want to do is:

    • Register user in Portal - email initial password to external (non domain) address
    • Let the user log in to a system via ADFS; since I am sending them in via that, I cannot have them change the password on first logon. When they log in with the created and emailed password they can use the OTPR SSPR feature to change the password to a more "friendly" password.

    Their passwords will expire, but I will handle that problem with notifications later.

    So I was sure I needed to set the userAccountControl flag to try this, but thanks, I will try using -1 in the initial flow and see what the result is.


    Rob

    Monday, November 19, 2012 4:32 PM
  • Hey Steve,

    When I flow -1 as a value, I get a syntax violation; when I change it back to 0 it works fine. Should I be using a type string instead of number?

    Rob


    Monday, November 19, 2012 7:35 PM
  • pwdLastSet is a 64-bit signed integer field in AD; I've never tried to assign to it from a Portal rule or action--only LDAP--so stringifying it is probably worth a try, but I can't anticipate whether that'll work or not.  Experience suggests that the FIM Sync engine will refuse to see it as anything other than numeric.
    Monday, November 19, 2012 7:49 PM